
    Nearly one million credit cards offered on underground forum

    Researchers with D3Lab have discovered the data of almost one million credit card holders being sold on an underground forum, according to a blog post released this week. The batch of 980,930 records acquired by D3Lab analysts on Monday contained names, addresses, credit card numbers, expiration dates and CVVs. About 30,000 entries in the data set came from people living in Italy, based on identifications tied to the stolen cards. D3Lab analysts found the information on a carding database called All World Cards.

    All World Cards is a haven for online credit card thieves involved in things like Magecart attacks, information-stealing malware and point-of-sale attacks. D3Lab noted in their report that carding sites generally get most of their stolen credit cards from point-of-sale attacks at gas stations, supermarkets and some e-commerce sites. The report found that the people behind All World Cards have been marketing their site and services since June and may have purchased stolen credit card data and shared it for free "to entice other criminal actors to frequent their site." The domain allworld[.]cards was created in May and the site now has 2,634,615 stolen credit cards, with more than 1 million coming from the US.

    After examining the data, D3Lab researchers sent the information to the banks represented in the leak so that the cards could be cancelled and users could be notified. Half of the cards in the batch are still operational, according to D3Lab. With the help of a BIN database, the researchers managed to verify the stolen records and figure out the companies, issuers and other data on the victims. Of the 980,930 stolen cards, 98% had a valid BIN associated with an issuer, according to D3Lab, while nearly every card came from either Visa or Mastercard. More than 75% of the cards were debit cards and 24% were Gold, Business or Titanium cards. India was the most represented country in the batch, with 20% of cards coming from the country, followed by Mexico and the US with 9% each. About 4% came from Italy as well. Javvad Malik, security awareness advocate at KnowBe4, told ZDNet that the cards were stolen between 2018 and 2019, making it difficult to determine where the data came from or if it came from multiple sources. Carding has become a lucrative avenue for cybercriminals, explained PerimeterX senior director Uriel Maimon. Attackers use bots to test lists of recently stolen credit card and debit card details on merchant sites. The carders then use the proven credit card details to directly retrieve funds from associated accounts or to purchase gift cards which can easily be converted into high-value goods, such as cell phones, televisions and computers, Maimon explained. "These goods are then resold, often via ecommerce sites offering a degree of anonymity, for a profit. As these cards were stolen between 2018-2019, it stands to reason that most are no longer valid, especially if they're publicly dumped and multiple actors will jump on them at the same time." In December 2020, the FBI and Interpol seized four domains operated by Joker's Stash, the internet's largest marketplace for buying and selling stolen card data.
    The site announced it was officially shutting down in February. BleepingComputer noted that cybersecurity company Cyble imported the stolen data into their AmIBreached service, so people can check if their credit card information was involved.


    Extreme Networks acquires Ipanema from Infovista for SD-WAN, SASE

    Extreme Networks has announced its intent to acquire Ipanema Technologies, the SD-WAN (software-defined wide area network) and SASE (secure-access service edge) division of Infovista. France-based Infovista, which already had a major stake in the ground as a service assurance company, acquired Ipanema in 2015, well before SD-WAN went mainstream a couple of years ago. Extreme will purchase Ipanema for 60 million Euros (approximately $73 million) in an all-cash transaction. The deal is expected to close in October, pending regulatory approval. Since Infovista is privately held, revenue numbers for the Infovista division are not readily known. I know that pre-pandemic, Ipanema revenue was about 40 million Euros annually but had fallen to 30 million and was probably sliding to the 20 million level. If that's the case, the 60 million Euro purchase price is a steal and fits the mold of other Extreme acquisitions, because it is a top-tier technology that's effectively a stranded asset inside a larger organization where it doesn't fit.

    Extreme makes another strategic acquisition to fuel its business

    Extreme's addition of the WiFi business at Motorola, Avaya's network business, and Brocade's Ethernet products are other examples of how the company rolls. COO Norman Rice has a knack for finding these diamonds in the rough and has used acquisitions like these to fuel the resurgence of the company. The network vendor is now past $1 billion in revenue and has become a Gartner Magic Quadrant Leader, which is impressive given the company's bumpy past. The purchase of Ipanema is yet another example of how the company will use a modest investment to fuel another wave of growth. Ipanema isn't the most well-known SD-WAN company, but its technology is very good. However, Infovista was not willing to make investments in the areas of sales and marketing. The company was founded in 1999 as a WAN optimization vendor, which competed with the likes of Riverbed and Packeteer.
    I had many engagements with Ipanema customers, and they raved about how good the tech was. Evidence of this? The company was a perennial Gartner MQ Leader for years, and this solid foundation is what it used to build its SD-WAN portfolio. More recently, the company partnered with Equinix and CheckPoint to develop a full cloud-native SD-WAN and SASE platform. This new product shifts SD-WAN to an on-demand service that can be scaled up and down like other cloud services.

