HP Security Research Threat Intelligence Briefing episode 12 - The evolution of credit card crime

Matt Oh – Senior Malware Researcher

In this month's Threat Briefing, we look into credit card crime. You can listen to this episode of the HP Threat Intelligence Briefing Podcast on the Web or iTunes, and read or download the detailed companion report here.

Most of us carry magnetic stripe cards in our wallets and use them to pay for goods and services. Each transaction is reduced to packets of ones and zeros and sent across a network. The problem is that the stripe is far too easy to duplicate. The information stored on a credit card is static: it does not change after the card is mailed to you by the issuer. Every time you swipe, that same data travels through the merchant's POS terminal, the merchant's network and the card processing networks.

The recent Target breach is a reminder that none of us are safe from credit card criminals. Looking back over the last ten years or so, the Target attack is actually nothing new: attacks on card processing networks and POS systems have been going on since the mid-2000s. The credit card crime forum ShadowCrew (established in 2002) collapsed with "Operation Firewall" in 2004. [1] New players quickly took its place, the most infamous being Max Butler and the Albert Gonzalez gang. While Max Butler concentrated on the POS systems of small restaurants, the Albert Gonzalez gang went after large merchants and processors such as T.J. Maxx, Dave & Buster's, Target, Hannaford Bros. Co. and Heartland Payment Systems. [2] [3]

fig1.png

Figure 1. Credit card fraud scene (2002-2009)

After 2010 the trend continued with the Drinkman and Smilianets gang. Among the many networks they breached, they were responsible for the 2012 Global Payments breach, estimated to have compromised between 1.5 million and 7 million card accounts. [4] [5]

fig2.png

Figure 2. Credit card fraud scene (2010-2013)

One thing to note about these breaches is that the attacks evolved as the defenses did. Max Butler was known to use a range of penetration-testing skills to break into competitors' networks and POS systems [2]: OS and application exploits, SQL injection and customized malware. [2] He could find most of the transaction records stored unencrypted. [2] The Albert Gonzalez gang relied mainly on SQL injection for their intrusions and used packet sniffers to collect card data from unencrypted network traffic. [6] [7] The Drinkman and Smilianets gang had been part of the Albert Gonzalez gang and used similar techniques. [4] The Target attack in late 2013 had a slightly different modus operandi: memory scraping was used to grab card data from the memory of running POS applications. This is likely a response to the Payment Card Industry (PCI) standard forbidding the transmission of unencrypted transaction records over the network. Sniffing the wire no longer yields cleartext track data, but the POS application still has to hold it unencrypted in memory while it processes the swipe, and that is the window a memory scraper exploits.

The evolution of credit card crime shows that POS security needs to change. The equipment needed to read and write magnetic stripes used to be a barrier to entry; it is now cheap and readily available to anyone willing to commit the crime. Memory scraping has become the new trend, and there is no easy way to defend against it, because the magnetic stripe data is decrypted at some point in the process and sits in cleartext in the POS application's memory while it is being processed. This limitation of magnetic stripe technology, and the history of cat and mouse between the card industry and the criminals, tells us that it is time to adopt a new technology such as EMV, or "Chip & PIN."

Our latest threat briefing compiles the history of cyber credit card crime. For context, we also include some basic but not commonly known information on credit card internals. This background helps explain the limitations of current magnetic stripe technology and gives a clearer picture of today's credit card hacking scene and the tools it uses.

References

[1] "The Great Cyberheist, p3," [Online]. Available: http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?pagewanted=3.
[2] K. Poulsen, Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground, Crown, 2011.
[3] "The Great Cyberheist, p5," [Online]. Available: http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?pagewanted=5&_r=0.
[4] "Drinkman Vladimir et al., Indictment," [Online]. Available: http://www.justice.gov/usao/nj/Press/files/pdffiles/2013/Drinkman,%20Vladimir%20%20et%20al.,%20Indic...
[5] "Global Payments Breach Fueled Prepaid Card Fraud," [Online]. Available: http://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fraud/.
[6] "TJX Hacker Charged With Heartland, Hannaford Breaches," [Online]. Available: http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/.
[7] "Gonzalez: The Al Capone Of Cyber Thieves?," [Online]. Available: http://www.fierceretail.com/retailit/story/gonzalez-the-al-capone-of-cyber-thieves.

About the Author
Twitter: @ohjeongwook