A Peek Into the Carding Underground A Peek Into the Carding

5/26/2015
A Peek Into the Carding
Underground
A Peek Into the Carding
Underground
2015 CLM Arizona Chapter Educational &
Networking Event
Grayson Lenik
Director, Incident Response and Digital Forensics
Nuix, Cyber Threat Analysis Team
June 17, 2015
The Phoenician Resort
www.theclm.org
Bio
•
Agenda
Speaker at DEFCON 19, SECTOR 2011-2014, ECSAP, NetDiligence Cyber
•
•
•
•
•
Risk Forum, and many others.
•
Member of the LA and Seattle Secret Service Electronic Crimes Task Force
(ECTF)
•
Trained Local, Federal and International Law Enforcement Agencies in
digital forensics practice and methodology.
•
The Legitimate Purchase
Attacks in Action
The Black Market
The Grey Market
Conclusion
GIAC Certified Forensic Analyst (GCFA), Microsoft Certified Systems
Engineer (MCSE), Qualified Security Assessor (QSA)
•
Author of the Digital Forensics blog “An Eye on Forensics”
www.theclm.org
www.theclm.org
Legitimate Transactions
Trust Issues
Your neighborhood bar or restaurant
• When we hand over our cards, we trust that the merchants
have taken reasonable precautions to protect data and vet
their employees.
• In reality, they are in the business of preparing and serving
meals and drinks.
• And sometimes skimming credit cards.
TXAUSTIN^SMITH$JOHN^1122 ELM ST
^?;63601234567855=151077441023?
POS Register
TXAUSTIN^SMITH$JOHN^1122 ELM ST
^?;63601234567855=151077441023?
Back of House Server
www.theclm.org
5
www.theclm.org
1
5/26/2015
Outdated Tech
Magstripe Data
• Restaurant Managers are not IT Security professionals.
• Neither are (most) of the people hired to set up POS systems.
• Track Data
TXAUSTIN^SMITH$JOHN^1122 ELM ST ^?;63601234567855=151077441023?
• The data recorded on the magnetic stripe on the
back of every payment card.
• With it, you can create counterfeit cards using simple
hardware and software.
www.theclm.org
www.theclm.org
Legitimate Transactions
Ecommerce
Ecommerce
• More than 1.2 trillion $USD in 2013
John Smith
1122 Elm St
Salem’s Lot ME
• 40% of worldwide internet users purchase online
63601234567855
11/16
6464
http://www.statista.com/markets/413/e-commerce/
www.theclm.org
www.theclm.org
9
System Administration 101
PCI Compliance
• Ecommerce web servers are often built quickly
• Requirement 3.2 “Do not store sensitive
authentication data after authorization (even
if encrypted). If sensitive authentication data
is received, render all data unrecoverable
upon completion of the authorization
process.”
• Personal Record – 1.8 Million unique records
in a single database.
• Difficult to customize
• Once it’s “right”, never touched again
• Proliferation of free (see:buggy) shopping cart
software
www.theclm.org
www.theclm.org
2
5/26/2015
CVV2/CID/CVC2
The Attacks - POS
Remote Access
• Printed 3 or 4 digit numbers on the front or back of
the card
• Needed for online shopping (card not present)
transactions.
•
IT companies and POS Integrators often support their customers remotely, this
reduces their costs and allows them to support dozens of customers from a
single location.
•
There are several programs available that make it very easy for IT companies to
work this way.
• Microsoft Remote Desktop
• PCAnywhere
• Virtual Network Connection (VNC)
• With it, you don’t even need a counterfeit card, just
the account number and expiration.
•
All very popular and cheap or free.
www.theclm.org
The Attacks - POS
www.theclm.org
14
www.theclm.org
16
The Attacks - POS
Remote Access
Malware – Memory and Process Scrapers
• There are several major players in the Point of Sale industry
•
By default, they all have simple default usernames and passwords.
•
•
•
•
•
•
Radiant/Aloha
Micros
PosiTouch
Xpient
Digital Dining
Granbury/Firefly
B3421303621931843^Starscream/Jules^091010100000019
301000000877000000?;3421303621931843=0910101193010
877?
aloha:hello
micros:micros or M1cr0s9700
posi:posi
support:support
ddpos:ddpos
term1:term1 or pos:pos
B3421682999620492^Roboto/Pantera^140910100000019
301000000877000000
B3421133323698695^Zappa/Frank^0907101000000193010
00000877000000?;3421133323698695=0907101193010877
?
www.theclm.org
15
The Attacks - Ecommerce
The Attacks - Ecommerce
The attack vectors and the malware change but the point is
still the same - Harvest credit cards.
Once access is gained, malware is installed or data is
collected.
• Remote Access
• Stored data
– ColdFusion Administrator, JBOSS, phpMyAdmin
– Bonus for attackers!
– Weak or no encryption in place
• “encrypt_db.php”
• Coding flaws
– SQL Injection
– Local and Remote File Inclusion
– Unrestricted image uploads
• Code modifications are made
– Submit sends data to a file
– Or directly out to another server
www.theclm.org
17
www.theclm.org
18
3
5/26/2015
The Black Market
The Black Market
The black market for credit card data is flourishing
C13.cc
• Google “carding forum”
– The first 15 or so pages are hits for sites where you can create an
account, search for the type of cards you want to purchase (Amex,
Visa, MC…), and purchase the data for between $5 and $50.
– The big sites have started blending massive amounts of cards from
huge stored data breaches to make detection more difficult.
www.theclm.org
19
The Black Market
www.theclm.org
20
www.theclm.org
22
The Grey Market
C13.cc
Counterfeit Plastics
www.theclm.org
21
Q&A
The Grey Market
So you bought yourself some track data and some nice
plastic? Now what?
THANK YOU!
Grayson Lenik
Director, DFIR
Nuix Cyber Threat Analysis
[email protected]
@handlefree
www.theclm.org
23
www.theclm.org
4