    Ipanema has solid SD-WAN and SASE technology

    With this big product investment, one might wonder why sell Ipanema? The answer is focus. In a media advisory, Infovista stated: "The planned transaction is part of Infovista's strategic transformation as it sharpens its focus on delivering its cloud-native lifecycle automation platform." SD-WAN and SASE do not fit into that strategy. From my dealings with Infovista, this is the right move, because they should focus on service providers. The company doesn't understand how to sell to businesses or the importance of investing in sales and marketing. Despite having a strong product, they were getting drowned in an ocean of other companies that were far better in those areas. Thus Infovista fell behind.

    I expect Extreme to do big things with the Ipanema product. The investments that Infovista made in developing the cloud-native platform align nicely to Extreme's cloud-first approach. In the short term, it's strong enough for Extreme to sell as a standalone product, but the company does expect to have the technology integrated into its ExtremeCloud platform within a year. This also will enable Extreme to bring its AI capabilities to SD-WAN and SASE, which should add significant value to Ipanema customers. This also boosts Extreme's total addressable market, because the combined SASE-plus-SD-WAN market could be as big as $20 billion in five years.

    Ipanema is well aligned with Extreme's Infinite Enterprise Vision

    The acquisition is also well aligned with Extreme's strategy of the Infinite Enterprise, where connectivity needs to reach anywhere a worker is located. Before Ipanema, Extreme didn't have the products to reach branch offices and home workers at scale. While there were other SD-WAN and/or SASE vendors Extreme could have purchased, I believe it was the strong cloud back end that made Ipanema so attractive. Its cloud-native software delivery platform now makes this possible and gives Extreme products that span WAN, LAN, data center, and campus, all of which can be managed via the cloud. Extreme will use Ipanema to establish a second technology innovation center in Europe. This will strengthen Extreme's European footprint and bring into the company several service providers and managed service partners, including a couple of behemoths such as British Telecom and Orange, the enterprise division of France Telecom.


    McAfee adds over half a million subscribers in Q2

    Security company McAfee on Tuesday published second quarter financial results, adding more than half a million core Direct to Consumer (DTC) subscribers in the quarter. Second quarter diluted earnings, including both continuing and discontinued operations, came to 21 cents per share. Net revenue was $467 million, reflecting growth of 22 percent year-over-year. Analysts were expecting earnings of 18 cents per share on revenue of $433.99 million. "We are very pleased with our team's execution this quarter," said Peter Leav, McAfee's President and Chief Executive Officer. "Not only did McAfee deliver another solid quarter with revenue, DTC subscribers, profitability and cash flow from operations growing double-digits, but did so while simultaneously closing the transaction to sell the Enterprise Business… We look forward to continuing our journey as a pure-play consumer business." McAfee in Q2 completed the sale of its Enterprise Business for $4 billion in cash. Meanwhile, it added 556,000 DTC subscribers, bringing its total number of subscribers to 19.4 million. A year earlier, the company had 16.6 million core DTC subscribers. McAfee also in Q2 signed a multi-year extended agreement with Samsung to deliver consumer security solutions to Samsung device users. For the third quarter, McAfee expects revenue between $461 million and $467 million.


    Microsoft's August 2021 Patch Tuesday: 44 flaws fixed, seven critical including Print Spooler vulnerability

    Microsoft has released 44 security fixes for August's Patch Tuesday, with seven of the vulnerabilities being rated critical and the remaining 37 rated important. Three zero-day bugs were included in the release.

