
© 2013 Trustwave Holdings, Inc. 1

The Anatomy of a Breach

Jonathan Spruill, Senior Security Consultant, SpiderLabs


The Anatomy of a Breach - Agenda

• The Legitimate Purchase

• Attackers Penetrate and Steal

• The Black Market

• Fraud

• Detection

• Investigation and Remediation

• The Hunt

• Conclusion


The Attack Du Jour

• This presentation focuses on the theft of cardholder data.

• Data breaches are all the same; the only thing that changes is the target data.

• The means and method are a constant.

• Once that has been recognized, investigative strategies can be developed to speed response and minimize delays.


THE ATTACKS


The Attacks - POS: Remote Access

• IT companies and POS integrators often support their customers remotely; this reduces their costs and lets them support dozens of customers from a single location.

• Several programs make it very easy for IT companies to work this way:

– Microsoft Remote Desktop

– PCAnywhere

– Virtual Network Computing (VNC)

• All are very popular and cheap or free.


The Attacks - POS: Remote Access

• There are several major players in the point-of-sale industry:

– Radiant/Aloha

– Micros

– PosiTouch

– Xpient

– Digital Dining

– Granbury/Firefly

• By default, they all ship with simple default usernames and passwords.

Default credentials for these products (username:password, as listed on the slide):

– aloha:hello

– micros:micros or M1cr0s9700

– posi:posi

– support:support

– ddpos:ddpos

– term1:term1

– pos:pos


THE LEGITIMATE TRANSACTION: Neighborhood Restaurant

[Diagram: POS Register → Back of House Server; the same track data travels each hop]

TXAUSTIN^SMITH$JOHN^1122 ELM ST^?;63601234567855=151077441023?


The Attacks - POS: Malware - Keyloggers

[POS Register]

B3421303621931843^Starscream/Jules^091010100000019301000000877000000?;3421303621931843=0910101193010877?

• The card reader is usually a simple USB device that the operating system treats just like keyboard input, so a keylogger captures the full swipe along with everything typed.


The Attacks - POS: Malware - Memory and Process Scrapers

[Track data as a scraper finds it in the POS application's process memory:]

B3421682999620492^Roboto/Pantera^140910100000019301000000877000000

B3421133323698695^Zappa/Frank^090710100000019301000000877000000?;3421133323698695=0907101193010877?

B3421303621931843^Starscream/Jules^091010100000019301000000877000000?;3421303621931843=0910101193010877?
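The keyloggers and scrapers above both come down to pattern-matching the two track formats in a stream of bytes. The following Python is added here as an example and is not code from the slides or from Trustwave; it shows that logic as a defender would write it for memory or disk triage: regexes for Track 1 (format B) and Track 2, a Luhn check to discard false positives, and masking for reporting. The sample buffer is constructed: it uses a published test card number (4111 1111 1111 1111) plus the slide's own Track 2 record, which is fictional and fails the Luhn check, so the scanner drops it.

```python
"""Scan a byte buffer for magnetic-stripe track data, the way a POS memory
scraper (or a defender's memory/disk triage tool) does.

Added example; not code from the original slides.  SAMPLE_MEMORY is a
constructed buffer using a published test PAN, not real cards.
"""
import re

# Track 1, format B: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?
# The captures on the slides omit the leading '%' sentinel, so it is optional.
TRACK1_RE = re.compile(
    rb"%?B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^"
    rb"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; scrapers use it to throw away regex false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four for reporting; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return every Luhn-valid track record in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group("name").decode(),
                         "expiry": m.group("exp").decode(),   # YYMM
                         "service_code": m.group("svc").decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "expiry": m.group("exp").decode(),
                         "service_code": m.group("svc").decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process memory dump: two real-format records
# built from a test PAN, some binary noise, a Luhn-invalid decoy, and the
# slide's own (fictional, Luhn-invalid) Track 2 sample.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP.EXE\x00\x7f\xfe"
    b"%B4111111111111111^DOE/JANE^25121011000000000000000000?"
    b";4111111111111111=25121011000000000000?"
    b"\x00\x10noise\xff\xfe\x00"
    b";1234567890123456=2512101000000?"
    b";3421303621931843=0910101193010877?"
    b"\x00"
)


def report(buf: bytes = SAMPLE_MEMORY) -> list:
    """Masked one-line summaries, suitable for an incident report."""
    return [f"track{h['track']} @0x{h['offset']:x} pan={mask_pan(h['pan'])} "
            f"exp={h['expiry']} svc={h['service_code']}" for h in scan_buffer(buf)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

The same two regexes, with the Luhn filter, are what a POS scraper applies to every process it can read; run on a memory image they are also the fastest way to confirm whether a suspect host ever held track data.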


MALWARE IS SERVED: Neighborhood Restaurant

[Diagram: the same POS Register → Back of House Server path, now with malware on the POS systems copying the track data as it passes]

TXAUSTIN^SMITH$JOHN^1122 ELM ST^?;63601234567855=151077441023?


EXAMPLE: POS MALWARE INFECTION: A Large Fast Food Franchise

• The franchise's provider uses a default username and password for POS remote access.

• Attackers gain access to a single location, then find the IP addresses for all locations.

• All locations are breached and custom malware is deployed.

• Cardholder data is harvested for 7 months before discovery.
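The franchise case above leaves a pattern that a store firewall log can expose: the integrator's support tools (RDP, VNC, pcAnywhere) reached from an address that is not the integrator's, and then that same address fanning out to other stores. The following Python is an added example, not code from the slides or from Trustwave. The log format, the store numbers, the vendor allowlist and every address in it are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and it assumes the store firewalls log accepted inbound connections with source, destination and port.

```python
"""Audit store firewall logs for remote-support sessions that do not come
from the POS integrator.

Added example; not from the original slides.  Log format, store numbers,
allowlist and addresses are all constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Listening ports for the remote-access tools the slides name.
REMOTE_SUPPORT_PORTS = {3389: "RDP", 5900: "VNC", 5631: "pcAnywhere"}

# The integrator's support network: the only source that should reach those
# ports at any store.  (Constructed value.)
VENDOR_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# One accepted inbound connection per line, as a store firewall might log it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) store=(?P<store>\d+) action=ACCEPT "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: a normal vendor session at store 017, then an unknown
# address logging in there and walking on to stores 018, 019 and 020.
SAMPLE_LOG = """\
2013-04-12T14:02:11Z store=017 action=ACCEPT src=198.51.100.20 dst=10.17.0.5 dport=3389
2013-04-12T23:48:03Z store=017 action=ACCEPT src=203.0.113.45 dst=10.17.0.5 dport=3389
2013-04-13T00:05:19Z store=017 action=ACCEPT src=203.0.113.45 dst=10.17.0.5 dport=5900
2013-04-13T00:31:40Z store=018 action=ACCEPT src=203.0.113.45 dst=10.18.0.5 dport=3389
2013-04-13T00:52:07Z store=019 action=ACCEPT src=203.0.113.45 dst=10.19.0.5 dport=3389
2013-04-13T01:14:55Z store=020 action=ACCEPT src=203.0.113.45 dst=10.20.0.5 dport=3389
2013-04-13T09:00:00Z store=018 action=ACCEPT src=198.51.100.21 dst=10.18.0.5 dport=5631
2013-04-13T09:02:30Z store=018 action=ACCEPT src=203.0.113.9 dst=10.18.0.5 dport=443
"""


def is_allowlisted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in VENDOR_ALLOWLIST)


def parse(log: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def audit(log: str, fanout_threshold: int = 3) -> dict:
    """Two detections over the log:

    unexpected: remote-support connections from outside the allowlist
    fanout:     non-allowlisted sources that reached >= fanout_threshold
                stores, the "find the IP address for all locations" step
    """
    unexpected = []
    stores_by_src = defaultdict(set)
    for ev in parse(log):
        tool = REMOTE_SUPPORT_PORTS.get(ev["dport"])
        if tool is None:
            continue                      # not a remote-support protocol
        stores_by_src[ev["src"]].add(ev["store"])
        if not is_allowlisted(ev["src"]):
            unexpected.append(f"{ev['ts']} store {ev['store']}: {tool} from {ev['src']}")
    fanout = {src: sorted(stores) for src, stores in stores_by_src.items()
              if len(stores) >= fanout_threshold and not is_allowlisted(src)}
    return {"unexpected": unexpected, "fanout": fanout}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for line in result["unexpected"]:
        print("ALERT", line)
    for src, stores in result["fanout"].items():
        print(f"FANOUT {src} reached stores {', '.join(stores)}")
```

The allowlist is the control that actually fixes the franchise scenario: if the firewall only accepts those ports from the integrator's range, a stolen default password is useless from anywhere else, and the fan-out rule catches the case where the integrator itself has been compromised.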


The Attacks - Ecommerce

• Remote access

– ColdFusion Administrator, JBoss, phpMyAdmin

• Coding flaws

– SQL injection

– Local and remote file inclusion

– Unrestricted image uploads

The attack vectors and the malware change, but the point is still the same: harvest credit cards.


The Attacks - Ecommerce

• Stored data

– A bonus for attackers!

– 1.8 million cards is the current Trustwave record

– Weak or no encryption in place

• Code modifications are made

– Submit sends a copy of the data to a file

– Or directly out to another server

Once access is gained, malware is installed or data is collected.


THE LEGITIMATE TRANSACTION: Online Clothing Retailer

[Checkout form as submitted: name, billing address, card number, expiry, security code]

John Smith
1122 Elm St
Salem's Lot ME
63601234567855
11/16
6464


MALWARE IS SERVED: Online Clothing Retailer

[The same checkout form; the modified submit handler now copies each submission before it reaches the payment flow]


EXAMPLE: E-COMMERCE DATA BREACH: Online Clothing Retailer

• Improper input validation allows the attacker to send SQL statements to the database.

• The schema is identified. Even though the card data is encrypted, the "decrypt" function is a stored procedure the attacker can call.

• A complex SQL statement decrypts the data and writes it to a file in the web-reachable "images" directory, encoded and renamed.

• The attackers navigate to the "images" directory and export the harvested data.
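The export step above is the one a defender can catch cheaply: a web-reachable images directory should contain nothing but images, so a file whose extension says JPEG but whose bytes are a base64 blob or a script is a staged dump or a web shell. The following Python is an added example, not code from the slides or from Trustwave. It checks each file's magic bytes against its extension and flags the "encoded and renamed" case; the directory and every file in it are constructed in a temp dir so the check runs offline.

```python
"""Hunt for non-image files staged in a web-reachable "images" directory,
the export path used in the e-commerce breach above.

Added example; not from the original slides.  The directory and its files are
constructed in a temp dir so the check runs offline.
"""
import base64
import os
import re
import tempfile

# Magic bytes each extension is expected to start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Nothing but base64 alphabet for the whole sampled head: what "encoded and
# renamed" query output looks like.
B64_RUN = re.compile(rb"^[A-Za-z0-9+/=\r\n]{64,}$")


def classify(path: str) -> str:
    """Return 'ok', 'base64-blob', 'magic-mismatch' or 'unknown-extension'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    if ext not in MAGIC:
        return "unknown-extension"          # .php, .txt, ... do not belong here
    if any(head.startswith(sig) for sig in MAGIC[ext]):
        return "ok"
    if B64_RUN.match(head):
        return "base64-blob"
    return "magic-mismatch"


def hunt(root: str) -> dict:
    """Map every file that is not a genuine image to its verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict != "ok":
                findings[os.path.relpath(path, root)] = verdict
    return findings


def build_sample_images_dir() -> str:
    """Constructed fixture: two real image headers, a staged dump, a .jpg that
    is really a script, and a stray PHP file."""
    root = tempfile.mkdtemp(prefix="images_")
    staged = base64.b64encode(b"4111111111111111,DOE/JANE,2512\n" * 8)  # test PAN
    files = {
        "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "hero.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "img_20130412.jpg": staged,          # exported rows, encoded and renamed
        "photo_01.jpg": b"<?php /* not an image */ ?>",
        "thumbs.php": b"<?php echo 'x'; ?>",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(hunt(build_sample_images_dir()).items()):
        print(f"{verdict:18} {rel}")
```

Run nightly against the web root's upload and image directories, this is a cheap tripwire for both the "unrestricted image uploads" vector and the staged-export step; the same magic-byte check, applied at upload time, is the fix for the upload vector itself.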


THE BLACK MARKET


The Black Market

The black market for credit card data is flourishing.

• Google "carding forum"

– The first 15 or so pages are hits for sites where you can create an account, search for the type of cards you want to purchase (Amex, Visa, MC, ...), and buy the data for between $5 and $50.

– The big sites have started blending massive amounts of cards from huge stored-data breaches to make detection more difficult.


"DUMPS" BUSINESS CYCLE

[Flow diagram: Hackers / Card Processor Database / Major Retailer Database → Major Dumps Vendors → Reseller, Reseller → Street-level Customers (many)]


No Shortage of Dumps Vendors

[Screenshots: dump sites such as C13.cc, and BadB's fully automated dumps vending website]


AUTOMATING STOLEN CARD SALES

• Dumps.name

• Trackservices.biz

• Zukkoshop.net

• CardRockCafe.biz

• Track2.name

• Cvvshop.com

• Cvv2shop.com

• Dumps.ws

• Darkservices.cc

• Autosell.cc

• FreshShop.su

• Mn0g0.su

• Hqcc.biz

• Cardt.ru

• CCshop.su

• Vaultmarket.org

• LTDcc.com

• Cvv2.su

• CC.am

• Killa.cc

• Bigseller.cc

• CCsell.biz


Plastics

[Photos: counterfeit plastics]

So you bought yourself some track data and some nice plastic? Now what?


FRAUD


Fraud: Card Present

• Sophisticated carders will have a fake ID made and will use a high-limit card. High-end electronics are a favorite.

– Usually high-end goods that can easily be resold on eBay, Amazon, Craigslist, etc.

• Ever seen that innocent-sounding ad on Craigslist, "I received 2 iPads for Christmas, selling one at a slight discount"?

– Carder.

• "My new roommate has the same brand-new Xbox as me, need to sell one."

– Carder.


Fraud: Card Not Present

• Another big scam related to CNP fraud is to run an eBay shop selling big, heavy electronics like TVs at a discount.

– The shopper buys a product that the carder on the other end doesn't actually have.

– The carder then makes a fraudulent purchase from a legitimate business like Best Buy and ships directly to the unwitting eBay buyer, who gets a beautiful brand-new TV.

• Airline tickets

– Another big CNP purchase, always for hot destinations like LAX to Honolulu.

– "I bought these first-class tickets and now my wife and I can't go, please buy them at a discount."


Fraud-ATM: ATM Cashouts

• A particularly nasty breach of a prepaid card provider

– A globally orchestrated event

– Direct attacker access to cash

– Attackers maintained total control over a provider database and manipulated balances and accounts over a holiday weekend.

– Access to balances, account numbers, TRACK DATA, and the PIN reset system

– A simple attack utilizing SQL injection (OWASP Top 10 #1)

– Millions and millions in multiple currencies stolen


Fraud-ATM: Profile of an ATM Cash Out Attack

[Map of cash-out locations: Mexico, U.S., Canada, Dominican Republic, UK, Russia, UAE, Japan, Estonia, Latvia, Italy, Germany, Ukraine, Pakistan, Sri Lanka, Spain, Egypt, Belgium, Romania, Thailand, Malaysia, Indonesia]


PLAYERS

Threat Landscape

[Photo slides]

• Dimitri Golubov

• Max Butler: $2,000,000 in credit card theft; sentenced to 13 years in prison

• Albert Gonzalez: $170,000,000 in credit card and ATM fraud; sentenced to 20 years in prison

• Lin Mun Poo

• Egor Shevelev

• Dimitri Smilianets

• Brian Salcedo


DETECTION


Detection Percentages

[Chart: how breaches were detected, by source]


Detection - Self

Least common (only 24% of the time)

• The merchant spots the malware, or a lot of patrons come in saying their cards were stolen right after a stay, meal or beer.

– It is rare for a merchant or antivirus to detect card-stealing malware.

– Even rarer for cardholders to accurately say which business is leaking their data.


Detection - Law Enforcement

Somewhat common

• Law enforcement receives enough complaints about a specific business to identify a common point of purchase, or another case leads to a jump server and good old-fashioned police work identifies more victim businesses.

– Significantly more common than self-detection

– Usually much faster than detection by the banks or card brands
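The "common point" that law enforcement and the card brands look for is found with common-point-of-purchase analysis: take the cards the issuers have flagged, look at where each one was used in the look-back window, and rank merchants by how much more often the victims share them than the card population as a whole does. The Python below is an added example, not code or data from the slides; all cards, merchants and transactions are constructed, and it goes slightly beyond the slide by normalizing against the base rate, which is what keeps a grocer that every cardholder visits from outranking the breached restaurant.

```python
"""Common-point-of-purchase (CPP) analysis: rank merchants by how much more
often the compromised cards share them than the whole card population does.

Added example; not from the original slides.  All cards, merchants and
transactions below are constructed; card ids are tokens, not PANs.
"""
from collections import Counter

# (card, merchant) for each transaction in the look-back window.
TRANSACTIONS = [
    ("c1", "Grocer"), ("c1", "Grocer"), ("c1", "Neighborhood Restaurant"), ("c1", "Gas Mart"),
    ("c2", "Grocer"), ("c2", "Neighborhood Restaurant"),
    ("c3", "Grocer"), ("c3", "Neighborhood Restaurant"), ("c3", "Gas Mart"),
    ("c4", "Grocer"), ("c4", "Neighborhood Restaurant"), ("c4", "Coffee Shop"),
    ("c5", "Grocer"), ("c5", "Gas Mart"),
    ("c6", "Grocer"), ("c6", "Coffee Shop"),
    ("c7", "Grocer"),
    ("c8", "Grocer"), ("c8", "Gas Mart"),
]
# Cards their issuers have since reported as used fraudulently.
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Return [(merchant, compromised cards seen there, lift)] sorted by lift.

    lift = (share of compromised cards that used the merchant) /
           (share of all cards that used the merchant).
    A merchant everybody uses (the big grocer) scores 1.0 however many victims
    shopped there; the true common point scores well above 1.
    """
    pairs = set(transactions)                    # one vote per card per merchant
    all_cards = {card for card, _ in pairs}
    victims = all_cards & set(fraud_cards)
    if not victims:
        return []
    fraud_hits, all_hits = Counter(), Counter()
    for card, merchant in pairs:
        all_hits[merchant] += 1
        if card in victims:
            fraud_hits[merchant] += 1
    ranked = []
    for merchant, hits in fraud_hits.items():
        if hits < min_fraud_cards:
            continue                              # too few victims to call it
        lift = (hits / len(victims)) / (all_hits[merchant] / len(all_cards))
        ranked.append((merchant, hits, round(lift, 2)))
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for merchant, hits, lift in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{merchant:25} victims={hits} lift={lift}")
```

This is also why the dump-site "blending" mentioned later hurts the card brands: mixing cards from many breaches into one batch spreads the victims across many merchants, so no single merchant's lift stands out.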


Detection - Banks or Card Brands

• This is the most common detection method.

– Many local banks, especially credit unions, seem to pick up fraud on their own customers' accounts pretty quickly. Unfortunately they are the exception.

• Visa, MC, Amex, Discover

– All have their own proprietary monitoring systems to detect high percentages of fraud.

– 210-day average time to detection

– "Blending" of cards from multiple breaches on the dump sites is hurting their ability to detect

– Bad news: you are usually forced to hire a PFI (PCI Forensic Investigator) like me


TIMELINE: INTRUSION TO CONTAINMENT

[Chart: businesses are slow to detect; average 210 days from intrusion to detection]


INVESTIGATION AND REMEDIATION


TOP TARGET ASSETS

[Chart] Most attacked: web and mobile applications


Malware Variations

[Chart]


THE HUNT


"I rob banks... what do you do?"
- John Dillinger

"Why do I rob banks? Because that's where the money is."
- Willie Sutton

The Original "Original Gangsters"


The Hunt

Charles Williamson, a.k.a. "Guerilla Black"

Pled guilty to federal "conspiracy, unauthorized access to a protected computer to facilitate fraud, access device fraud, bank fraud, and aggravated identity theft" charges on July 9, 2013.

– To be sentenced in October 2013.


The Hunt

Christopher Schroebel, 21, a.k.a. "Junkie"

Serving 7 years for "Obtaining Information From a Protected Computer"

Captured with 84,000 credit card numbers in his possession.

Rolled on his homies.


The Hunt

David Benjamin Schrooten, a.k.a. "Fortezza"

Dutch national; head of the carding forum "Kurupt.su"

Sentenced to 12 years after pleading guilty to "Conspiracy to Commit Access Device Fraud and Bank Fraud, Access Device Fraud, Bank Fraud, Intentional Damage to a Protected Computer, and Aggravated Identity Theft."


CONCLUSION


Conclusion

• Until it is either too risky to continue or the profit is gone, financial cybercrime will continue to grow.

• The same methods used to attack businesses and institutions that hold financial data are used against those which hold classified data.

• Be proactive about protecting your assets; I don't want to see your data on Pastebin.

• Join up! If you have skills to offer your local ECTF (Secret Service Electronic Crimes Task Force), inquire about joining.


Resources

• Follow me or SpiderLabs on Twitter

– @restrictedbytes

– @spiderlabs

• Download the 2014 GSR (Global Security Report)

– https://www.trustwave.com/gsr

• Read more about your local ECTF

– www.secretservice.gov/ectf.shtml

• Visit the SpiderLabs blog

– anterior.spiderlabs.com


QUESTIONS?
