You need to know about carders and hackers or "heroes" by sight

Lord777

I came across an interesting document on the website of the US Department of Justice: "Data Breaches: What The Underground World Of Carding Reveals". In a nutshell, it is an analysis of court practice in carding cases. And since at that moment I was preparing a report for a round table at InfoSecurity, it fell right on topic.

What do we know about carding? That carding is a type of fraud in which a transaction is made using a bank card or its details without being initiated or confirmed by the cardholder. That the most dangerous kind of carding is carding with a cloned card. That cloning becomes possible once the magnetic stripe data is obtained. That magnetic stripe data is usually read by carders using a skimmer installed on the ATM's card slot. That other methods of obtaining magnetic stripe data and other banking details are also used: phishing, plain theft of the card along with the wallet, etc.

So, according to this document, criminals do use different methods of data theft, such as digging through the trash (in the original: dumpster diving), skimming, phishing, address changes, and traditional theft. In each of these cases the number of victims rarely exceeds several hundred, less often thousands. However, the main source of data for carders is hackers who steal card data directly from banks, processing centers, and retail outlets, and there we are talking about thousands, and in some cases millions, of cards.

Is this possible? Alas, more than possible. Here are just a few episodes from the life of Albert Gonzalez, a hacker who recently appeared in court, pleaded guilty and faces up to 20 years in prison.

In 2007, Gonzalez, Maxim Yastremsky (Ukraine) and Alexander Suvorov (Estonia) organized an attack on the Dave & Buster's restaurant chain. The restaurant chain's system of cash terminals formed a kind of "star": the terminals themselves transmitted the data read from the magnetic stripe to the restaurant's server, which passed it to the head-office server, and from there, finally, the data went to the processor for payment authorization. In April 2007 the hackers managed to gain remote access to the server of one of the restaurants and installed a sniffer on it. How exactly they did it, American Themis is silent about (more precisely, it uses the official phrase "the defendants made materially false representations indicating that they were authorized to gain such access", that is, "bypassed authentication mechanisms"). Later they used the same scheme to install sniffers on the servers of 11 more D&B restaurants. The intercepted dumps were simply sold through one of the carder forums.

The sniffers worked until September 2007. Tellingly, they apparently could not be set up to start automatically, and each time the server was restarted the guys had to connect to it again and run the sniffer manually. In one of the restaurants alone (restaurant No. 32, which appears in the indictment) they did this three times.

By the way, of the 12 restaurants listed in the preamble of the indictment, only this ill-fated "restaurant No. 32" appears in the case. Why only it is a mystery. Another oddity is the relatively small number of stolen dumps (about 5,000 in total). Most likely we are talking about the 5,000 dumps that were found on the notebook seized from Yastremsky during his arrest. This moment was the "beginning of the end" for Gonzalez and his accomplices: after spending several days in a Turkish prison (and the Turks' methods of conducting interrogations are cruel even by the standards of Russian investigators), Yastremsky began to tell everything he knew about his acquaintances.

This crew first came to the attention of the FBI and the US Secret Service back in 2003, when Gonzalez, Yastremsky, Damon Patrick Toy, Christopher Scott and others organized a grand wardriving campaign around the stores of several major American retail chains. Gonzalez and Scott parked outside a store and hacked its access point (the fact that WEP is one big mistake has long been known). At first the hackers used various vulnerabilities to get at the data, but in the summer of 2005, having hacked two access points of the TJX retail chain in a similar way, they put their business on an assembly line. They managed to break into the TJX processing center, set up a VPN between the processing center and a rented server, and install a sniffer written by Yastremsky on the processing server. The well-established "vacuum cleaner" worked from May 2006 to March 2008. One can only guess at the number of dumps copied: the figure 40,000,000 appears in the news, but this is just one upload that Gonzalez made while already under the surveillance of the Secret Service, a month before his arrest.

The finale of Gonzalez's career was the sensational attack on Heartland Payment Systems this winter. According to Heartland's representatives, in the fall of 2008 VISA warned them about a possible compromise. The company conducted an internal audit, which did not reveal anything suspicious. Then, just in case, the company turned to the Secret Service, whose specialists were able to find a well-disguised "Trojan". Well, congratulations, citizens: you lied.

It all started when Gonzalez and his friend came across Fortune magazine's ranking of the largest processing companies. The idea matured quickly, and two "Russian hackers" were immediately brought into the job (the indictment names the strange region "somewhere near Russia", although, judging by the case materials, we are talking about the "young democracies" of Latvia and Ukraine). In addition, 6 servers were rented in different regions to store the stolen dumps.

The guys went straight down the list studying the Web portals of these companies, SQL injection vulnerabilities were found on three of them, and in November 2007 active work began. A month and a half later (by the end of December 2007) they already controlled Heartland's processing, having installed a sniffer on one of the key servers. The second processing center held out for another month, and the third had to be tinkered with right up to March 2008.

By this point, based on Yastremsky's testimony, the Secret Service had almost finished investigating the attack on TJX and was actively working against Gonzalez. After his arrest, by the end of 2008, he was well aware of what he was in for, and he began to confess in exchange for a waiver of prosecution on minor cases like the attack on D&B. In fact, that is when the Secret Service showed up at Heartland. However, the company did not file an official leak notification until January 30, 2009.

And the moral of the whole story is very simple. A hacker who exploits common mistakes made by administrators and Web programmers is a more than serious threat to any company. How serious? In my opinion, Heartland's share price shows this very clearly.