Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.

A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted.

Arby’s has more than 3,330 stores in the United States, and roughly one-third of those are corporate-owned. The remaining stores are franchises. However, this distinction is likely to be lost on Arby’s customers until the company releases more information about individual restaurant locations affected by the breach.

“Although there are over 1,000 corporate Arby’s restaurants, not all of the corporate restaurants were affected,” said Christopher Fuller, Arby’s senior vice president of communications. “But this is the most important point: That we have fully contained and eradicated the malware that was on our point-of-sale systems.”

The first clues about a possible breach at the sandwich chain came in a non-public alert issued by PSCU, a service organization that serves more than 800 credit unions.

The alert sent to PSCU member banks advised that PSCU had just received very long lists of compromised card numbers from both Visa and MasterCard. The alerts stated that a breach at an unnamed retailer compromised more than 355,000 credit and debit cards issued by PCSU member banks.

“PSCU believes the alerts are associated with a large fast food restaurant chain, yet to be announced to the public,” reads the alert, which was sent only to PSCU member banks.

Arby’s declined to say how long the malware was thought to have stolen credit and debit card data from infected corporate payment systems. But the PSCU notice said the breach is estimated to have occurred between Oct. 25, 2016 and January 19, 2017.

Such a large alert from the card associations is generally a sign of a sizable nationwide breach, as this is likely just the first of many alerts Visa and MasterCard will send to card-issuing banks regarding accounts that were compromised in the intrusion. If history is any lesson, some financial institutions will respond by re-issuing thousands of customer cards, while other (likely larger) institutions will focus on managing fraud losses on the compromised cards.

The breach at Arby’s comes as many credit unions and smaller banks are still feeling the financial pain from fraud related to a similar breach at the fast food chain Wendy’s. KrebsOnSecurity broke the news of that breach in January 2016, but the company didn’t announce it had fully removed the malware from its systems until May 2016. But two months after that the company was forced to admit that many Wendy’s locations were still compromised.

B. Dan Berger, president and CEO of the National Association of Federal Credit Unions, said the number of cards that PSCU told member banks were likely exposed in this breach is roughly in line with the numbers released not long after news of the Wendy’s breach broke.

“Hundreds of thousands of cards is a big number, and with the Wendy’s breach, the alerts we were getting from Visa and MasterCard were in the six-digit ranges for sure,” Berger said. “That’s probably one of the biggest numbers I’ve heard.”

Berger said the Wendy’s breach was especially painful because the company was re-compromised after it scrubbed its payment systems of malicious software. Many banks and credit unions ended up re-issuing customer cards several times throughout last year after loyal Wendy’s customers re-compromised their brand new cards again and again because they routinely ate at multiple Wendy’s locations throughout the month.

“We had institutions that stopped approving debit and credit transactions through Wendy’s when they were still dealing with that breach,” Berger said. “Our member credit unions were eating the costs of fraud on compromised cards, and on top of that having to re-issue the same cards over and over.”

Point-of-sale malware has driven most of the major retail industry credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware sometimes is installed via hacked remote administration tools like LogMeIn; in other cases the malware is relayed via “spear-phishing” attacks that target company employees. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email purveyor tagged as one of the World’s Top 10 Worst Spammers, was indicted this week on federal wire fraud charges tied to an alleged spamming operation.

According to an indictment returned in federal court in Chicago, Persaud used multiple Internet addresses and domains – a technique known as “snowshoe spamming” – to transmit spam emails over at least nine networks.

The Justice Department says Persaud sent well over a million spam emails to recipients in the United States and abroad. Prosecutors charge that Persaud often used false names to register the domains, and he created fraudulent “From:” address fields to conceal that he was the true sender of the emails. The government also accuses Persaud of “illegally transferring and selling millions of email addresses for the purpose of transmitting spam.”

Persaud is currently listed as #8 on the World’s 10 Worst Spammers list maintained by Spamhaus, an anti-spam organization. In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. Persaud did not contest the charges and was ordered to pay more than a half-million dollars in restitution and damages.

In 2001, the San Diego District Attorney’s office filed criminal charges against Persaud, alleging that he and an accomplice crashed a company’s email server after routing their spam through the company’s servers.

Persaud declined to comment for this story. But he maintains that his email marketing business is legitimate and complies with the CAN-SPAM Act, the main anti-spam law in the United States. The law prohibits the sending of spam that spoofs that sender’s address or does not give recipients an easy way to opt out of receiving future such emails from that sender.

Persaud told FBI agents who raided his home last year that he currently conducts internet marketing from his residence by sending a million emails in under 15 minutes from various domains and Internet addresses.

The indictment charges Persaud with ten counts of wire fraud and seeks the forfeiture of four computers. Each count of wire fraud is punishable by up to 20 years in prison. If convicted, the court must impose a reasonable sentence under federal statutes and sentencing guidelines.

Persaud was charged in Chicago because at least two of the servers he allegedly used to conduct snowshoe spamming operations were located there (named only as victims “B” and “F” in the government’s indictment). A copy of the indictment against Persaud is here (PDF).

For more on how spam allegedly sent by Persaud was traced back to his companies, see my story from November 2014, Still Spamming After All These Years. For a deeper understanding of why and how spam is the engine that drives virtually all other forms of cybercrime, check out my book — Spam Nation: The Inside Story of Organized Cybercrime.

