Credit Card Breaches – Kmart, DQ, and Qbot, oh my!

Several credit card breaches were recently announced in the news. Just last week, we heard more details about Dairy Queen’s breach and about the Qbot malware (not related to the coupon-scanning smartphone app!) installed on hundreds of thousands of PCs, and on Friday afternoon, Krebs from the security blog Krebs On Security (www.krebsonsecurity.com) broke the news that Kmart had their own breach.

DQ
Dairy Queen released a list of known compromised locations on Oct. 9th. The full list can be found here: (http://www.dairyqueen.com/us-en/datasecurityincident/affected-stores/?localechange=1&). DQ has 4,500 locations and only 395 were affected. Chances are that you’re OK, but if you’ve used a credit card or debit card at a Dairy Queen since the beginning of August, check the list just to be safe.

Qbot
Again, I just want to reiterate: this has nothing to do with the smartphone app. You are safe to use the QR-scanning coupon program all you want if you’re comfortable with your information being used for marketing research and potentially being sold off. You can view their smartphone app’s privacy policy here: (https://qbot.com/privacy-policy/)

So what Qbot are we discussing here? It’s a strain of malware (also known as QakBot) that’s stolen the information for nearly 800,000 accounts so far. There are over 500,000 infections of this malware and most seem to be targeting U.S. banks and their customers, with some of the infections occurring on a bank’s internal network. This is some scary stuff.

According to Trend Micro, Qbot monitors activity on the following websites:

* access.jpmorgan.com
* business-eb.ibanking-services.com
* businessaccess.citibank.citigroup.com
* businessonline.huntington.com
* cpw-achweb.bankofamerica.com
* directline4biz.com
* directpay.wellsfargo.com
* ebanking-services.com
* express.53.com
* ibc.klikbca.com
* itreasury.regions.com
* itreasurypr.regions.com
* ktt.key.com
* moneymanagergps.com
* onb.webcashmgmt.com
* onlineserv/CM
* premierview.membersunited.org
* tmconnectweb
* treas-mgt.frostbank.com
* treasury.pncbank.com
* web-cashplus.com

Note: the entries that are not full domains are keywords the malware recognizes in the URI of a website.

Kmart
Friday afternoon, Sears Holding Co., the owners of the Kmart brand, announced that their IT teams discovered malware infections on point-of-sale systems that compromised customer credit and debit card information. They do not have exact dates for us, but Chris Brathwaite, spokesman for Sears, said the investigation shows the breach began in early September. They did not give an exact date for when they cleaned the malware from affected systems, but did say that the systems are clean now.

I cringe every time I hear about a retail breach. I use my debit card everywhere, even though I know it makes me more likely to be a victim of one of these breaches. We can’t live in fear. Consumer protection laws are in place to cover us in these types of situations, and banks are getting very good at identifying and preventing fraudulent transactions. Trust, but verify. Go over your statements every month or check your online account often from a trusted computer and monitor the transactions you see. If you don’t recognize a transaction, contact your bank immediately.

Tigran Loftside is a security professional working for one of America’s largest retailers. He has over 20 years combined experience with computer operations, repair, systems administration, and cyber security.

tigran.loftside@gmail.com

Author: Tigran Loftside
