S&K Menswear two-phased attack
Technorati Tag: Security Breach
Date Reported:
12/10/07 (backdated from 1/3/08)
Organization:
S&K Famous Brands (S&K)
Contractor/Consultant/Branch:
None
Victims:
Online customers of www.skmenswear.com
Number Affected:
Unknown*
*25 reported New Hampshire residents
Types of Data:
Names, addresses, email addresses, credit card numbers, and expiration dates.
Breach Description:
According to the breach notification letter sent to the New Hampshire Attorney General, on or about October 24th, 2007 personal information belonging to S&K online customers was accessed without proper authorization. S&K became aware of the unauthorized access after reports of fictitious spear phishing emails began circulating in which the attacker requested the CVV2 codes to match the credit card numbers. It is unknown how many customers were duped by the second phase of the attack.
Reference URL:
New Hampshire Attorney General Breach Notification
Report Credit:
New Hampshire State Attorney General
Response:
From the official breach notification and letter to customers:
This letter is to inform you that S&K Menswear has discovered that your personal information--including your name, address, credit card number, and expiration date--may have been accessed on or about October 24, 2007 without proper authorization.
stored in one of our databases has been retrieved by external sources
S&K was notified of a suspicious e-mail addressed to its customers on Wednesday, October 24th at approximately 3:00 p.m. The e-mail was sent from a fictitious S&K e-mail address. The body of the e-mail appeared to contain an S&K order number and the last four digits of the credit card number used by the customer to whom it was addressed. The e-mail requested that the customer provide a credit card identification number.
[Evan] The "suspicious e-mail" is the second phase of the attack. The credit card number, cardholder name, and expiration date were already obtained in the first phase. This spear phishing attack now aims to get the CVV2 code, which makes this much more valuable to the attacker. I am curious about how many people actually fell for this second phase.

Once notified, S&K immediately assembled a response team to assess the situation.
a decision was made at 3:30 p.m. the same day to disconnect the online store and disable remote access to S&K's network. Further to these actions, S&K:
- Notified credit card issuers
- Purged or masked credit card data on its servers
- Changed all user names and passwords on the system
- Hired a leading provider of information security to conduct a full forensic security audit as required by the major credit card issuers
- Notified various law enforcement agencies including the FBI and Secret Service
S&K's investigation of this incident is ongoing.
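Two of the steps the letter lists, masking stored card numbers and purging data that PCI DSS forbids at rest (CVV2, full track 2, PIN block), can be expressed as a small record sanitizer. This is an added example, not S&K's code; the field names and record layout are hypothetical, since the real schema is not public.

```python
"""Added example: mask PANs and purge PCI-prohibited fields from a stored record.
Field names and the record shape are hypothetical, not S&K's actual schema."""
import re

# Hypothetical column names that must never survive authorization.
PROHIBITED_FIELDS = {"cvv2", "cvc", "cid", "track2", "pin", "pin_block"}
# ISO 7813 track 2: ';' PAN '=' YYMM expiry, 3-digit service code, discretionary data, '?'
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}\d{3}\d*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check so only real-looking card numbers are treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(value: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display limit).
    Values that are not 13-19 Luhn-valid digits are returned unchanged."""
    digits = re.sub(r"\D", "", value)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        return value
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record: dict) -> dict:
    """Return a copy with prohibited fields dropped and PAN-like values masked.
    A string field carrying full track 2 data is dropped entirely."""
    clean = {}
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            continue                      # purge: CVV2 / track / PIN data
        if isinstance(value, str):
            if TRACK2_RE.search(value):
                continue                  # magnetic stripe data hidden in free text
            value = mask_pan(value)
        clean[key] = value
    return clean
```

A 16-digit order number that happens to pass Luhn would also be masked, so in practice the PAN check is usually restricted to the known card-number column rather than every string field.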
We want to stress, however, that no social security number, CVV2 data or track 2 magnetic stripe data was compromised at all.
[Evan] This isn't true, unless S&K can say with certainty that NONE of the customers fell victim to the second phase of this attack.
We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and will remain vigilant about protecting you.
We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs), please go to www.skmenswear.com\security\faq.htm or contact us at 1
[Evan] I think the "\" in the URL is supposed to be "/". The first FAQ in the list of FAQs bugged me a little; "Q: Is this a major breach? A: No, our credit card security manager classifies this as minor."
Commentary:
At the top of the customer letter it states:
You do not need to make any changes to your S&K menswear accounts or to change the way you do business with us.
I am going to guess that S&K would be classified as a VISA Level 3 Merchant. Is it safe to assume that S&K is PCI DSS compliant? It sounds like they don't store prohibited data (CVV2, Full Magnetic Stripe, or PIN / PIN Block), but only 55% of Level 3 Merchants are PCI DSS validated as of 9/30/07. It should be easier for customers to find the status of an organization's compliance and information security practices rather than having to guess. Although now that I think about it, compliance doesn't really ensure security does it?
Anyway, I get the feeling that S&K would have liked to keep this breach quiet and minimize it as much as possible.
Past Breaches:
Unknown