The Anatomy of a Breach - SANS

Jonathan Spruill, Senior Security Consultant, SpiderLabs

© 2013 Trustwave Holdings, Inc.


The Anatomy of a Breach- Agenda

• The Legitimate Purchase

• Attackers Penetrate and Steal

• The Black Market

• Fraud

• Detection

• Investigation and Remediation

• The Hunt

• Conclusion


The Attack Du Jour

• This presentation focuses on the theft of Cardholder Data

• Data breaches are all the same; the only thing that changes is the target data

• The means and method are a constant

• Once that has been recognized, investigative strategies can be developed to maximize response time and minimize delays


THE ATTACKS


The Attacks - POS

Remote Access

• IT companies and POS integrators often support their customers remotely; this reduces their costs and allows them to support dozens of customers from a single location.

• There are several programs available that make it very easy for IT companies to work this way.

– Microsoft Remote Desktop

– PCAnywhere

– Virtual Network Computing (VNC)

• All very popular and cheap or free.


The Attacks - POS

Remote Access

• There are several major players in the Point of Sale industry:

– Radiant/Aloha

– Micros

– PosiTouch

– Xpient

– Digital Dining

– Granbury/Firefly

• They all have simple default usernames and passwords.


The Attacks - POS

Remote Access

• Radiant/Aloha

• Micros

• PosiTouch

• Xpient

• Digital Dining

• Granbury/Firefly

• aloha:hello

• micros:micros or M1cr0s9700

• posi:posi

• support:support

• ddpos:ddpos

• term1:term1

• pos:pos


THE LEGITIMATE TRANSACTION - Neighborhood Restaurant

[Diagram: POS Register and Back of House Server, both shown with the same track data]

TXAUSTIN^SMITH$JOHN^1122 ELM ST^?;63601234567855=151077441023?


The Attacks - POS

Malware - Keyloggers

POS Register

B3421303621931843^Starscream/Jules^091010100000019301000000877000000?;3421303621931843=0910101193010877?

• The card reader is usually a simple USB device that is treated just like keyboard input.


The Attacks - POS

Malware – Memory and Process Scrapers

B3421682999620492^Roboto/Pantera^140910100000019301000000877000000

B3421133323698695^Zappa/Frank^090710100000019301000000877000000?;3421133323698695=0907101193010877?

B3421303621931843^Starscream/Jules^091010100000019301000000877000000?;3421303621931843=0910101193010877?
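An added example, not from the original presentation: a responder-side scan for track-formatted strings like the ones on these slides, for use on dump files or disk images collected during an investigation. It reports only masked numbers with a Luhn flag; the regular expressions are a simplified reading of the track 1 and track 2 layouts, and the second sample buffer is constructed.

```python
import re

# Track 1: optional '%' start sentinel, format code 'B', PAN, '^', name, '^',
# YYMM expiry + 3-digit service code, discretionary data, '?' end sentinel.
TRACK1 = re.compile(rb"%?B(\d{13,19})\^[^^\r\n]{2,26}\^\d{7}[^?\r\n]*\?")
# Track 2: ';', PAN, '=', YYMM expiry + service code, discretionary data, '?'.
TRACK2 = re.compile(rb";(\d{13,19})=\d{7}\d*\?")

# Sample line as shown on the slides (made-up cardholder).
SLIDE_SAMPLE = (
    b"B3421303621931843^Starscream/Jules^091010100000019301000000877000000?"
    b";3421303621931843=0910101193010877?"
)
# Constructed buffer: binary noise around a well-known test number, plus a
# track 2 look-alike whose number fails the Luhn check.
CONSTRUCTED = (
    b"\x00\x01noise%B4111111111111111^DOE/JANE^25121010000000000000?"
    b";4111111111111111=25121010000000000?\x00"
    b"order=;1234567890123456=99011010000?"
)


def luhn_ok(pan):
    """Luhn checksum over a digit string; used to rank hits, not to discard them."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(data):
    """Return sorted (offset, kind, masked_pan, luhn_valid) for each track-format hit."""
    hits = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(data):
            pan = m.group(1).decode("ascii")
            hits.append((m.start(), kind, mask(pan), luhn_ok(pan)))
    return sorted(hits)


if __name__ == "__main__":
    for label, buf in (("slide sample", SLIDE_SAMPLE), ("constructed", CONSTRUCTED)):
        for offset, kind, masked, valid in scan(buf):
            print("%-12s offset=%-4d %-6s %s luhn=%s" % (label, offset, kind, masked, valid))
```

The made-up numbers on the slides fail the Luhn check, so they are reported with the flag set to False; hits that pass it deserve attention first.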


MALWARE IS SERVED - Neighborhood Restaurant

[Diagram: POS Register and Back of House Server, both shown with the same track data]

TXAUSTIN^SMITH$JOHN^1122 ELM ST^?;63601234567855=151077441023?


EXAMPLE: POS MALWARE INFECTION - A Large Fast Food Franchise

• Franchise’s provider uses default username and password for POS remote access.

• Attackers gain access to a single location, then find the IP addresses for all locations.

• All locations breached. Custom malware is deployed.

• Cardholder data is harvested for 7 months before discovery.


The Attacks - Ecommerce

• Remote Access

– ColdFusion Administrator, JBOSS, phpMyAdmin

• Coding flaws

– SQL Injection

– Local and Remote File Inclusion

– Unrestricted image uploads

The attack vectors and the malware change but the point is still the same - Harvest credit cards.


The Attacks - Ecommerce

• Stored data

– Bonus for attackers!

• 1.8 million is the current Trustwave record

– Weak or no encryption in place

• Code modifications are made

– Submit sends data to a file

– Or directly out to another server

Once access is gained, malware is installed or data is collected.


THE LEGITIMATE TRANSACTION Online Clothing Retailer

John Smith

1122 Elm St

Salem’s Lot ME

63601234567855

11/16

6464


MALWARE IS SERVED Online Clothing Retailer

John Smith

1122 Elm St

Salem’s Lot ME

63601234567855

11/16

6464


EXAMPLE: E-COMMERCE DATA BREACH - Online Clothing Retailer

• Improper input validation allows the attacker to send SQL statements to the database.

• The schema is identified. Even though data is encrypted, the “decrypt” function is a stored procedure.

• A complex SQL statement decrypts the data and outputs it to a file in the “images” directory, encoded and renamed.

• Attackers navigate to the “images” directory and export the harvested data.
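An added example, not part of the original slides: a defender-side check for the staging step in this breach, where the exported data sits in the web “images” directory under a renamed file. It flags any file whose leading bytes do not match the image type its name claims; the extension allowlist and file names are assumptions, and the sample files are constructed.

```python
import os
import tempfile

# Leading "magic" bytes for the image types this hypothetical storefront serves.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def classify(path):
    """Return None if the file looks like the image its name claims, else a reason."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return "unexpected extension %r" % ext
    with open(path, "rb") as fh:
        head = fh.read(16)
    if not any(head.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return "content does not match %s signature" % ext
    return None


def audit_images_dir(root):
    """Walk root and return sorted (relative_path, reason, size) for each suspect file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root)
                findings.append((rel, reason, os.path.getsize(full)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: two genuine image headers and two suspect files."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        # Base64 text saved under an image name, like the encoded, renamed export.
        "thumb_0412.jpg": b"Q09OU1RSVUNURUQgU0FNUExFIFJPV1M=\n" * 4,
        "cache.dat": b"constructed sample\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_images_dir(root)


if __name__ == "__main__":
    for rel, reason, size in demo():
        print("%-16s %6d bytes  %s" % (rel, size, reason))
```

Run on a schedule against the real web root, a check like this turns a renamed export into an alert instead of something found months later.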


THE BLACK MARKET


The Black Market

The black market for credit card data is flourishing

• Google “carding forum”

– The first 15 or so pages are hits for sites where you can create an account, search for the type of cards you want to purchase (Amex, Visa, MC…), and purchase the data for between $5 and $50.

– The big sites have started blending massive amounts of cards from huge stored data breaches to make detection more difficult.


“DUMPS” BUSINESS CYCLE

[Diagram; nodes shown: Hackers, Card Processor Database, Major Retailer Database, Major Dumps Vendors, Resellers, Street-level Customers]


No Shortage of Dumps Vendors


Dump Sites

C13.cc


BadB’s fully automated dumps vending website


AUTOMATING STOLEN CARD SALES


Plastics

Counterfeit Plastics


Plastics

So you bought yourself some track data and some nice plastic? Now what?


FRAUD


Fraud

Card Present

• Sophisticated carders will have a fake ID made and will use a high-limit card. High-end electronics are a favorite.

– Usually high-end goods that can be easily sold again on eBay, Amazon, Craigslist, etc.

• Ever seen that innocent-sounding ad on Craigslist: “I received 2 iPads for Christmas, selling one at a slight discount”?

– Carder

• “My new roommate has the same brand-new Xbox as me, need to sell one”

– Carder


Fraud

Card Not Present

• Another big scam related to CNP fraud is to run an eBay shop selling big heavy electronics like TVs at a discount.

– Shopper buys product that the carder on the other end doesn’t actually have.

• Carder makes fraudulent purchase from legitimate business like Best Buy and ships directly to unwitting eBay buyer who gets a beautiful brand new TV.

– Airline tickets

• Another big CNP purchase, always for hot destinations like LAX to Honolulu.

– “I bought these First Class tickets and now my wife and I can’t go, please buy them at a discount”


Fraud-ATM

ATM Cashouts

• Particularly nasty breach of a prepaid card provider

– Globally orchestrated event

– Direct attacker access to cash

– Attackers maintained total control over a provider database and manipulated balances and accounts over a holiday weekend.

– Access to balances, account numbers, TRACK DATA, PIN reset system

– Simple attack utilizing SQL Injection (OWASP #1)

– Millions and millions in multiple currencies stolen


Fraud-ATM - Profile of an ATM Cash Out Attack

[Map; countries labelled: Mexico, U.S., Canada, Dominican Republic, UK, Russia, UAE, Japan, Estonia, Latvia, Italy, Germany, Ukraine, Pakistan, Sri Lanka, Spain, Egypt, Belgium, Romania, Thailand, Malaysia, Indonesia]


PLAYERS


Threat Landscape


Dimitri Golubov


Max Butler

$2,000,000 in credit card theft

Sentenced to 13 years in prison


Albert Gonzalez

$170,000,000 in credit card and ATM fraud

Sentenced to 20 years in prison


Lin Min Poo

Egor Shevelev

Dimitri Smilianets

Brian Salcedo


DETECTION


Detection Percentages


Detection - Self

Least common (only 24% of the time)

• Customer spots malware or a lot of customers come in saying their cards were stolen right after a stay/meal/beer.

– Rare for a customer or antivirus to detect card-stealing malware

– Even rarer for customers to accurately say which business is leaking their data.


Detection-Law Enforcement

Somewhat common

• Law Enforcement receives enough complaints about a specific business to identify a Common Point, or another case leads to a jump server and good old-fashioned police work identifies more victim businesses.

– Significantly more common than self-detection

– Usually much faster than detection by the banks or card brands


Detection- Banks or Card Brands

• This is the most common detection method

– Many local banks, especially Credit Unions, seem to pick up fraud on their own customers’ accounts pretty quickly. Unfortunately they are the exception.

• Visa, MC, Amex, Discover

• All have their own proprietary monitoring systems to detect high percentages of fraud.

– 210 day average time to detection

– Attack “blending” on the dump sites is hurting their ability to detect

– Bad news: you are usually forced to hire me as a PFI


TIMELINE: INTRUSION TO CONTAINMENT

AVERAGE: 210 DAYS TO DETECTION

Businesses Slow to Detect


INVESTIGATION AND REMEDIATION


Most Attacked:

Web & Mobile Applications

TOP TARGET ASSETS


Malware Variations


THE HUNT


“I rob banks…what do you do?”

- John Dillinger

“Why do I rob banks?

Because that’s where the money is.”

- Willie Sutton

The Original “Original Gangsters”


The Hunt

Charles Williamson

A.K.A. “Guerilla Black”

Pled guilty to federal “Conspiracy, unauthorized access to a protected computer to facilitate fraud, access device fraud, bank fraud, and aggravated identity theft” charges on July 9, 2013

– To be sentenced in October 2013.


The Hunt

Christopher Schroebel - 21

A.K.A. “Junkie”

Serving 7 years for “Obtaining Information From a Protected Computer”

Captured with 84,000 credit card numbers in his possession.

Rolled on his homies


The Hunt

David Benjamin Schrooten

A.K.A. “Fortezza”

Dutch National

Head of the carding forum “Kurupt.su”

Sentenced to 12 years after pleading guilty to “Conspiracy to Commit Access Device Fraud and Bank Fraud, Access Device Fraud, Bank Fraud, Intentional Damage to a Protected Computer, and Aggravated Identity Theft.”


CONCLUSION


Conclusion

• Until it is either too risky to continue or the profit is gone, financial cybercrime will continue to grow.

• The same methods used to attack businesses and institutions that hold financial data are used against those which hold classified data.

• Be proactive about protecting your assets; I don’t want to see your data on Pastebin.

• Join up! If you have skills to offer your local ECTF, inquire about joining.


Resources

• Follow me or SpiderLabs on Twitter

– @restrictedbytes

– @spiderlabs

• Download the 2014 GSR

– https://www.trustwave.com/gsr

• Read more about your local ECTF

– www.secretservice.gov/ectf.shtml

• Visit the SpiderLabs blog

– anterior.spiderlabs.com


QUESTIONS?