Krebs says he recently began hearing from sources at several banks about a pattern of credit and debit card fraud in which all impacted cards had been recently used at one of Bebe's 200 locations across the United States.
A source at an East Coast bank told Krebs that a batch of cards offered for sale earlier this week at the online cybercrime shop Goodshop for $10 to $27 per card had all been used at U.S. Bebe locations between November 18 and November 28, 2014.
"It is not clear if the breach at Bebe stores is ongoing, or if it extends prior to mid-November 2014," Krebs notes.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Krebs also says there's no indication that the apparent breach impacts online purchases. "The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines," he writes.
The stolen data is then sold on cybercrime sites like Goodshop, and used by criminals to create fraudulent cards.
Tod Beardsley, Metasploit engineering manager at Rapid7, told eSecurity Planet that the Bebe breach demonstrates that criminal organizations are getting better at locating and exploiting targets in the retail sector.
"The plain facts are that credit card magnetic stripe systems are embarrassingly old technologies and should be phased with all possible haste, point of sale systems and back-end payment processing systems are not getting sufficient attention from professional information security auditors and practitioners, and major retails generally do not publish or share their lessons learned as a normal part of their breach recovery," Beardsley said. "Until these failures are addressed, there is no reason to think these attacks will slow down any time soon."
Anyone who recently shopped at Bebe, Beardsley said, should review their bank and credit card statements for fraudulent activity, and should contact Bebe customer relations for more information on the reported breach.
"Of course, consumers should also routinely review their bank statements to look for mysterious charges," Beardsley added. "After all, this is unlikely to be the last reported attack on a major retailer."