    Thirteen of the patches involved a remote code execution vulnerability while another eight revolved around information disclosure. The affected tools included .NET Core & Visual Studio, ASP.NET Core & Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and more. One of the most prominent patches released in the latest batch covers the Windows Print Spooler Remote Code Execution vulnerability, which has been a major topic of discussion since it was discovered in June. Microsoft also faced backlash from the security community for bungling the release of patches meant to address the issue. Among the three zero-day bugs fixed, the Windows Update Medic Service Elevation of Privilege vulnerability (CVE-2021-36948) is the only one that has been exploited in the wild, according to Microsoft's report, but they do not explain how, where, or by whom. Security expert Allan Liska said CVE-2021-36948 stood out to him because of its similarities to CVE-2020-17070, which was published in November 2020.

    "Obviously, it is bad that it is being exploited in the wild, but we saw almost the exact same vulnerability in November of 2020 but I can't find any evidence that that was exploited in the wild," Liska said. "So, I wonder if this is a new focus for threat actors." Liska added that CVE-2021-26424 is a vulnerability to keep an eye on because it's a Windows TCP/IP Remote Code Execution vulnerability impacting Windows 7 through 10 and Windows Server 2008 through 2019. "While this vulnerability is not listed as publicly disclosed or exploited in the wild, Microsoft did label this as 'Exploitation More Likely' meaning that exploitation is relatively trivial. Vulnerabilities in the TCP/IP stack can be tricky. There was a lot of concern earlier this year around CVE-2021-24074, a similar vulnerability, but that has not been exploited in the wild," Liska explained. "On the other hand, last year's CVE-2020-16898, another similar vulnerability, has been exploited in the wild." The LSA spoofing vulnerability is related to an advisory Microsoft sent out late last month about how to protect Windows domain controllers and other Windows servers from the NTLM relay attack known as PetitPotam. Discovered in July by French researcher Gilles Lionel, the PetitPotam take on the NTLM relay attack can "coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function." It was never found to have been exploited in the wild. The Zero Day Initiative noted that Adobe also released two patches addressing 29 CVEs in Adobe Connect and Magento. ZDI said it submitted eight of the bugs in the recent Microsoft report and explained that this is the smallest number of patches released by Microsoft since December 2019.
    They attributed the decline to resource constraints, considering Microsoft devoted extensive time in July to responding to events like PrintNightmare and PetitPotam. "Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system," ZDI said. "One exception would be CVE-2021-26432, which is a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note that it needs neither privileges nor user interaction to be exploited." The next Patch Tuesday is September 14.


    Microsoft acquires Peer5 to supplement Teams' live video streaming

    Microsoft has acquired Peer5, a WebRTC-based enterprise content-delivery-network (eCDN) vendor, for an undisclosed amount. Microsoft announced the Peer5 purchase on August 10. Peer5's technology will be used to enhance live video streaming in Microsoft Teams, Microsoft officials said. Peer5's current product runs in browsers to optimize bandwidth usage for line-of-business applications, Microsoft officials said, and its mesh networks can automatically scale as the number of viewers increases. Peer5's technology doesn't require additional installation on user endpoints or any changes to physical network infrastructure, officials added. While the addition of the Peer5 solution will give Microsoft its own, first-party product in this space, Microsoft will continue to support other eCDN solutions from Microsoft certified partners, officials said. Current Peer5 customers will be able to continue using their existing Peer5 services, they said. Peer5 has been touting its "seamless integration" with Microsoft's Teams, Stream and Yammer products on its site. It also has offered legacy support for IE and live and video-on-demand support for Office 365. Peer5, founded in 2012, has offices in Palo Alto, Calif. and Tel Aviv. According to its web site, the company's staff has experience in big-data analytics, virtualization and networking. The company is active in the WebRTC space and a member of the W3C steering committee.


    3D capture for construction is like SimCity (but for real)

