Honestly there hasn’t been much news over the holiday period, well maybe there was but no one bothered reporting it. There was the Stratfor case of course, which Anonymous is saying wasn’t anything to do with them.
The scale of this incident somehow reminds me of the whole TJ MAXX fiasco a few years back.
Anyway, this whole scheme sounds like a case of people installed VNC with weak passwords and someone finding it by accident – it doesn’t even seem to have been a targeted hack.
For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.
In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.
“This is the crime of the future,” said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, “root them from across the planet, and steal digitally.”
The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.
While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.
It seems like there’s a pretty large ring behind this operation, just due to the sheer number of locations compromised and the amount of time it must have taken to install all the malware and logging software.
Plus the network infrastructure that was build to receive the logs via FTP upload, the criminals were pretty smart too – they even ‘backed up’ their stolen data to sendspace just in case their hosting got taken down.
Once they were in, the hackers then deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems—including credit card scans. They also installed a trojan, xp.exe, onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware, and prevent any security software updates.
Collected data from the loggers was posted by the malware to FTP “dump” sites on a number of Web servers in the US created with domains they registered through GoDaddy.com using stolen credit card data. In addition to using the stolen data to register their own domains and pay for hosting service, the hackers periodically rounded up the dumped transaction data and moved it to sendspace.com, a file transfer site. Richard James of sendspace.com says that his company cooperated with the FBI in the investigation of the hack. ” Sendspace [is] a file hosting and transfer site used by millions every single day,” he said in an email to Ars Technica,”and as such can indeed be used for activities which are against our TOS and that we do not condone.”
Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines. One of the alleged hackers, Cezar Iulian Butu, was generating counterfeit cards with an embossing machine out of a house in Belgium in October of 2010, and working with a group, used the cards “among other uses [to] place bets at local French ‘tobacco’ shops,” the Justice Department said in its filing. The rest of the stolen data was sold in blocks to other criminals from the Sendspace server.
According to a report by Schuman, Subway’s corporate IT and a credit card company discovered the data breach “almost simultaneously.” Subway Corporate Press Relations Manager Kevin Kane told Ars that “the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it.” He said the company wouldn’t discuss the measures taken, as “we don’t want to give away the blueprint” to other potential attackers. And Kane added that Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.
It’ll be a pretty interesting case to watch either way, we’ll have to see what else gets discovered (and more importantly released to the public).
Subway corporate IT has taken some measures against this, but as it was franchisee stores that got owned – I don’t honestly see how much they can do. Unless they implement a complete new POS system (which is secure and preferably doesn’t run Windows and connect to the Internet).
POS in this case should well stand for Piece of Shit.
Source: Ars Technica