US Subway Stores POS Hacked For $3Million Dollars

Honestly, there hasn’t been much news over the holiday period; well, maybe there was, but no one bothered reporting it. There was the Stratfor case of course, which Anonymous is saying wasn’t anything to do with them.

The scale of this incident somehow reminds me of the whole TJ MAXX fiasco a few years back.

Anyway, this whole scheme sounds like a case of people installing VNC with weak passwords and someone finding it by accident – it doesn’t even seem to have been a targeted hack.

For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.

“This is the crime of the future,” said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, “root them from across the planet, and steal digitally.”

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations make them easy pickings for large-scale scams like this one, Marcus said.

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.

It seems like there’s a pretty large ring behind this operation, just due to the sheer number of locations compromised and the amount of time it must have taken to install all the malware and logging software.

Plus there’s the network infrastructure that was built to receive the logs via FTP upload. The criminals were pretty smart too – they even ‘backed up’ their stolen data to Sendspace just in case their hosting got taken down.

Once they were in, the hackers then deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems—including credit card scans. They also installed a trojan, xp.exe, onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware, and prevent any security software updates.

Collected data from the loggers was posted by the malware to FTP “dump” sites on a number of Web servers in the US, created with domains the hackers registered using stolen credit card data. In addition to using the stolen data to register their own domains and pay for hosting service, the hackers periodically rounded up the dumped transaction data and moved it to Sendspace, a file transfer site. Richard James of Sendspace says that his company cooperated with the FBI in the investigation of the hack. “Sendspace [is] a file hosting and transfer site used by millions every single day,” he said in an email to Ars Technica, “and as such can indeed be used for activities which are against our TOS and that we do not condone.”
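The two indicators this story turns on would both have been visible in a store firewall’s connection log: an external address sweeping a block of hosts on a remote-desktop port before one connection is accepted, and a POS terminal later opening plain FTP to a server on the Internet. The script below is an added example of what a franchisor’s network team could run over such logs; it is not code from the article or from any party involved. The `ts action k=v ...` log format, the 10.20.0.0/16 POS subnet and every address in the sample are constructed; the port numbers are the standard VNC and RDP listeners.

```python
"""Audit constructed firewall connection logs for the POS exposure patterns
described in the article: remote-access software reachable from the Internet,
one external source sweeping many hosts on a remote-access port, and outbound
FTP from a POS host. Added example; log format and addresses are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# The store's POS subnet (constructed; replace with the real segment).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Standard listening ports of the remote-access software a block scan would look for.
REMOTE_ACCESS_PORTS = {5900: "VNC", 5800: "VNC over HTTP", 3389: "RDP"}
FTP_PORT = 21

# Constructed sample: an external host sweeps the POS subnet on 5900, gets in on
# one terminal, and that terminal later uploads to an external FTP server.
# 198.51.100.x / 203.0.113.x / 192.0.2.x are documentation ranges standing in
# for Internet addresses.
SAMPLE_LOG = """\
2012-01-05T02:14:01Z allow src=198.51.100.23 sport=51012 dst=10.20.1.10 dport=5900 proto=tcp
2012-01-05T02:14:01Z deny src=198.51.100.23 sport=51013 dst=10.20.1.11 dport=5900 proto=tcp
2012-01-05T02:14:02Z deny src=198.51.100.23 sport=51014 dst=10.20.1.12 dport=5900 proto=tcp
2012-01-05T02:14:02Z deny src=198.51.100.23 sport=51015 dst=10.20.1.13 dport=5900 proto=tcp
2012-01-05T09:30:12Z allow src=10.20.1.50 sport=40220 dst=10.20.1.10 dport=5900 proto=tcp
2012-01-05T23:58:44Z allow src=10.20.1.10 sport=49155 dst=203.0.113.45 dport=21 proto=tcp
2012-01-05T23:59:10Z allow src=10.20.1.10 sport=49160 dst=203.0.113.45 dport=443 proto=tcp
2012-01-06T01:02:03Z deny src=192.0.2.77 sport=60001 dst=10.20.1.10 dport=3389 proto=tcp
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    action: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_log(text: str) -> list:
    """Parse 'ts action k=v k=v ...' lines; blank or malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, action, *kv = parts
        fields = dict(p.split("=", 1) for p in kv if "=" in p)
        try:
            conns.append(Conn(ts, action,
                              ipaddress.ip_address(fields["src"]),
                              ipaddress.ip_address(fields["dst"]),
                              int(fields["dport"]), fields.get("proto", "tcp")))
        except (KeyError, ValueError):
            continue  # a malformed line is not worth aborting the whole audit
    return conns


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def exposed_remote_access(conns):
    """Accepted inbound connections from outside to a remote-access port:
    the 'ready-made back door' the indictment describes."""
    return sorted({(str(c.src), str(c.dst), c.dport, REMOTE_ACCESS_PORTS[c.dport])
                   for c in conns
                   if c.action == "allow" and not is_internal(c.src)
                   and is_internal(c.dst) and c.dport in REMOTE_ACCESS_PORTS})


def scan_sources(conns, min_hosts: int = 3):
    """External sources that touched at least min_hosts distinct internal hosts on
    remote-access ports, allowed or denied: the block scan that found the victims."""
    targets = defaultdict(set)
    for c in conns:
        if not is_internal(c.src) and is_internal(c.dst) and c.dport in REMOTE_ACCESS_PORTS:
            targets[str(c.src)].add(str(c.dst))
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


def outbound_ftp(conns):
    """POS hosts opening plain FTP to the outside: the channel the loggers used."""
    return sorted({(str(c.src), str(c.dst))
                   for c in conns
                   if c.action == "allow" and is_internal(c.src)
                   and not is_internal(c.dst) and c.dport == FTP_PORT})


def audit(text: str) -> dict:
    conns = parse_log(text)
    return {"exposed": exposed_remote_access(conns),
            "scanners": scan_sources(conns),
            "ftp_exfil": outbound_ftp(conns)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

The scan rule deliberately counts denied connections as well as accepted ones: a sweep across an address block shows up as a run of drops long before the one connection that lands, so it is the earliest signal in this story that a store’s own logs would have carried. An internal technician connecting to a terminal over VNC is not flagged by any rule, which is the point of keying everything on the address segment rather than on the port alone.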

Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines. One of the alleged hackers, Cezar Iulian Butu, was generating counterfeit cards with an embossing machine out of a house in Belgium in October of 2010, and working with a group, used the cards “among other uses [to] place bets at local French ‘tobacco’ shops,” the Justice Department said in its filing. The rest of the stolen data was sold in blocks to other criminals from the Sendspace server.

According to a report by Schuman, Subway’s corporate IT and a credit card company discovered the data breach “almost simultaneously.” Subway Corporate Press Relations Manager Kevin Kane told Ars that “the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it.” He said the company wouldn’t discuss the measures taken, as “we don’t want to give away the blueprint” to other potential attackers. And Kane added that Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.

It’ll be a pretty interesting case to watch either way; we’ll have to see what else gets discovered (and, more importantly, released to the public).

Subway corporate IT has taken some measures against this, but as it was franchisee stores that got owned – I don’t honestly see how much they can do. Unless they implement a completely new POS system (which is secure and preferably doesn’t run Windows or connect to the Internet).

POS in this case should well stand for Piece of Shit.

Source: Ars Technica

Posted in: Exploits/Vulnerabilities, Hacking News, Legal Issues


2 Responses to US Subway Stores POS Hacked For $3Million Dollars

  1. Dmpstrbaby January 1, 2012 at 6:01 pm #

    “which Anonymous is saying wasn’t anything to do with them.”


  2. MC February 14, 2012 at 12:17 am #

    I worked for 1 year as a POS tech for Aloha POS software and our company (a software reseller and tech support provider for Aloha) had the worst security practices I have ever heard of. Here are some highlights of their tomfoolery.

    1. With over 500 servers installed they all had the same Windows admin password and it was a ridiculously weak one that could be guessed quickly by any pentester. Also, no password lockouts were implemented via Windows policies etc., so you could just bang away till you got it.

    2. While some of our clients were set up to use proprietary two-factor authentication software for remote access via RSA key/password, many were simply loaded with Ultra VNC and all these VNC-enabled sites used the same very weak password and also the standard VNC port.

    3. Several sites I was sent to for service work had open wifi for their customers, which consisted of simply a wifi router on the same LAN as the POS set to no wifi security. Meaning anyone who connected could easily bruteforce the server box sitting in the back office. Also many wifi routers were still set to admin:admin as their login, which would also allow anyone to modify the routing tables or forwarding ports for easier remote access.

    Since my employers had clients sign security waivers to state that security was the customer’s responsibility I was encouraged to never warn or advise these owners/managers of these flaws (an instruction I regularly disregarded for my own sanity as this was counter to everything I believe).

    4. As part of our “Server Builds” for customers we installed FREE AVG as their antivirus and would not ensure updates etc. as that was “the client’s problem”. This was not only ridiculous but also against the AVG FREE version usage terms.

    5. We had a drawer with about 10 copies of XP PRO (which for Aloha was the only option in 2010) and we used these for every server or terminal image we built, and those images were used hundreds of times each to flash drives for machines. Many times I have had to call the stupid MS activation # and try multiple CD keys until one went through.

    6. Our largest account was a national food chain for which we had several hundred locations. When they were sold their systems they requested that each server must have Microsoft Office as they needed that package on every server. Well our bosses balked at the price per software license and instead had another tech use a university-obtained student copy of Office, which was then installed when we built the first server image, which was then imaged back to each of the hundreds of servers for this company. So one CD key for hundreds of PCs.

    That is all 100% true and this company is still in business and considered a top company in our area for POS service and support. Also several times I had to work on Aloha servers set up by other Aloha resellers and when I would use ophcrack to get the Windows admin password I found that several resellers used the same password for all their server builds just like we did, so look out when shopping POS vendors.

    I withheld the most sensitive details as my employer most likely has not changed any of this, so the names are withheld to protect both the innocent and guilty in this situation. Thank goodness I quit this firm over another unrelated immoral/illegal thing they told me to do and even though I am out of IT for the moment (I really hate Windows anyway – I Love Linux) I would rather be doing something I don’t really like than working for crooked people.

    If any documented white hat researchers (or Subway IT guys – since we did a few of your franchise owners’ boxes as well) want more info on my story for research (as in company name and clients – not passwords etc.) send me an Email to linuxfan502(A-T) with your name and affiliation and if you check out I would discuss this further. I will only provide more info for the purpose of raising awareness of POS security problems. I would love to see articles come out aimed at helping the end users shop for such systems, as in what to ask and answers they should receive etc. No one has written such an article to my knowledge (aimed at the end user, not a PCI compliance tech) but someone should.