(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Figure: A website bot as it distributes CVV guesses over multiple sites. (credit: Ali, et al.)

Thieves can guess your secret Visa payment card data in as little as six seconds, according to researchers at Newcastle University in the UK. Bad actors can use browser bots to distribute guesses across hundreds of legitimate online merchants.

The attack starts with a card's 16-digit number, which can be obtained in a variety of ways. Attackers can buy numbers on black-market websites, often for less than $1 apiece, or skim them with a smartphone equipped with a near-field communication reader. Candidate numbers can also be generated from the first six digits, which identify the card brand, issuing bank, and card type, by filling in the remaining digits so that the result passes the Luhn checksum; this yields well-formed numbers rather than confirmed live ones, so each candidate still has to be tested against a merchant. Once an attacker has a valid 16-digit number, they need only about four seconds to learn the expiration date and the three-digit card verification value (CVV) that most sites use to check a card. Even when sites go a step further and also require the cardholder's billing address, the technique can guess the information in about six seconds.

The technique relies on Web bots that spread guesses across almost 400 e-commerce sites that accept card payments. Of those, 26 sites verify only two fields and a further 291 verify three. Because sites check different subsets of fields, the bots can attack one field at a time, submitting guesses to many sites in parallel so that no single site sees more than a handful of failed attempts, and learning the fields one after another instead of jointly. Once the correct expiration date is found (banks typically issue cards valid for up to 60 months, so at most 60 guesses), the bots use the same process to obtain the CVV. Where sites let the bots obtain the CVV first, a search that can never require more than 1,000 guesses, the bots then work out the expiration date and, if required, the billing address.
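The two mechanisms described above, Luhn-valid candidate numbers and the field-by-field distributed search, are easier to reason about in a toy model. The following is an added illustration, not code from the article or from the Newcastle researchers. It constructs a fictitious issuer, a sample card, a candidate postcode list and a population of merchants whose validation rules follow the article's counts (26 two-field and 291 three-field sites; the 75 four-field sites and the issuer's lockout threshold of 10 declines are assumed), then runs the attacker's split search once against an issuer with no cross-merchant limit and once against an issuer that counts declines per card number across all merchants.

```python
"""Toy model of a distributed card-guessing attack and an issuer-side lockout.

Added illustration, not code from the article or the Newcastle paper. The
sample card, merchant validation rules, postcode candidates and lockout
threshold are all constructed for this example.
"""
import itertools
from collections import defaultdict

MONTHS_AHEAD = 60    # cards are valid for up to 60 months (article)
CVV_SPACE = 1000     # three-digit CVV: never more than 1,000 guesses (article)


def luhn_check_digit(partial: str) -> int:
    """Digit d such that partial + str(d) passes the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):   # digit left of the check digit is doubled
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the 16-digit number is well-formed; says nothing about whether it was issued."""
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == int(pan[-1])


def expiry_candidates(year=2017, month=1, months=MONTHS_AHEAD):
    """MM/YY strings for `months` consecutive months starting at month/year."""
    for k in range(months):
        y, m = divmod(year * 12 + month - 1 + k, 12)
        yield f"{m + 1:02d}/{y % 100:02d}"


class Issuer:
    """Verifies whatever fields a merchant forwards. With max_failures set it
    also counts declines per PAN across all merchants and locks the card."""

    def __init__(self, card, max_failures=None):
        self.card, self.max_failures = card, max_failures
        self.failures, self.locked = defaultdict(int), set()

    def authorize(self, attempt, checked_fields):
        pan = attempt["pan"]
        if pan in self.locked:
            return False
        ok = all(attempt.get(f) == self.card[f] for f in checked_fields)
        if not ok:
            self.failures[pan] += 1
            if self.max_failures and self.failures[pan] >= self.max_failures:
                self.locked.add(pan)
        return ok


class Merchant:
    """A site that collects a fixed subset of fields and forwards them to the issuer."""

    def __init__(self, checked_fields, issuer):
        self.checked_fields, self.issuer, self.attempts = checked_fields, issuer, 0

    def charge(self, attempt):
        self.attempts += 1
        return self.issuer.authorize(attempt, self.checked_fields)


def distributed_guess(merchants, pan, postcodes):
    """Learn one field at a time on the sites that check the fewest fields,
    rotating sites so each sees only a handful of attempts.
    Returns (recovered fields or None, total attempts)."""
    by_fields = defaultdict(list)
    for m in merchants:
        by_fields[frozenset(m.checked_fields)].append(m)
    order = ("pan", "expiry", "cvv", "address")
    sites = {n: itertools.cycle(by_fields[frozenset(order[:n])]) for n in (2, 3, 4)}
    found, total = {"pan": pan}, 0
    stages = [("expiry", list(expiry_candidates()), 2),
              ("cvv", [f"{c:03d}" for c in range(CVV_SPACE)], 3),
              ("address", postcodes, 4)]
    for field, candidates, n in stages:
        for value in candidates:
            total += 1
            if next(sites[n]).charge({**found, field: value}):
                found[field] = value
                break
        else:
            return None, total   # exhausted the space, or the issuer locked the card
    return found, total


def run(max_failures=None, n_two=26, n_three=291, n_four=75):
    """n_two / n_three follow the article's site counts; n_four is assumed.
    Returns (recovered fields, total attempts, most attempts seen by any one site)."""
    card = {"pan": "4111111111111111", "expiry": "09/19", "cvv": "347", "address": "NE1 7RU"}
    assert luhn_valid(card["pan"])
    issuer = Issuer(card, max_failures)
    fields = ("pan", "expiry", "cvv", "address")
    merchants = ([Merchant(fields[:2], issuer) for _ in range(n_two)] +
                 [Merchant(fields[:3], issuer) for _ in range(n_three)] +
                 [Merchant(fields[:4], issuer) for _ in range(n_four)])
    postcodes = ["SW1A 1AA", "M1 1AE", "NE1 7RU", "EH1 1YZ"]   # constructed candidate list
    found, total = distributed_guess(merchants, card["pan"], postcodes)
    return found, total, max(m.attempts for m in merchants)


if __name__ == "__main__":
    print("no cross-merchant limit:", run())
    print("issuer locks after 10 declines:", run(max_failures=10))
    print("joint brute force would need up to", MONTHS_AHEAD * CVV_SPACE, "guesses")
```

Two things the model makes visible: splitting the search turns a joint space of 60 × 1,000 expiry/CVV combinations into at most 60 + 1,000 sequential guesses, and because each site sees only two or three of those attempts, no merchant's own velocity check ever fires. The only party that sees every attempt against a given card number is the issuer, which is why a per-PAN decline counter applied across all merchants (the second run) stops the attack in the first stage while the unlimited run recovers every field.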


Mozilla Network Security Services CVE-2016-9074 Multiple Security Bypass Vulnerabilities
Mozilla Firefox CVE-2016-9065 Location Bar Spoofing Vulnerability
QEMU '/hw/net/mcf_fec.c' Denial of Service Vulnerability
Linux Kernel 'lapic.c' Local Denial of Service Vulnerability
Debian Tomcat Package Multiple Local Privilege Escalation Vulnerabilities
OpenAFS Directory Information Disclosure Vulnerability
BlueZ Buffer Overflow and Denial of Service Vulnerabilities
OpenSSL CVE-2016-2179 Multiple Denial of Service Vulnerabilities
OpenSSL CVE-2016-2180 Local Denial of Service Vulnerability

I produced videos for the Hancitor maldoc mentioned in this diary.

Hancitor Maldoc: Shellcode Dynamic Analysis

Hancitor maldoc: Extracting URLs

EMET vs Hancitor Maldoc

VBA Shellcode To Test EMET

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Buffalo WNC01WH JVN#40613060 Multiple Security Vulnerabilities
IBM AIX CVE-2016-0266 Information Disclosure Vulnerability
CVE-2016-8740, Server memory can be exhausted and service denied when HTTP/2 is used
Linux Kernel 'kvm/emulate.c' Information Disclosure Vulnerability
Microsoft Windows Media Center "ehshell.exe" XML External Entity
Microsoft MSINFO32.EXE ".NFO" Files XML External Entity
Linux Kernel CVE-2016-9755 Out of Bounds Write Security Vulnerability