{"id":3243,"date":"2011-12-28T16:19:44","date_gmt":"2011-12-28T16:19:44","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3243"},"modified":"2015-09-09T19:37:02","modified_gmt":"2015-09-09T11:37:02","slug":"us-subway-stores-pos-hacked-for-3million-dollars","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2011\/12\/us-subway-stores-pos-hacked-for-3million-dollars\/","title":{"rendered":"US Subway Stores POS Hacked For $3Million Dollars"},"content":{"rendered":"

Honestly there hasn’t been much news over the holiday period, well maybe there was but no one bothered reporting it. There was the Stratfor case of course, which Anonymous is saying wasn’t anything to do with them.<\/p>\n

The scale of this incident somehow reminds me of the whole TJ MAXX fiasco a few years back.<\/p>\n

Anyway, this whole scheme sounds like a case of people installing VNC with weak passwords and someone finding it by accident – it doesn’t even seem to have been a targeted hack.<\/p>\n

For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.<\/p>\n

In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.<\/p>\n

“This is the crime of the future,” said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, “root them from across the planet, and steal digitally.”<\/p>\n

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations make them easy pickings for large-scale scams like this one, Marcus said.<\/p>\n

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems\u2014something the applications used by these retailers clearly didn’t have. <\/p><\/blockquote>\n

It seems like there’s a pretty large ring behind this operation, just due to the sheer number of locations compromised and the amount of time it must have taken to install all the malware and logging software.<\/p>\n

Plus there's the network infrastructure that was built to receive the logs via FTP upload. The criminals were pretty smart too – they even ‘backed up’ their stolen data to sendspace just in case their hosting got taken down.<\/p>\n