Limo Broker Breach Compromises A-Lister, CEO and Pol Data. And, There’s No Limit to a Quarter of the 850,000 Credit Card Numbers Hackers Got Away With.

Posted on December 2nd, 2013 by Dan Rampe


More than 241,000 of the 850,000 credit card numbers, expiration dates and addresses stolen by hackers were for high- or no-limit American Express accounts — card numbers which have a very high resale value in the cybercrime underground. And the names of the people whose private information was ripped off are a Who’s Who of the rich and famous, including Tom Hanks, Donald Trump and LeBron James.

According to Brian Krebs’s story on KrebsOnSecurity, “The high-value data cache was found (in a file archive reading CorporateCarOnline) on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc. – suggesting that the same attacker(s) may have been involved in all three compromises.” Not that you need reminding, and Adobe would almost definitely prefer not to be reminded, but in the Adobe breach 38,000,000 customers’ data was compromised – though most were not nearly as famous as the people in this breach.

Krebs writes, “Alex Holden, chief information security officer at Hold Security LLC and a key collaborator on the research…said CorporateCarOnline confirmed to him that the data was stolen from its systems. ‘While the target is not a household name, it is, arguably, the highest socially impacting target yet,’ Holden said. ‘By its nature, limo and corporate transportation caters to affluent individuals and VIPs.’

“Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion, a Web application platform that has become a favorite target of the attackers thought to be responsible for this and other aforementioned breaches of late.”

Especially since many of the individuals whose information was stolen were well known, precious bits of trivia could be gleaned from the information. Following are a few examples.

A chauffeur driving Tom Hanks to a Chicago restaurant for dinner was advised that the client was a “VVIP” who required “No cell/radio use” by the driver.

A chauffeur meeting Latin American textile magnate Josue Christiano Gomes da Silva inside an airport luggage claim area was advised: “SUPER VIP CLIENT. EVERYTHING MUST BE PERFECT!”

Donald Trump required a new car with a clear front seat. C’mon is that really too much to ask? We thought he might’ve wanted a hair stylist at least.

A note to the driver who was to pick up Michael D. Grimes, co-head of global technology investment banking for Morgan Stanley, said: “Always wants ‘Michael David’ for name sign. Do not use last name!”

But, all this could be the proverbial tip of the iceberg as to what mischief could be done by an unscrupulous cybercriminal. Krebs writes, “This database would be a gold mine of information for would-be corporate spies or for those engaged in other types of espionage. Records in the limo reservation database telegraphed the future dates and locations of travel for many important people. A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet. Such information would be extremely useful in the hands of nation-state level attackers.”

Krebs quotes a piece in Foreign Policy magazine that featured an interview with Kevin Mandia, the CEO of Mandiant, a company specializing in helping companies defend against cyberespionage.

Notes Krebs, “Mandia said he recently was the target of a targeted cyberattack that tried to (send) malicious spyware to him via an email with a booby-trapped PDF copy of a recent limo invoice. ‘I’ve been receiving PDF invoices not from (the limo service), but from an (advanced hacking) group back in China…’”

Mandia only caught the attack when the hackers sent receipts on days when he hadn’t used the car service. His security people confirmed they contained a malicious payload.

Krebs observes that the hacked CorporateCarOnline database may have played a part in the attacks because Mandia employees were among the 850,000 stolen records.

Krebs points out what a tabloid could do with information from the database, “Simple text searches for certain words (‘sex,’ ‘puke’ ‘arrest’ ‘police,’ ‘smoking pot’) reveal dozens of records detailing misbehavior and all kinds of naughtiness by executives, celebrities and people you might otherwise expect to behave civilly.

“For example, the following is an explanation taken from a limo reservation made back in May 2006 by a woman working for MTV. The limo in question was actually a stretch Hummer with capacity to seat 14 passengers, and was rented for the occasion of visiting a series of wineries in Long Island, NY.

“When the stretch Hummer returned to the shop after (dropping off) its passengers, the fleet’s owners discovered that the vehicle had been plastered with cheese slices and crackers, and that someone had left behind a sex toy:”

The limo company wrote to the people who’d hired the service, “After the vehicle returned to base we discovered that it was left in a complete mess. Slices of cheese were all over the seats, windows and the bars. On top of that, crackers were left on the floor and seats crushed by people sitting and walking all over it.

“We are transportation company not a restaurant and we specifically put in our terms and conditions that we do not allow any food in our limousines. Also we do not allow any sexual activities in the car and we have found a sex toy while cleaning the car. We have charged your card for cleaning fee of $100 since we had to send limousine to the car wash to get it detailed after all the activities during your rental.”
