Monday, September 8, 2014

Rescator Marketplace for Malware

  • Rescator is an illegitimate cybercrime shop that has sold, on line, millions of credit card identities that has been used for attacks on major retail merchants. The marketed batches of credit card identification were obtained from hacking Point of Sale (POS) credit card readers.

Description
Rescator’s listing of available credit cards enumerates each available card according to the type of card, city, state and ZIP code of the store from which each card was stolen.[1] Experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions.

There are signs that the perpetrators of these breaches may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, among others. These hackers have been moved massive new batches of stolen cards onto the market. The newest batches claim 100 percent validity; meaning cyber criminals won’t run into the embarrassment of having a stolen card declined while trying to make some illicit purchase.

Executive Guidance
POS data security problem can be attributed to lack of investment in secure application development, disputes with the financial services industry over who's to blame, disputes between brands and franchise stores, and lack of oversight by those who develop and deploy retail applications.
Recent network intrusions were the result of the “Backoff” malware. The Secret Service currently estimates that over 1,000 U.S. businesses are affected.[2]

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

Anti-virus (AV) vendors have now released variants of the “Backoff’ malware family that have hitherto remained largely undetected by AV vendors. It’s important to maintain up‐to‐date AV signatures and engines as new threats such as this are continually being added to your AV solution.
The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security experts recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:
  •        Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.
  •        Limit the number of users and workstation who can log in using Remote Desktop.
  •        Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
  •        Change the default Remote Desktop listening port.
  •        Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  •        Require two-factor authentication (2FA) for remote desktop access.
  •       Install a Remote Desktop Gateway to restrict access.
  •        Limit administrative privileges for users and applications.
  •        Periodically review systems (local and domain controllers) for unknown and dormant users.





[1] http://krebsonsecurity.com/tag/rescator/
[2] https://www.us-cert.gov/ncas/alerts/TA14-212A

No comments:

Post a Comment

For comments please e-mail paul@strassmann.com