A Peek Into the Carding Underground
Transcription
A Peek Into the Carding Underground
2015 CLM Arizona Chapter Educational & Networking Event
Grayson Lenik, Director, Incident Response and Digital Forensics, Nuix Cyber Threat Analysis Team
June 17, 2015, The Phoenician Resort
www.theclm.org
5/26/2015

Bio
• Speaker at DEFCON 19, SECTOR 2011-2014, ECSAP, NetDiligence Cyber Risk Forum, and many others.
• Member of the LA and Seattle Secret Service Electronic Crimes Task Force (ECTF)
• Trained local, federal and international law enforcement agencies in digital forensics practice and methodology.
• GIAC Certified Forensic Analyst (GCFA), Microsoft Certified Systems Engineer (MCSE), Qualified Security Assessor (QSA)
• Author of the digital forensics blog “An Eye on Forensics”

Agenda
• The Legitimate Purchase
• Attacks in Action
• The Black Market
• The Grey Market
• Conclusion

Legitimate Transactions – Trust Issues
Your neighborhood bar or restaurant
• When we hand over our cards, we trust that the merchants have taken reasonable precautions to protect data and vet their employees.
• In reality, they are in the business of preparing and serving meals and drinks.
• And sometimes skimming credit cards.
(Diagram: the same track data string is shown at the POS Register and again at the Back of House Server.)
TXAUSTIN^SMITH$JOHN^1122 ELM ST ^?;63601234567855=151077441023?

Outdated Tech
• Restaurant managers are not IT security professionals.
• Neither are (most of) the people hired to set up POS systems.

Magstripe Data
• Track Data: TXAUSTIN^SMITH$JOHN^1122 ELM ST ^?;63601234567855=151077441023?
• The data recorded on the magnetic stripe on the back of every payment card.
• With it, you can create counterfeit cards using simple hardware and software.
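The magstripe slide shows what Track 1 and Track 2 data look like, and a later slide quotes PCI DSS Requirement 3.2, which forbids keeping that data after authorization. The first thing a QSA or incident responder does with a log directory, a database dump or a POS memory capture is search it for exactly these strings. The scanner below is an added example written for this transcription, not code from the presentation or from Nuix: it finds Track 1 and Track 2 shaped strings, Luhn-checks the account number to separate real card data from digit noise, and reports only a masked PAN so the findings file is not itself a 3.2 violation. The sample dump is constructed; 4111111111111111 and 378282246310005 are the widely published Visa and American Express test numbers, 4111111111111112 is a deliberately broken check digit, and the last line reuses the slide's own demo string, which is not Luhn-valid and so is reported as track-shaped but unverified.

```python
import re
from dataclasses import dataclass

# Track 2 layout: ;PAN=YYMM SSS discretionary?   (SSS is the three-digit service code)
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\?"
)
# Track 1 layout (format code B): %B PAN ^ NAME ^ YYMM SSS discretionary?
# Scraped copies often lose the leading %, so it is optional here.
TRACK1_RE = re.compile(
    r"%?B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]{0,60})\?"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test; issued PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets a report display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    offset: int       # byte/char offset in the scanned blob
    track: int        # 1 or 2
    pan_masked: str
    expiry: str       # MM/YY, converted from the YYMM on the stripe
    luhn_ok: bool
    name: str = ""    # Track 1 only


def scan_text(blob: str) -> list[Finding]:
    """Return every track-shaped string in blob, ordered by position."""
    findings = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(blob):
            pan, exp = m.group("pan"), m.group("exp")
            findings.append(Finding(
                offset=m.start(),
                track=track,
                pan_masked=mask_pan(pan),
                expiry=f"{exp[2:]}/{exp[:2]}",
                luhn_ok=luhn_valid(pan),
                name=m.groupdict().get("name") or "",
            ))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: what a careless POS or shopping-cart debug log might contain.
SAMPLE_DUMP = (
    '2015-05-26 10:14:03 order=1001 cust="John Smith" swipe=;4111111111111111=1611101000000000?\n'
    "2015-05-26 10:15:11 order=1002 swipe=%B378282246310005^DOE/JANE^1512101000000000000?\n"
    "2015-05-26 10:16:00 order=1003 total=42.10 status=approved\n"
    "debug: ;4111111111111112=1611101000000000?\n"
    "note: demo string from the slide ;63601234567855=151077441023?\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DUMP):
        status = "luhn ok" if f.luhn_ok else "luhn FAILED (track-shaped, unverified)"
        print(f"offset {f.offset:4d}  track {f.track}  {f.pan_masked}  exp {f.expiry}  {f.name!r}  {status}")
```

Two design choices matter in practice. Findings are not discarded when the Luhn check fails, because a scanner that silently drops them would also hide the slide's kind of demo or test data sitting in production logs; they are reported with `luhn_ok=False` so an analyst can triage them. And the report never contains the full PAN: a findings file with clear-text card numbers would have to be handled as cardholder data itself.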
Legitimate Transactions – Ecommerce
• More than 1.2 trillion $USD in 2013
• 40% of worldwide internet users purchase online
(Sample checkout form: John Smith, 1122 Elm St, Salem’s Lot, ME; card 63601234567855, expiry 11/16, security code 6464)
Source: http://www.statista.com/markets/413/e-commerce/

System Administration 101
• Ecommerce web servers are often built quickly
• Difficult to customize
• Once it’s “right”, never touched again
• Proliferation of free (see: buggy) shopping cart software

PCI Compliance
• Requirement 3.2: “Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.”
• Personal record – 1.8 million unique records in a single database.

CVV2/CID/CVC2
• Printed 3 or 4 digit numbers on the front or back of the card
• Needed for online shopping (card not present) transactions.
• With it, you don’t even need a counterfeit card, just the account number and expiration.

The Attacks - POS Remote Access
• IT companies and POS integrators often support their customers remotely; this reduces their costs and allows them to support dozens of customers from a single location.
• There are several programs available that make it very easy for IT companies to work this way.
  – Microsoft Remote Desktop
  – PCAnywhere
  – Virtual Network Connection (VNC)
• All very popular and cheap or free.

The Attacks - POS
• There are several major players in the Point of Sale industry
  – Radiant/Aloha
  – Micros
  – PosiTouch
  – Xpient
  – Digital Dining
  – Granbury/Firefly
• By default, they all have simple default usernames and passwords.

Malware – Memory and Process Scrapers
Track data string shown on the slide:
B3421303621931843^Starscream/Jules^091010100000019301000000877000000?;3421303621931843=0910101193010877?
Default credentials (continuing the POS slide):
aloha:hello
micros:micros or M1cr0s9700
posi:posi
support:support
ddpos:ddpos
term1:term1 or pos:pos

Further track data strings shown on the scraper slide:
B3421682999620492^Roboto/Pantera^140910100000019301000000877000000
B3421133323698695^Zappa/Frank^090710100000019301000000877000000?;3421133323698695=0907101193010877?

The Attacks - Ecommerce
The attack vectors and the malware change but the point is still the same: harvest credit cards.
Once access is gained, malware is installed or data is collected.
• Remote Access
  – ColdFusion Administrator, JBOSS, phpMyAdmin
• Coding flaws
  – SQL Injection
  – Local and Remote File Inclusion
  – Unrestricted image uploads
• Stored data – bonus for attackers!
  – Weak or no encryption in place
  – “encrypt_db.php”
• Code modifications are made
  – Submit sends data to a file
  – Or directly out to another server

The Black Market
The black market for credit card data is flourishing
• Google “carding forum”
  – The first 15 or so pages are hits for sites where you can create an account, search for the type of cards you want to purchase (Amex, Visa, MC…), and purchase the data for between $5 and $50.
  – The big sites have started blending massive amounts of cards from huge stored data breaches to make detection more difficult.
(Screenshots: C13.cc)

The Grey Market
Counterfeit Plastics
So you bought yourself some track data and some nice plastic? Now what?

Q&A

THANK YOU!
Grayson Lenik
Director, DFIR, Nuix Cyber Threat Analysis
Grayson.lenik@nuix.com
@handlefree
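The ecommerce attack slides end with the quiet part of a cart compromise: the checkout submit handler is edited so that it also writes card data to a file or ships it to another server, and an unrestricted image upload leaves a script where only images should be. Both leave a trace that a file-integrity baseline catches. The script below is an added example for this transcription, not code from the presentation or from any of the products named on the slides. It hashes the script and page files under a web root, stores the result as a baseline, and reports files that were modified, added or removed on the next run; the toy shop directory, its file names and the tampering are all constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# File types whose change on a shop server deserves an alert (constructed list for this example).
WATCHED_SUFFIXES = {".php", ".js", ".html", ".htm", ".cfm", ".jsp", ".asp", ".aspx"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path) -> dict[str, str]:
    """Map every watched file (relative POSIX path) under webroot to its digest."""
    return {
        p.relative_to(webroot).as_posix(): file_digest(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two baselines into the three lists an analyst acts on."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a toy shop, then change it the way the slide describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "images").mkdir()
        submit = root / "checkout" / "submit.php"
        submit.write_text("<?php process_order($_POST); ?>\n")
        (root / "index.html").write_text("<html>shop</html>\n")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        baseline = build_baseline(root)

        # Change 1: the checkout handler is edited (constructed stand-in for injected code).
        submit.write_text("<?php /* constructed: extra code appended here */ process_order($_POST); ?>\n")
        # Change 2: a script turns up in the image upload directory.
        (root / "images" / "upload.php").write_text("<?php /* constructed unexpected file */ ?>\n")
        # Noise: an image is replaced; the watch list deliberately ignores it.
        (root / "images" / "logo.png").write_bytes(b"\x89PNG different constructed bytes")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real server the baseline must be written somewhere the web server account cannot reach, ideally off the host, because an attacker who can edit `submit.php` can just as easily edit a baseline file sitting beside it; the comparison is then run from that trusted copy on a schedule, and "modified" hits on checkout or payment pages go straight to incident response rather than to the sysadmin who last touched the box when it was "right".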