    Last year we floated the idea of moving construction workers (or at least a portion of on-site workers) to remote work arrangements. On the heels of recent announcements, competing firms Buildots and OpenSpace are pushing that scenario closer to reality with their 360° video capture solutions for construction. Construction accounts for 13% of the world's GDP, but while other traditional industries, like manufacturing, have increased productivity over the years, productivity has remained almost stagnant in the building sector. According to the European Commission, construction productivity has only increased by 1% in the past two decades. And with operational profitability often being only 5%, there is little room for error. That's one reason development dollars are pouring into the space. Automated documentation platforms, which stitch together captured images in a digital replica of physical spaces, are fast becoming key tools for inspection and project management, including in construction. The idea is that construction workers snap a small camera to their hardhat before walking the site. The images are organized and stitched together in the cloud, creating a living model of a job's progress. Buildots, an AI construction tech company, recently announced a $30 million Series B round led by Lightspeed Ventures with the participation of previous investors. Buildots' AI algorithms automatically validate images captured by hardhat-mounted 360° cameras, detecting gaps between the original design, scheduling, and the construction site's reality. In what might read as something of a counterpunch, OpenSpace, which makes a similar platform, recently released OpenSpace Basic to qualified builders for free. "Over the past year, we've heard from builders that they wanted to have more access to the automated convenience of our standard video site capture product, which inspired us to create OpenSpace Basic," says Jeevan Kalanithi, CEO and co-founder of OpenSpace.
    "OpenSpace Basic is a big jump forward from our earlier free products. We firmly believe that automated site documentation will be as ubiquitous on construction sites as a nail gun or ladder, so we want to make our platform available to as many builders as possible today." The free debut of the technology tracks a larger trend of digitization on the job site.

    "Even prior to the current pandemic," Kalanithi told us last year, "we were beginning to see wider adoption of digital tools on job sites, including those that enable remote work, like photo documentation. The situation we're in now will likely lead to an acceleration in the adoption of these types of technologies, but this is the direction that the industry was heading in regardless." Similar technologies have made their way into the construction industry from firms like HoloBuilder, Matterport, and Drone Deploy, part of a wave of 3D mapping firms that are applying the technology to an array of industries and sectors. "When it comes to digital transformation, construction has been a sleeping giant and COVID-19 served as an accelerator for the industry," said Roy Danon, co-founder and CEO of Buildots. "We are now working with construction companies in over a dozen countries, and what we're seeing is that the challenges Buildots is addressing are ubiquitous around the world. A global expansion at the rate we've experienced would have ordinarily been impossible in an industry like construction that has its roots in handshake deals and in-person relationships without the new covid reality of remote meetings and even deal signings."


    ExpressVPN vs. Surfshark vs. NordVPN: Which is best?

    When choosing a VPN, you've got a huge number of choices. In our best-of guide and speed test guide, we've narrowed down the list from the wide array of branded commercial options out there to about 10. But that is still a lot to dig through. Which do you choose? In this article, we've taken three of our top choices, ExpressVPN, Surfshark, and NordVPN, and compared their characteristics. This isn't a one-size-fits-all competition. You'll need to decide which factors matter most to you, and from that, you can choose which product you want to test out. Keep in mind that all three products offer trial periods. We strongly encourage you to take advantage of that period to see which performs best in all of the likely situations where you'll be using a VPN. And with that, let's dive in.

    Surfshark wins, ExpressVPN implodes

    Winner: Surfshark

    VPN providers are always tinkering with their pricing, so these numbers are bound to change. That said, Surfshark is the least expensive, by quite a lot. Surfshark's best deal is what they tout as a $2.49 a month plan (you'll really be paying $59.76 now for two years of service). Nord is asking for $3.67 (or a wallet hit of $89 on signup for two years of service). ExpressVPN's best deal is what they tout as $6.67 a month (you'll really be paying $99.95 now for 15 months of service). After that 15 months, you'll be charged $99.95 every 12 months, so the per-month price is essentially going up about a buck and a half after that first year. If you want two years of service, you'll be paying $59.76 for Surfshark, $89 for NordVPN, and roughly $175 for ExpressVPN ($99.95 for the first 15 months, plus nine more months at the $99.95-per-year renewal rate). Surfshark definitively wins this round by allowing you to run an unlimited number of devices with its Surfshark VPN service, while Nord permits just six simultaneous connections. And ExpressVPN gives you even less for its much more expensive price: just five simultaneous connections. At least all offer a 30-day money-back guarantee.

