Online shops plundered by bank card-stealing malware after bungling backend Aptos hacked

'We were silenced by the Feds!'


Shoppers of 40 online stores have had their bank card numbers and addresses slurped by a malware infection at backend provider Aptos.

The security breach occurred late last year when a crook was able to inject spyware into machines Aptos used to host its retail services for online shops. This software nasty was able to access customer payment card numbers and expiration dates, full names, addresses, phone numbers and email addresses, we're told.

Rather than being alerted to the infiltration by Aptos itself, instead we were warned this week by Aptos' customers – the retailers whose websites were infected by the malware on the backend provider's servers.

According to these stores, which have had to file computer security breach notifications with state authorities, the malware was active on Aptos systems from February through December of 2016.

A spokesperson for Aptos – based in Atlanta, Georgia – told The Register the biz had been working with the FBI and US Department of Justice to investigate the ransacking, and was required to keep quiet about the infection for two months before notifying its customers.

"As the 60-day period expired on Sunday, February 5, we contacted impacted retailers starting on Monday, February 6 to provide a synopsis of the situation," Aptos said.

"We are working closely with the specific digital commerce customers who were impacted by this incident to ensure affected consumers are notified in a transparent, accurate and timely manner in accordance with US-based state disclosure laws for data security incidents."

Among the affected companies is Liberty Hardware, which told the state of Montana that it was notified of the breach on February 7.

"Aptos has informed us that they discovered the intrusion in November 2016," Liberty Hardware said. "We understand that Aptos then contacted Federal law enforcement agencies and the US Department of Justice, and law enforcement requested that notification to businesses (including Liberty Hardware) be delayed to allow the investigation to move forward."

Some of the customers, such as sweets site Affy Tapple, are footing the bill for a year's credit monitoring for customers exposed by the breach. "Aptos has advised us that the unauthorized person(s) potentially had access to the payment card transaction records of 19 of Affy Tapple's customers with billing addresses in Washington," the site says.

Other businesses will likely be following with their own disclosures. Aptos said it is letting the companies affected handle the notifications on their own and will not name them individually. So if you shopped online around November last year, and you get a note from one of the 40 affected websites confessing your payment card details were stolen, you know who to blame.

Aptos, its CEO Noel Goggin, and his team. ®


Other stories you might like

  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2022