Forever 21 Investigates Possible Data Breach After Third-Party Tip

This week, the Alert Logic team highlights the Forever 21 data breach investigation and how the IcedID banking trojan is affecting financial institutions. Read the full report to learn more and get access to the week’s Top Malicious IP addresses.

Data Breach

Forever 21 Investigates Possible Data Breach After Third-Party Tip

US-based clothing retailer Forever 21 is investigating a potential data breach after receiving a third-party tip on Tuesday that data had been accessed without authorization at a number of its stores. A cyber forensics firm working with the retailer on the investigation traced the problem to a deployment issue dating back to 2015: when the company rolled out encryption and improved security systems to its stores, some locations were not yet fully protected, and a compromise may have taken place during that gap.

The company is continuing its investigation, focusing on in-store transactions made from March to October of this year. Customers have been advised to watch for any unexpected banking or credit card activity.

References: Forever 21 clothing stores hit by credit card data breach after encryption failure | Forever 21 investigating possible data breach

Mitigation Strategies:

Malware

IcedID Banking Trojan Affects Financial Institutions Across US, UK, and Canada

Spotted by IBM X-Force Research back in September, the IcedID banking trojan has been affecting financial institutions including banks, payment card providers, mobile service providers, and e-commerce sites. IcedID resembles other banking trojans such as Zeus, Gozi, and Dridex in its manipulation tactics, using both redirection and web injection, but it does not borrow code from them.

IcedID is delivered through the Emotet botnet infrastructure, one of the notable malware distribution methods of 2017. Once a user opens their web browser, a configuration file containing the trojan's targets is downloaded from a C&C server. IcedID then sets up a local proxy listening on port 49157, through which it funnels web traffic to a fake site that collects user credentials. These pages mimic the look and feel of the legitimate banking websites while displaying the correct URLs and SSL certificates.
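As an added defender-side example that is not part of the Alert Logic report: a Python check that looks for the local-proxy pattern described above in `netstat -ano`-style output. The netstat lines, PIDs and image names below are constructed sample data; only the port number 49157 comes from the text.

```python
import re

# Constructed sample in Windows `netstat -ano` layout: proto, local, remote, state, PID.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49157        0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:49157        127.0.0.1:51022        ESTABLISHED     4412
  TCP    127.0.0.1:51022        127.0.0.1:49157        ESTABLISHED     6020
  TCP    192.168.1.20:51030     93.184.216.34:443      ESTABLISHED     6020
"""

# Constructed PID -> image name map, as you would get from `tasklist`.
SAMPLE_PROCESSES = {912: "svchost.exe", 4412: "proxy_host.exe", 6020: "chrome.exe"}

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
ICEDID_PROXY_PORT = 49157  # loopback proxy port named in the IcedID write-up

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (laddr, lport, raddr, rport, state, pid) tuples for TCP rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append((laddr, int(lport), raddr, int(rport), state, int(pid)))
    return rows


def find_local_proxy_hijack(netstat_text, processes, port=ICEDID_PROXY_PORT):
    """Flag non-browser processes listening on loopback:port that browsers talk to."""
    rows = parse_netstat(netstat_text)
    # Step 1: processes listening on the loopback proxy port.
    listeners = {pid for laddr, lport, _, _, state, pid in rows
                 if state == "LISTENING" and lport == port and laddr.startswith("127.")}
    # Step 2: browsers with an established connection to that loopback port.
    browsers = {pid for _, _, raddr, rport, state, pid in rows
                if state == "ESTABLISHED" and raddr.startswith("127.") and rport == port
                and processes.get(pid, "").lower() in BROWSERS}
    # Only pair a browser with a listener that is not itself a browser.
    return sorted((processes.get(l, "?"), l, processes[b], b)
                  for l in listeners for b in browsers
                  if processes.get(l, "").lower() not in BROWSERS)
```

Because 49157 falls inside the Windows dynamic port range (49152 to 65535), matching the port number alone produces false positives; the check therefore requires both a loopback listener on the port and a browser connected to it.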

IcedID can be stopped by multilayered security solutions, as the trojan lacks anti-virtual-machine and anti-research evasion techniques.

References: New Banking Trojan IcedID Discovered by IBM X-Force Research | IcedID Banking Trojan Targets US Financial Institutions

Mitigation Strategies:

Security Insights

More Security Insights and Industry News

Check out our new blog posts, plus you can follow the blog on our social media outlets.

This Week's Suspicious IP Addresses

6.0.100.75 1.11.1.40
188.209.52.129 131.107.255.255
185.94.111.1 185.35.63.131

*IP addresses provided by Recorded Future.