    NordVPN wins by a hair, Surfshark loses by a mile

    (Image: ZDNet/David Gewirtz)

    Winner: NordVPN

    In our fastest VPN guide, we took a look at both our own in-house tests and how the Internet overall rated these VPNs. We compared VPN rankings in speed tests from 10 sites besides ZDNet. Of potentially more interest, we compared the standard deviation of those rankings, which helps us determine whether a given VPN has a consistent ranking all across the internet, or different reviewers got wildly different numbers. As the above slide shows, NordVPN not only had a better aggregate average ranking but a considerably lower standard deviation than either of the other two players. This means that pretty much wherever you are, your NordVPN performance should be pretty good. ExpressVPN gave NordVPN a run for its money. While ExpressVPN's aggregate speed didn't quite match Nord's, it was in the ballpark. Likewise, its standard deviation was a bit more wobbly, meaning it was a tad less consistent than Nord. But, honestly, either choice would be a win from a speed perspective. By contrast, Surfshark is both slower and considerably less predictable. While Nord and ExpressVPN are running pretty much neck and neck, the definitive loser here is Surfshark.

    ExpressVPN wins

    Winner: ExpressVPN

    All three VPN players support the big four: iOS, Android, Mac, and Windows. ExpressVPN also supports Linux, routers, and Kindle Fire. It supports Xbox, PlayStation, and the Nintendo Switch as well as the Chrome, Edge, and Firefox browsers. When it comes to TV support, ExpressVPN lists Apple TV, Amazon FireTV, Samsung, Roku, Nvidia Shield, Chromecast, LG Smart TVs, Android TV, and others that require more of a manual setup process. Additionally, it offers setup instructions for Synology and QNAP NAS appliances. In addition to its big four clients, NordVPN lists Android TV, Linux, and Chrome and Firefox extensions on its download page, but has a support page for installing NordVPN on other platforms, including routers, Raspberry Pi, and NAS boxes including Synology, Western Digital My Cloud, and QNAP. Besides iOS, Android, Mac, and Windows, Surfshark also supports Linux, FireTV, Apple TV/iPhone, and what it calls "other TVs." It supports Xbox and PlayStation as well as the Chrome and Firefox browsers. The fact is, all three products support a reasonably wide range of devices, but we have to give the win to ExpressVPN. You can keep digging down in the support pages and there are more and more devices with install tutorials, the deeper you dig.

    Three-way tie

    Winner: ExpressVPN, Surfshark, and NordVPN

    I always like to make sure this point is stressed in all my VPN coverage: if you're counting on a VPN for your physical freedom or to protect your life, it's important that you do a lot more research than just reading an article like this. With that said, let's look at the overall security profile for these three vendors. NordVPN has got a lot of mileage out of its Panamanian corporate registration, claiming that Panama puts its records out of the legal reach of governments and lawyers. As I discussed in great depth in my analysis of NordSec, it's possible that countries with Mutual Legal Assistance Treaties (MLAT) may well be able to pierce the corporate veil. Although I didn't do as in-depth an analysis of ExpressVPN, the company has similar claims and limits as Nord. ExpressVPN lists its registry in the British Virgin Islands but is a company with developers based in many MLAT countries as well. Surfshark also has the same basic claims and limits as Nord. Surfshark lists its registry in the British Virgin Islands, but like Nord and ExpressVPN, it's a company with developers based in many MLAT countries as well. Surfshark boasts a private DNS service among its advanced features so you can be protected even while using public Wi-Fi whether you're in Australia, Hong Kong, the Netherlands, the USA, or anywhere in between. Surfshark also says it passed the German company Cure53's security audit and uses AES-256 encryption alongside its strict no-logs policy, but note that the Cure53 audit was limited to Surfshark's browser extensions, not the VPN service itself. All three vendors tout a no-logs policy. All three say they don't capture VPN connection time stamps, used bandwidth, traffic logs, IP addresses, or browsing data, but there are some nuances here. NordVPN says it doesn't track used bandwidth, while ExpressVPN says it tracks the total amount of data transmitted each day.
    ExpressVPN also tracks the location of the VPN servers you connect to. That's not good, because it means they can tell where your connection originated from (or at least the country) and where you're trying to connect to. All three offer warrant canaries. All three also capture email addresses and billing information. All three accept cryptocurrencies, so you don't have to hand a credit card number or a PayPal account to the provider, which keeps your payment details out of their records and out of any breach of them. So, which is more secure? Honestly, they're very close. We probably wouldn't feel comfortable putting our lives in the hands of any of these three companies (not that they're doing anything wrong, but just because it's a scary concept), but we'd certainly feel reasonably comfortable letting them protect our Wi-Fi surfing when out and about.

