[BreachExchange] Hackers leak credit card info from Costa Rica's state bank

Destry Winant destry at riskbasedsecurity.com
Thu May 28 09:16:49 EDT 2020


https://www.bleepingcomputer.com/news/security/hackers-leak-credit-card-info-from-costa-ricas-state-bank/

Maze ransomware operators have published credit card data stolen from
the Bank of Costa Rica (BCR). They threaten to leak similar files
every week.

The hackers are doing this to support their claim to have breached
BCR in the past, in response to the bank’s denial of these intrusions.

Valid numbers inside

In a post on their “leak” site this week, Maze operators shared a 2GB
spreadsheet with payment card numbers from customers of Banco de Costa
Rica.


The attackers say that they released the data because they are not
looking to make any profit off it. Instead, they want to draw
attention to the bank’s security lapses when it comes to protecting
sensitive information.

Several screenshots from the database accompany the announcement,
showing unencrypted credit card numbers. Together, the images contain
data for at least 50 cards (some are listed multiple times).
Previously, they published over 100 partial numbers (last four digits
removed) with expiration date and verification codes.

BleepingComputer checked several numbers with two online validation
services and most of them passed the check. Bank identification number
(BIN) details showed that they were Visa or MasterCard debit cards
issued by BCR.

It should be noted that one of the card validation sites states that
the validity of a number does not guarantee that it is also in use.
However, the details were confirmed when verified on a second online
checker.

On April 30, Maze ransomware operators claimed to have more than 11
million cards from BCR, with 4 million being unique and 140,000
belonging to “US citizens.”

Maze said that they first gained access to the bank’s network in
August 2019 and again in February 2020, to check if security had
improved.

They chose to exit without encrypting the systems the second time
because it “was at least incorrect during the world pandemic” and “the
possible damage was too high.” But they did not leave empty-handed.

Battle of statements

BleepingComputer contacted BCR on May 1 to confirm either of the two
incidents but received no reply. However, the bank issued a public
statement that day saying that following an “exhaustive verification”
they can “firmly confirm that the institution’s systems have not been
violated.”

In response, four days later Maze released a spreadsheet with details
about systems they claim to be from BCR’s network. On May 21 they
dumped the payment card data.

The bank issued another statement on May 22 reiterating that multiple
analyses from internal and external specialists confirmed that the
systems were not accessed without authorization and that clients’
transactions were not impacted.

At the beginning of the month, Maze told BleepingComputer that they
reached out to the bank multiple times with a ransom demand and that
they may sell the card data on the dark web.

Even if they spared BCR's systems from encryption, the ransom was for
showing the institution the vulnerable spots on its network.

