In scanning through the indictment, I was left with the strong impression that this group had a rock-solid business model, excelled at executing on their plans, and was actually good at following IT security principles—better than their victims.
According to the government’s investigation—based heavily on chat sessions between the hacking principals—stolen credit card numbers were sold through wholesale networks: US numbers would go for $10, Canadian for $15, and European for $50. The hacking gang, which the government more accurately referred to as an organization, would offer bulk discounts—i.e., corporate payment schedules. The distribution network would then resell stolen data through their channels to end users.
By the way, this hacking organization did not take credit card payments for their services—just bank wire transfers and Western Union. Good move, on their part, because, don’t you know, credit card numbers are vulnerable to theft.
Their hack craft was a little more advanced than the common cyber thief’s. They relied heavily on SQL injection attacks to break into websites, rather than brute force password guessing. The retailer, banking, and credit card company victims validate yet again the stats from Verizon’s Data Breach Investigations Report on the most heavily hacked sectors. In a few cases, the hackers chose retailers based on the type of point of sale or POS equipment, because they could install specially configured software sniffers to vacuum up unencrypted card numbers. And yet again, these mostly food and clothing retailers were PCI compliant.
After breaking in, the hackers then had the more complex problem of where to find the credit card number and other personal identifying data.
In the DEF CON archives, I came across a presentation on this subject written by two pen testers. They note that the job of the hacker is to “hide in plain site”, and in bold red font on one of their slides is the command, “Don’t be an anomaly”. Another slide points out that getting root access is not necessarily a desirable goal for a hacker because it’s also a user-level that is most likely audited.
This is generally solid advice, but of course the hackers can’t know ahead of time the long-term average behaviors of users, and there is, ahem, software that can spot atypical file access patterns.
Anyway, the two pen testers suggest you come in as ordinary user and selectively hijack credential and sessions. So which user should a hacker pick? Their overall advice is to “know the target environment”, then learn “who has access to what”, and find out “where is the data.”
It’s perhaps a bit counter-intuitive that we have pen testers to thank for making a solid governance case in a presentation on post-exploitation techniques. But in the upside-down world of hacking, it’s the cyber thieves who are doing a better job than the targeted companies at seeing the value in the data and applying good IT practices.
Author: Andy Green, Technical Specialist at Varonis.