    NordVPN and Surfshark tie

    Winner: NordVPN and Surfshark

    All three vendors offer a kill switch, which we consider table stakes in terms of VPN special features. Both Nord and Express offer split tunneling, allowing you to channel some traffic through the VPN and the rest through your local connection without VPN interference. Surfshark offers a multi-hop connection, similar to a NordVPN feature, which routes your traffic through two VPN servers so your IP address changes twice before reaching the destination. ExpressVPN says it's running a private DNS, but any VPN client has to send your DNS queries somewhere, and resolving them through the tunnel on the provider's own resolvers is the standard way to prevent DNS leaks to your ISP. So while other vendors don't list "Private DNS" as a feature, they all need to be running resolvers as a consequence of tunnelling your traffic. Surfshark and NordVPN support P2P, allowing you to torrent your favorite Linux distros (and possibly other digital sharing activities of dubious legality, which we categorically do not recommend). ExpressVPN makes no mention of P2P. NordVPN has a few interesting features not provided by either ExpressVPN or Surfshark. NordVPN provides Onion Over VPN, which allows you to use both the Tor onion network and Nord's VPN together. NordVPN also allows you to buy a dedicated IP address, which can help if you're dealing with anonymous servers or gaming connections. NordVPN also offers business plans. NordVPN and Surfshark offer malware and adware filtering, although Surfshark's AdBlock VPN feature appears to be somewhat more comprehensive. Surfshark also offers what it calls Camouflage Mode, which the company says can prevent your local ISP from knowing you're surfing using a VPN. While NordVPN has a blog post on whitelisting, they don't appear to have whitelisting as an actual client feature. By contrast, Surfshark uses its split-tunneling feature as a whitelister. ExpressVPN has an interesting blog post about how it prevents its apps from getting malware but doesn't offer malware protection or adware filtering for traffic run over its VPN network.
    All three vendors come to the game with most of the features you'd expect. Nord has a few more business-focused features while Surfshark has some features that may afford a limited degree of additional personal privacy, but this would need in-depth testing to truly validate. ExpressVPN appears to just be phoning it in. It's a tight contest, but we're awarding wins to both Surfshark and NordVPN. ExpressVPN just gets a participation award.

    ExpressVPN vs. Surfshark vs. NordVPN: Your decision tree

    So, how do you choose between the three?

    Well, if you just count up the wins, Surfshark comes in first, then NordVPN, and then ExpressVPN. But the wins and losses aren't particularly pronounced. Instead, we recommend you use the decision tree below. Before that, you might want to take a spin through The fastest VPN: NordVPN, Hotspot Shield, and ExpressVPN compared. We didn't just test VPN provider performance in this in-depth analysis. We go out onto the internet, gather performance data from all across the Web, and let you know which provider is the best overall. So, now, let's decide:

    If price is your top concern, Surfshark will save you about $30 over two years over NordVPN and roughly a hundred dollars over ExpressVPN.
    If predictably fast download performance is key, then NordVPN is more consistently fast in overall performance.
    If you need a VPN for a NAS appliance, then either NordVPN or ExpressVPN will do.
    If you want a VPN for your Xbox or PlayStation instead of a mobile device or mobile apps, choose Surfshark or ExpressVPN.
    If you want a VPN for something that's not in the usual list, ExpressVPN is more likely to have a documented setup process.
    If you want a dedicated IP address or more business-oriented features, choose NordVPN.

    So, there you go. NordVPN and Surfshark have distinctly different personalities, but each does the job in its own way. It's hard to get excited about ExpressVPN, except for its wide range of device support. NordVPN also seems the most predictable of the bunch.

    How do these choices fit your needs? Have you chosen a VPN provider already? What capabilities and characteristics helped you to make up your mind? You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    Hackers netting average of nearly $10,000 for stolen network access

    A new report from cybersecurity company IntSights has spotlighted the thriving market on the dark web for network access, which nets cybercriminals thousands of dollars per sale.


    Paul Prudhomme, cyber threat intelligence advisor at IntSights, examined network access sales on underground Russian- and English-language forums before compiling a study on why criminals sell their network access and how they transfer that access to buyers. More than 37% of all victims in a sample of the data were based in North America, and the sample showed an average price of $9,640 and a median price of $3,000. The study notes that the kind of access on offer continues to be used in ransomware attacks across the world.