The U.S. House of Representatives on Monday approved a bill that would update the nation’s email surveillance laws so that federal investigators are required to obtain a court-ordered warrant for access to older stored emails. Under the current law, U.S. authorities can legally obtain stored emails older than 180 days using only a subpoena issued by a prosecutor or FBI agent without the approval of a judge.

The House passed by a voice vote The Email Privacy Act (HR 387). The bill amends the Electronic Communications Privacy Act (ECPA), a 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information.

But the U.S. Justice Department wanted different treatment for stored electronic communications. Congress struck a compromise, decreeing that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with an administrative subpoena and without requiring the approval of a judge.

HR 387’s sponsor Kevin Yoder (R-Kan.) explained in a speech on the House floor Monday that back in when the bill was passed, hardly anybody stored their personal correspondence “in the cloud.” He said the thinking at the time was that “if an individual was leaving an email on a third-party server it was akin to that person leaving their paper mail in a garbage can at the end of their driveway.”

“Thus, that individual had no reasonable expectation of privacy in regards to that email under the Fourth Amendment,” Yoder said.

Lee Tien, a senior staff attorney with the Electronic Frontier Foundation (EFF), said a simple subpoena also can get law enforcement the following information about communications records (in addition to the content of emails stored at a service provider for more than 180 days):

-name;
-address;
-local and long distance telephone connection records, or records of session times and durations;
-length of service (including start date) and types of service utilized;
-telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
-means and source of payment for such service (including any credit card or bank account number), of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena.

The Email Privacy Act does not force investigators to jump through any additional hoops for accessing so-called “metadata” messaging information about stored communications, such as the Internet address or email address of a message sender. Under ECPA, the “transactional” data associated with communications — such as dialing information showing what numbers you are calling — was treated as less sensitive. ECPA allows the government to use something less than a warrant to obtain this routing and signaling information.

The rules are slightly different in California, thanks to the passage of CalECPA, a law that went into effect in 2016. CalECPA not only requires California government entities to obtain a search warrant before obtaining or accessing electronic information, it also requires a warrant for metadata.

Activists who’ve championed ECPA reform for years are cheering the House vote, but some are concerned that the bill may once again get hung up in the Senate. Last year, the House passed the bill in an unanimous 419-0 vote, but the measure stalled in the upper chambers of the Senate.

The EFF’s Tien said he’s worried that the bill heading to the Senate may not have the support of the Trump administration, which could hinder its chances in a Republican-controlled chamber.

“The Senate is a very different story, and it was a different story last year when Democrats had more votes,” Tien said.

Whether the bill even gets considered by the Senate at all is bound to be an issue again this year.

“I feel a little wounded because it’s been a hard fight,” Tien said. “It hasn’t been an easy fight to get this far.”

The U.S. government is not in the habit of publishing data about subpoenas it has requested and received, but several companies that are frequently on the receiving end of such requests do release aggregate numbers. For example, Apple, Facebook, Google, Microsoft and Twitter all publish transparency reports. They’re worth a read.

For a primer on protecting your communications from prying eyes and some tools to help preserve your privacy, check out the EFF’s Surveillance Self-Defense guide.

InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties nationwide. News of the breach was first reported by KrebsOnSecurity more than a month ago.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

A list of the known breached locations is here. IHG said cards used at the front desk of these properties were not affected.

According to IHG, we may not yet know the full scope of this breach: The company advised that its investigation into other properties in the Americas region is ongoing.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

The third week of September 2016 was a dark and stormy one for KrebsOnSecurity. Wave after wave of huge denial-of-service attacks flooded this site, forcing me to pull the plug on it until I could secure protection from further assault. The site resurfaced three days later under the aegis of Google’s Project Shield, an initiative which seeks to protect journalists and news sites from being censored by these crippling digital sieges.

Damian Menscher, a Google security engineer with whom I worked very closely on the migration to Project Shield, spoke this week about the unique challenges involved in protecting a small site like this one from very large, sustained and constantly morphing attacks.

Addressing the Enigma 2017 security conference in Oakland, Calif., Menscher said his team only briefly considered whether it was such a good idea to invite a news site that takes frequent swings at the DDoS-for-hire industry.

“What happens if this botnet actually takes down google.com and we lose all of our revenue?” Menscher recalled. “But we considered [that] if the botnet can take us down, we’re probably already at risk anyway. There’s nothing stopping them from attacking us at any time. So we really had nothing to lose here.”

Ars Technica’s Dan Goodin was at the Engima conference and filed this report:

“It took only about an hour for Menscher’s team to arrive at the decision to help Krebs. A much more lengthy process involved actually admitting KrebsOnSecurity into Project Shield…A key requirement for admittance is that the person requesting service proves they have control over the site. Because KrebsOnSecurity was down at that moment, Krebs was unable to satisfy this requirement.

Making matters worse, the domain-name system settings KrebsOnSecurity used had been locked to thwart the attempted domain hijacking attacks that regularly targeted the site. That prevented Krebs from showing he had control of the site’s DNS settings.

Once Project Shield ultimately got KrebsOnSecurity back online, it took just 14 minutes for the attacks to resume.”

For more, check out Dan Goodin’s excellent piece, How Google Fought Back Against a Crippling IoT-Powered Botnet and Won. And a rolling thanks to Damian (a true mensch) and to Project Shield for deflecting the evil bits.

For more background on the botnet responsible for knocking this site offline, see Who is Anna-Senpai, the Mirai Worm Author?