Someone Snuck a Card Skimmer Into Costco to Steal Shopper Data

By Kevin Colleran On Nov 13, 2021

This week, security researchers from Google uncovered a so-called watering hole attack that indiscriminately targeted Apple devices in Hong Kong. Hackers compromised media and pro-democracy websites in the region to distribute malware to any visitors from an iPhone or Mac, placing a backdoor that let them steal data, download files, and more. Google didn’t attribute the campaign to any specific actor, but did note that “the activity and targeting is consistent with a government-backed actor.” The incident echoes the 2019 revelation that China had targeted thousands of iPhones in a similar manner—at the time, a wake-up call that iOS security isn’t as infallible as it’s perceived.

The Justice Department also announced its most significant ransomware enforcement actions yet, arresting one alleged hacker associated with the notorious REvil group and seizing $6.1 million of cryptocurrency from another. There’s still a long way to go to rein in the broader ransomware threat, but showing that law enforcement can actually extract a consequence is an important start.

If you’ve noticed that TikTok is pushing you to connect more with friends and family—rather than limiting your feed to talented and engaging strangers—you’re not alone. The platform has taken some unprecedented steps in recent months to figure out who your friends are in real life, raising concerns about both privacy and whether TikTok’s changes will undermine what makes the social network so appealing in the first place.

Lastly, at this week’s RE:WIRED conference we spoke with Jen Easterly, director of the Cybersecurity and Information Security Agency, about the challenges she and the US government as a whole face from increasingly sophisticated adversaries. Having come up through the ranks via the NSA and the Pentagon, Easterly is used to offensive cyber operations. Her job now? Play some defense. Preferably, she says, with the help of the broader hacker community.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

You may normally associate card-skimmer attacks—which impersonate credit card readers to steal your payment info—with ATMs and gas pumps, to the extent that you think of them at all. But recently someone placed a card-skimming device in a Costco warehouse, of all places. An employee discovered the interloping equipment during a “routine check,” according to a report from BleepingComputer. The company has informed people whose credit card info may have been stolen. It’s a good reminder to double-check where you stick your plastic—or stick with NFC payments.

Earlier this week, Robinhood disclosed a “security incident” in which a hacker used social engineering to access an email list of 5 million people, the full names of 2 million people, and the name, date of birth, and zip codes of 310 people. Motherboard went on to report that the attackers had in fact accessed internal tools that could have let them disable two-factor authentication for users, log them out of their accounts, and view their balance and trading information. Robinhood says that customer accounts weren’t tampered with, but that doesn’t help much with the fact that they apparently could have been quite easily.

Spyware manufacturer NSO Group has been no stranger to controversy lately, and was recently placed on the US Entity List because it allegedly “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” Now, researchers at the nonprofit Frontline Defenders say they’ve found the company’s Pegasus malware on the phones of six Palestinian activists. They couldn’t definitively tie the origin of the malware to a specific country or organization, but the incident is just the latest in a long line of surveillance malware being used where it expressly shouldn’t.