    Dark web forums are enabling a decentralized system in which less-skilled cybercriminals can rely on each other for different tasks, allowing most ransomware operators to simply buy access from others, according to Prudhomme. The network access on offer ranges from the credentials of system administrators to remote access into a network. With millions still working from home due to the COVID-19 pandemic, the sale of network access has increased significantly over the last 18 months. Remote access is generally through RDP and VPNs.

    In dark web forums and marketplaces, cybercriminals share access to a slate of malware, malicious tools, illicit infrastructure, and compromised data, accounts, and payment card details. Many of the most sophisticated forums and marketplaces are in Russian, but there are also many English-, Spanish-, Portuguese- and German-language forums. Cybercriminals rarely have a full team of attackers experienced in each stage of an attack, which makes dark web forums ideal: they can either sell what they’ve already stolen or search for malware payloads, hosting infrastructure and access to compromised networks.

    “This factor is particularly applicable to compromises of specialized environments, such as those with operational technology (OT), industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, or other less common or less conventional technology that may be unfamiliar to many attackers,” Prudhomme explained.

    At times, attackers realize they have broken into a network with no data that can be stolen or sold and decide to sell access to ransomware groups. The posts offering compromised network access identify the victim and the form and level of access for sale, as well as the pricing and other transaction details. Sometimes the victims are identified by location, industry or sector, and revenue information is often included. The descriptions may also include the number and types of machines on the network or the types of files and data it contains. Hackers will often explicitly flag an organization as a potential ransomware target in their ads. Some access is sold at auction, while other offers are negotiated over time.

    The most common features of these sales are RDP credentials and VPN credentials, both of which are being used considerably more because of the pandemic. Web shells are also used as persistence mechanisms that can be transferred to a buyer.

    “Elevated privileges are a common feature of these sales, but not a universal one. Many types of malware, including ransomware, need elevated privileges in order to run,” Prudhomme said. “Higher privileges can also enable attackers to create their own accounts or take other measures to use as additional persistence mechanisms, providing redundancy for the access that they purchased. Domain administrator credentials are a common component of these sales, in conjunction with a form of remote access. Some forms of remote access for sale may also come with their own elevated privileges.”

    Included in the study is a quantitative and qualitative analysis of a sample of 46 sales of network access on underground forums covered in alerts provided to IntSights customers from September 2019 to May 2021. Within this selection, seven individuals accounted for more than half of the access offerings for sale, representing the larger trend of attacks concentrated among a small number of specialized vendors. Of the 46 samples, 40 named the location of the victim organization, and nearly 40% were in the US or Canada. Ten of the 46 victims were in the telecommunications industry, while three other industries — financial services, healthcare and pharmaceuticals, and energy and industrials — tied for second place.

    “Despite the relatively small number of retail and hospitality victims, the second-most expensive offering in this sample, with an asking price of approximately $66,000 USD worth of Bitcoin at the time, was for access to an organization supporting hundreds of retail and hospitality businesses,” Prudhomme explained. “The victim was a third-party operator of customer loyalty and rewards programs. The seller highlighted the various ways in which a buyer could monetize this access, including: review and manipulation of source code; access to the accounts and points of loyalty program members; and spam and phishing attacks, including ransomware campaigns against loyalty program members via legitimate communication channels.”

    Prudhomme noted that cybercriminals often go after airline frequent flier programs and similar customer loyalty programs because of the general lack of anti-fraud measures. While $9,640 was the average price, IntSights researchers said most prices hovered around $3,000. Just ten of the prices surpassed $10,000, and most of those were for access to telecommunications or technology companies. Many offers were in the hundreds of dollars, and the lowest offer was $240 for access to a healthcare company in Colombia. The peak seen in the study was $95,000 for access to a large telecommunications service provider in Asia with over $1 billion in revenue.

    The researchers urge organizations to patch systems, enable MFA and take other measures to close off potential access points.

    “The amount of time that it takes to sell network access may give security teams more time to detect a breach before a buyer monetizes it or does anything else with it that could cause significant harm,” the report said. “The amount of time needed to find a buyer varies considerably, ranging from hours to months, but a time frame of days or weeks is more typical. If security teams discover an intruder who has had access for a significant period of time but has not yet begun to monetize it, e.g., by exfiltrating profitable files or deploying ransomware, then that delay could indicate that the initial intruder is still waiting for a buyer.”