Post on 05-May-2018
transcript
© 2013 Trustwave Holdings, Inc. 1
Jonathan Spruill
Senior Security Consultant, SpiderLabs
The Anatomy of a Breach Smart security on demand
The Anatomy of a Breach - Agenda
• The Legitimate Purchase
• Attackers Penetrate and Steal
• The Black Market
• Fraud
• Detection
• Investigation and Remediation
• The Hunt
• Conclusion
The Attack Du Jour
• This presentation focuses on the theft of Cardholder Data
• Data breaches are all the same; the only thing that changes is the target data
• The means and method are a constant
• Once that has been recognized, investigative strategies can be developed to maximize response time and minimize delays
THE ATTACKS
The Attacks - POS
Remote Access
• IT companies and POS integrators often support their customers remotely; this reduces their costs and allows them to support dozens of customers from a single location.
• There are several programs available that make it very easy for IT companies to work this way:
– Microsoft Remote Desktop
– PCAnywhere
– Virtual Network Connection (VNC)
• All very popular and cheap or free.
The Attacks - POS
Remote Access
• There are several major players in the Point of Sale industry:
– Radiant/Aloha
– Micros
– PosiTouch
– Xpient
– Digital Dining
– Granbury/Firefly
• By default, they all have simple default usernames and passwords.
The Attacks - POS
Remote Access
• Vendors: Radiant/Aloha, Micros, PosiTouch, Xpient, Digital Dining, Granbury/Firefly
• Default username:password pairs:
– aloha:hello
– micros:micros or M1cr0s9700
– posi:posi
– support:support
– ddpos:ddpos
– term1:term1
– pos:pos
THE LEGITIMATE TRANSACTION - Neighborhood Restaurant
POS Register -> Back of House Server
Track data seen at both the register and the back-of-house server:
TXAUSTIN^SMITH$JOHN^1122 ELM ST^?;63601234567855=151077441023?
The Attacks - POS
Malware - Keyloggers
POS Register
B3421303621931843^Starscream/Jules^091010100000019301000000877000000?;3421303621931843=0910101193010877?
• Card reader is usually a simple USB device that is treated just like keyboard input, so a keylogger on the register captures the swipe as it would any typed text.
The Attacks - POS
Malware – Memory and Process Scrapers
B3421682999620492^Roboto/Pantera^140910100000019301000000877000000
B3421133323698695^Zappa/Frank^090710100000019301000000877000000?;3421133323698695=0907101193010877?
B3421303621931843^Starscream/Jules^091010100000019301000000877000000?;3421303621931843=0910101193010877?
MALWARE IS SERVED - Neighborhood Restaurant
POS Register -> Back of House Server
The same track data, now exposed to the malware on the register and server:
TXAUSTIN^SMITH$JOHN^1122 ELM ST^?;63601234567855=151077441023?
EXAMPLE: POS MALWARE INFECTION - A Large Fast Food Franchise
• Franchise’s provider uses default username and password for POS remote access.
• Attackers gain access to a single location, then find IP addresses for all locations.
• All locations breached. Custom malware is deployed.
• Cardholder data is harvested for 7 months before discovery.
The Attacks - Ecommerce
• Remote Access
– ColdFusion Administrator, JBOSS, phpMyAdmin
• Coding flaws
– SQL Injection
– Local and Remote File Inclusion
– Unrestricted image uploads
The attack vectors and the malware change, but the point is still the same: harvest credit cards.
The Attacks - Ecommerce
• Stored data
– Bonus for attackers!
• 1.8 million is the current Trustwave record
– Weak or no encryption in place
• Code modifications are made
– Submit sends data to a file
– Or directly out to another server
Once access is gained, malware is installed or data is collected.
THE LEGITIMATE TRANSACTION - Online Clothing Retailer
John Smith
1122 Elm St
Salem’s Lot ME
63601234567855
11/16
6464
MALWARE IS SERVED - Online Clothing Retailer
John Smith
1122 Elm St
Salem’s Lot ME
63601234567855
11/16
6464
EXAMPLE: E-COMMERCE DATA BREACH - Online Clothing Retailer
• Improper input validation allows the attacker to send SQL statements to the database.
• The schema is identified. Even though data is encrypted, the “decrypt” function is a stored procedure.
• A complex SQL statement decrypts the data and outputs it to a file in the “images” directory, encoded and renamed.
• Attackers navigate to the “images” directory and export the harvested data.
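As an added example (not from this deck or from Trustwave), a scanner a responder can run over a suspect staging location such as the “images” directory from the e-commerce case. It matches the Track 1/Track 2 layout shown on the memory-scraper slide, applies a Luhn check to separate real PANs from dummy or random digit runs, masks what it reports, and also tries a base64 decode because staged data is often encoded. The sample input is constructed: one well-known Luhn-valid test PAN plus the slide’s dummy record.

```python
import base64, binascii, re
from pathlib import Path

# Track 1 (%B<PAN>^<NAME>^<YYMM>...) and Track 2 (;<PAN>=<YYMM>...) in the layout the slides show.
TRACK1 = re.compile(rb"%?B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")

# Constructed sample: a well-known Luhn-valid test PAN, then the (Luhn-invalid) dummy record from the slides.
SAMPLE_STAGED = (
    b"%B4111111111111111^DOE/JANE^25121010000000000000?;4111111111111111=25121010000000000000?\n"
    b"B3421303621931843^Starscream/Jules^091010100000019301000000877000000?"
    b";3421303621931843=0910101193010877?\n"
)
SAMPLE_STAGED_B64 = base64.b64encode(SAMPLE_STAGED)  # the "encoded and renamed" staging-file case

def luhn_ok(pan: str) -> bool:
    # Mod-10 check: real PANs pass it, most random digit runs (and the slide's dummy data) do not.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:
    # Never copy full PANs into your own findings; keep the last four digits only.
    return "*" * (len(pan) - 4) + pan[-4:]

def find_track_data(buf: bytes) -> list:
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "pan": mask(pan), "exp": m.group(3).decode(), "luhn": luhn_ok(pan)})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "pan": mask(pan), "exp": m.group(2).decode(), "luhn": luhn_ok(pan)})
    return hits

def scan_blob(blob: bytes) -> list:
    # Scan the raw bytes, then the same bytes base64-decoded (assumes the whole file is one encoded blob).
    hits = find_track_data(blob)
    try:
        hits += find_track_data(base64.b64decode(b"".join(blob.split()), validate=True))
    except (binascii.Error, ValueError):
        pass  # not base64, so nothing more to try
    return hits

def scan_dir(root: str) -> dict:
    # Map every file under root (e.g. a web root's images/ folder) to its track-data hits.
    return {str(p): h for p in Path(root).rglob("*") if p.is_file() and (h := scan_blob(p.read_bytes()))}
```

A structural hit with a failing Luhn check is usually test data or coincidence; a Luhn-valid hit in a directory that should only hold images is the finding worth escalating.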
THE BLACK MARKET
The Black Market
• Google “carding forum”
– The first 15 or so pages are hits for sites where you can create
an account, search for the type of cards you want to purchase
(Amex, Visa, MC…), and purchase the data for between $5
and $50.
– The big sites have started blending massive amounts of cards
from huge stored data breaches to make detection more
difficult.
The black market for credit card data is flourishing
“DUMPS” BUSINESS CYCLE
Hackers (stealing from Card Processor Databases and Major Retailer Databases) -> Major Dumps Vendors -> Resellers -> Street-level Customers
No Shortage of Dumps Vendors
Dump Sites
C13.cc
BadB’s fully automated dumps vending website
AUTOMATING STOLEN CARD SALES
Plastics
Counterfeit Plastics
Plastics
So you bought yourself some track data and some nice plastic? Now what?
FRAUD
Fraud
Card Present
• Sophisticated carders will have a fake ID made and will use a high limit card. High end electronics are a favorite.
– Usually high end goods that can be easily sold again on Ebay, Amazon, Craigslist, etc.
• Ever seen that innocent sounding ad on Craigslist: “I received 2 iPads for Christmas, selling one at a slight discount”?
– Carder
• “My new roommate has the same brand-new Xbox as me, need to sell one”
– Carder
Fraud
Card Not Present
• Another big scam related to CNP fraud is to run an Ebay shop selling big heavy electronics like TVs at a discount.
– Shopper buys a product that the carder on the other end doesn’t actually have.
– Carder makes a fraudulent purchase from a legitimate business like Best Buy and ships directly to the unwitting Ebay buyer, who gets a beautiful brand new TV.
• Airline tickets: another big CNP purchase, always for hot destinations like LAX to Honolulu.
– “I bought these First Class tickets and now my wife and I can’t go, please buy them at a discount”
Fraud - ATM
ATM Cashouts
• Particularly nasty breach of a prepaid card provider
– Globally orchestrated event
– Direct attacker access to cash
– Attackers maintained total control over a provider database and manipulated balances and accounts over a holiday weekend.
– Access to balances, account numbers, TRACK DATA, PIN reset system
– Simple attack utilizing SQL Injection (OWASP #1)
– Millions and millions in multiple currencies stolen
Fraud - ATM: Profile of an ATM Cash Out Attack
Countries shown: Mexico, U.S., Canada, Dominican Republic, UK, Russia, UAE, Japan, Estonia, Latvia, Italy, Germany, Ukraine, Pakistan, Sri Lanka, Spain, Egypt, Belgium, Romania, Thailand, Malaysia, Indonesia
PLAYERS
Threat Landscape
Dimitri Golubov
Threat Landscape
Max Butler
$2,000,000 in credit card theft
Sentenced to 13 years in prison
Threat Landscape
Albert Gonzalez
$170,000,000 in credit card and ATM fraud
Sentenced to 20 years in prison
Threat Landscape
Lin Min Poo
Egor Shevelev
Dimitri Smilianets
Brian Salcedo
DETECTION
Detection Percentages
Detection - Self
Least common (only 24% of the time)
• Customer spots malware, or a lot of customers come in saying their cards were stolen right after a stay/meal/beer.
– Rare for a customer or antivirus to detect card stealing malware
– Even rarer for customers to accurately say which business is leaking their data.
Detection - Law Enforcement
Somewhat common
• Law Enforcement receives enough complaints about a specific business to identify a Common Point, or another case leads to a jump server and good old-fashioned police work identifies more victim businesses.
– Significantly more common than self-detection
– Usually much faster than the banks’ or card brands’ detection
Detection - Banks or Card Brands
• This is the most common detection method
– Many local banks, especially Credit Unions, seem to pick up fraud on their own customers’ accounts pretty quickly. Unfortunately they are the exception.
• Visa, MC, Amex, Discover
• All have their own proprietary monitoring systems to detect high percentages of fraud.
– 210 day average time to detection
– Attack “blending” on the dump sites is hurting their ability to detect
– Bad news: you are usually forced to hire me as a PFI
TIMELINE: INTRUSION TO CONTAINMENT
AVERAGE: 210 DAYS TO DETECTION
Businesses Slow to Detect
INVESTIGATION AND REMEDIATION
TOP TARGET ASSETS
Most Attacked: Web & Mobile Applications
Malware Variations
THE HUNT
The Original “Original Gangsters”
“I rob banks…what do you do?”
- John Dillinger
“Why do I rob banks? Because that’s where the money is.”
- Willie Sutton
The Hunt
Charles Williamson, A.K.A. “Guerilla Black”
Pled guilty to federal “Conspiracy, unauthorized access to a protected computer to facilitate fraud, access device fraud, bank fraud, and aggravated identity theft” charges on July 9, 2013
– To be sentenced in October 2013.
The Hunt
Christopher Schroebel, 21, A.K.A. “Junkie”
Serving 7 years for “Obtaining Information From a Protected Computer”
Captured with 84,000 credit card numbers in his possession.
Rolled on his homies
The Hunt
David Benjamin Schrooten, A.K.A. “Fortezza”
Dutch national
Head of the carding forum “Kurupt.su”
Sentenced to 12 years after pleading guilty to “Conspiracy to Commit Access Device Fraud and Bank Fraud, Access Device Fraud, Bank Fraud, Intentional Damage to a Protected Computer, and Aggravated Identity Theft.”
CONCLUSION
Conclusion
• Until it is either too risky to continue or the profit is gone, financial cybercrime will continue to grow.
• The same methods used to attack businesses and institutions that hold financial data are used against those which hold classified data.
• Be proactive about protecting your assets; I don’t want to see your data on pastebin.
• Join up! If you have skills to offer your local ECTF, inquire about joining.
Resources
• Follow me or the Spiderlabs on Twitter
– @restrictedbytes
– @spiderlabs
• Download the 2014 GSR
– https://www.trustwave.com/gsr
• Read more about your local ECTF
– www.secretservice.gov/ectf.shtml
• Visit the Spiderlabs blog
– anterior.spiderlabs.com
QUESTIONS?