- Rescator is an illegitimate cybercrime shop that has sold, online,
millions of credit card identities that have been used for attacks on major
retail merchants. The marketed batches of credit card identification were obtained
by hacking Point of Sale (POS) credit card readers.
Description
Rescator's listing of available credit cards enumerates each
card by the type of card and the city, state and ZIP
code of the store from which it was stolen.[1]
Experienced crooks prefer to purchase cards that were stolen from stores near
them, because they know that using the cards for fraudulent purchases in the
same geographic area as the legitimate cardholder is less likely to trigger
alerts about suspicious transactions.
There are signs that the perpetrators of these breaches may
be the same group of Russian and Ukrainian hackers responsible for the data
breaches at Target, among others. These hackers have moved massive
new batches of stolen cards onto the market. The newest batches claim 100
percent validity, meaning cyber criminals won't run into the embarrassment of
having a stolen card declined while trying to make some illicit purchase.
Executive Guidance
The POS data security problem can be attributed to a lack of
investment in secure application development, disputes with the financial
services industry over who is to blame, disputes between brands and franchise
stores, and a lack of oversight of those who develop and deploy retail
applications.
Recent network intrusions were the result of the “Backoff”
malware. The Secret Service currently estimates that over 1,000 U.S. businesses
are affected.[2]
Recent investigations revealed that malicious actors are
using publicly available tools to locate businesses that use remote desktop
applications. Once these applications were located, the suspects attempted to
brute-force the login feature of the remote desktop solution. After gaining
access to what were often administrator or otherwise privileged accounts, the
suspects were then able to deploy the point-of-sale (POS) malware and
subsequently exfiltrate consumer payment data via an encrypted POST request.
Anti-virus (AV) vendors have now released signatures for variants of the
"Backoff" malware family that had hitherto remained largely undetected by AV
products. It is important to maintain up-to-date AV signatures and engines, as new
threats such as this are continually being added to your AV solution.
The forensic investigations of compromises of retail
IT/payment networks indicate that the network compromises allowed the
introduction of memory scraping malware to the payment terminals. Information
security experts recommend a defense in depth approach to mitigating risk to
retail payment systems. While some of the risk mitigation recommendations are
general in nature, the following strategies provide an approach to minimize the
possibility of an attack and mitigate the risk of data compromise:
- Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to log in, whether from an unauthorized user or via automated attack types like brute force.
- Limit the number of users and workstations who can log in using Remote Desktop.
- Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
- Change the default Remote Desktop listening port.
- Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
- Require two-factor authentication (2FA) for remote desktop access.
- Install a Remote Desktop Gateway to restrict access.
- Limit administrative privileges for users and applications.
- Periodically review systems (local and domain controllers) for unknown and dormant users.
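The intrusion chain described above starts with brute-forcing Remote Desktop logins, and the first item in the checklist is a lockout threshold that caps such attempts. The following added example (not code from the original post or from any vendor advisory) shows the defender's side of that same step: it applies a threshold-within-window rule to Windows Security log events and flags both a brute-force burst and the more serious case of a successful RDP logon that follows one. The log lines, IP addresses, user names and timestamps are all constructed for the example, and the key=value line format is an assumed simplification of a Security log export (Event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP).

```python
"""Detect RDP brute-force logons in Windows Security events.

Added example, not from the original post.  Assumed input shape: one event
per line as "<ISO timestamp> EventID=... LogonType=... TargetUserName=...
IpAddress=...".  The sample below is constructed; the addresses are
documentation ranges and the users and times are invented.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures per source before alerting (cf. lockout threshold)
WINDOW = timedelta(minutes=5)  # sliding window, like a lockout observation window

# Constructed sample: one source hammers the RDP login and then gets in,
# a second source is a single typo followed by a normal logon, and a third
# is a non-RDP (network) failure that the rule ignores.
SAMPLE_LOG = """\
2014-08-01T02:15:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2014-08-01T02:15:04 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2014-08-01T02:15:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2014-08-01T02:15:06 EventID=4625 LogonType=10 TargetUserName=pos IpAddress=203.0.113.7
2014-08-01T02:15:07 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2014-08-01T02:15:09 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2014-08-01T02:20:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2014-08-01T02:21:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2014-08-01T02:30:00 EventID=4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.5
"""


def parse_event(line):
    """Split one log line into a dict of fields plus a parsed 'time'."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for RDP brute-force bursts and for logons that follow them.

    A 'medium' alert fires once per source IP when it reaches `threshold`
    failed RDP logons inside `window`; a 'high' alert fires for every
    successful RDP logon from a source that is still over the threshold,
    which is the signature of a guessed credential.
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent 4625 events
    alerted = set()                # sources already reported as bursting
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("LogonType") != "10":   # only RemoteInteractive (RDP) logons
            continue
        ip = event["IpAddress"]
        recent = failures[ip]
        # Drop failures that have aged out of the observation window.
        while recent and event["time"] - recent[0] > window:
            recent.popleft()

        if event["EventID"] == "4625":
            recent.append(event["time"])
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({
                    "severity": "medium",
                    "ip": ip,
                    "reason": f"{len(recent)} failed RDP logons within {window}",
                })
        elif event["EventID"] == "4624" and len(recent) >= threshold:
            alerts.append({
                "severity": "high",
                "ip": ip,
                "user": event["TargetUserName"],
                "reason": "successful RDP logon after brute-force burst",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window mirror the lockout threshold and observation window an administrator would set in policy; running the same rule over the logs shows whether the policy is actually holding, and the "high" alert is the one worth paging on, since it means the lockout did not stop the guessing before a password was found. Sources that fail below the threshold, like the single mistyped password in the sample, produce no alert at all.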
For comments please e-mail paul@strassmann.com