14 DAY TRIAL // A batch of cards that appear to belong to customers of Bebe stores in the United States have been discovered on an underground website that enables trading of stolen goods.
The information has been verified by several financial institutions, which purchased some cards and checked them for a merchant they had in common in order to determine where the leak occurred.
Point-of-sale malware used to steal card information
Since Bebe was the retailer they all had in common, it is safe to assume that this is where the attackers hit. The online payment system does not seem to be affected by the incident because the crooks sold the information on the magnetic strip, which is obtained by malware planted on a point-of-sale system, when the card is swiped.
Security blogger Brian Krebs learned about all this earlier this week and started an investigation on the matter. Unfortunately, he has yet to get a response from Bebe representatives because no reply was received upon trying to contact them via emails and phone.
Bebe has more than 200 stores in the United States, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Canada. At the moment, there are no details about the specific locations that have been compromised.
Seller advertises card data as the “Happy Winter Update” batch
The batch of cards were purchased by the financial institutions for verification purposes from goodshop[.]bz, an underground shop that has been set up recently, Krebs says.
These were part of a package released on December 1 and called “Happy Winter Update” by the seller, whose identity remains unknown. The price for one card ranged from $10 / €8 to $27 / €22.
It was discovered after analyzing the transactions the compromised cards had been used for at Bebe retailer between November 18 and November 28, but this time interval does not suggest that the breach is over and it may very well continue at the moment.
This type of attack is similar to those affecting customers of Home Depot, Dairy Queen, or Kmart that happened this year. In the case of Home Depot, data from 56 million cards has been exposed; an additional 53 million email addresses have also been confirmed lost by the retailer.
The cost resulting from the breach so far is $43 / €34.5 million, but the company estimates that future expenses may be incurred, according to a regulatory filing with the Securities and Exchange Commission (SEC).
