Point of Sale Threat Actor Attribution Through POS Honeypots · PDF filePoint of Sale Threat...

PointofSaleThreatActorAttributionThroughPOSHoneypots

KyleWilhoit

Sr.ThreatResearcher

TrendMicro

Sensitive&Confidential,TrendMicro2016 2

• Spokeatmanyconferencesworldwide,includingBlackhat• Specialize inthreat intelligence,offensivesecurity,andICS• Master’s inComputerScience• Bachelor’s inComputerScience

@lowcalspam

#whoami

Objective…WHOISBEHINDPOS SYSTEMATTACKS

Merchant. Goods and services provider that accepts credit card

payments

Acquiring Bank: Bank that processes and settles a merchant’s

credit card transactions with an issuer

Issuing Bank: Bank or financial institution that issues credit cards to

consumers

Payment Services Provider: Third-party service provider that handles payment transactions between merchant’s bank and

acquirers bank

“Regular”MerchantTransactions

LargeMerchantTransactions

WhyAttackPOSSystems?•Oldoperatingsystems

•Multiplecomponents(Network,bot,killswitch)

•Multipleexfil methodssupported

•Generallyunpatched

POSRAMScraping- CreditCardData

POSRAMScraping- QuickOverview

POSRAMScrapingMalware- AFamilyAffair

POSHoneypotsforIntel

•Totrackactormovement,honeypotwascreated

•Fakecreditcardinformationwasused

•Fakenames/personas

•Fakecompanies

•“Embedded”documents

•ActingasaMerchant

POSHoneypotsforIntel

Hardware/Software

•RadiantPOS1220C–MicrosoftEmbeddedXP–MicrosoftEmbeddedPOSReady7–WindowsEmbeddedCompact2013–AlohaPOS

•Additionalvirtualizedenvironments

•Fakecreditcardgenerator

LegalDisclaimer!

FakeCompany

•MLOTCoffeeCompany

•Createdwebsitetoenticeattackers–PrimarilyforusewhenfacingPOSsystemonInternet

Architecture

HoneypotConsiderations

•Username:Password–Aloha:Password

•Keptdefaultinstall–DefaultVNCcredentials–UnencryptedVNCconnection–Etc.

•CustomizedtocomefromMLOTCoffeeCompany

FakeCreditCardGenerator•Pythonscripttogeneratefakecreditnumbersanddumpintomemory,generatingfaketransactions

•Multipleoutputmethodstotargetmanyfamilies– Luhn algorithm–Track1/Track2dumps–Creditcardnumbersbetween13and19digits– Trackdelimiter(^)

•RandomlygeneratedtotrackonUG

ThreeExecutionLocations

•ExecutemalwaredirectlyonPOSsystem

•Executemalwaredirectlyonbatchprocessor

•HungoffInternetandwait

ExecutiononPoS System

AnyBites?

5103997799204658|0519|0175|CharlesBlue|Cupertino|5953CountessDr|95129|CA|US

5529876429582855|0919|058|BarbaraWafer|CollegePark|2087FlaniganOaksDrive|20741|MD|US

5111387990819704|0521|585|LauraDGriffin |Waco |3160HillHaven Drive |76706|TX|US

5446387373227851|0321|244|JamesEvans|LosAngeles|2564KerryWay|90017|CA|US

PossibleScenariosRegardingSeller

•MayberunningPOSmalwareandsellingharvestednumbers

•Maybepurchasingfullz frommalwareadministrator/author

•Maybetradingforfullz frommalwareadministrator/author

ExecutiononBatchProcessorSystem

BatchProcessorConfiguration

•Merchantsstoreanentireday’sauthorizedsalesinabatch.Attheendoftheday,theysendthebatchviaPSPstoacquirersinordertoreceivepayment.

•CanbedoneremotelyorlocallyonPOSsystem

•Forcaseofexercise,usedadifferentPOSsystem–Portugueselanguagesetting

PossibleScenariosRegardingSeller

•MalwareAuthor/Sellerarelikelynotthesame–MalwareappearstiedtoFighterPOS– Sellerappearstobeunrelated,otherthanBrazilianconnetion

•Couldbeworkingtogether?

•CouldhavetradedcreditcardnumbersonUG

HangingOfftheInternet

•Unfortunately,therewasn’tmuchdirectlyrelatedtoPOSexploitation–ThreeloginswithdefaultAlohausername/password

•NoPoS specificmalwareutilized

•Appearstobemostlyskids

•Restofthedatawasallgarbageautomatedscans

SoWhoCares?

•Mostcriminalsdon’tpre-testbeforesale

•TheymayormaynotbedirectlyresponsibleforthesaleandPOSmalware

•CorrelationbetweenPOSactorsandthesaleofCCnumbers

•Gather“intel”aboutactors/authors

Fin.KYLEWILHOIT@GMAIL.COM

@LOWCALSPAM

Point of Sale Threat Actor Attribution Through POS Honeypots · PDF filePoint of Sale Threat...

Documents

Honeypots: Catching the Insider Threat - ACSAC 2017 · PDF fileYour Speaker! President, Honeypot Technologies Inc.! Founder, Honeynet Project & Moderator, honeypot mailing list! Author,

Charla honeypots

Threat Intelligence from Honeypots for Active Defense

Deception Techniques Using Honeypots

LES HONEYPOTS

Honeypots (Ravindra Singh Rathore)

An Enhanced Cyber Attack Attribution Framework · 2018-08-17 · against social engineering attacks, NEON uses honeypots that attract the at-tention of potential attackers through

Modeling Malware-driven Honeypots · PDF fileTRUSTBUS 2017 Honeypots § Honeypots: what are they used for ? – All traffic received in them are considered suspicious. – Replicate

Bsides chicago 2013 honeypots

Advanced Persistent Threat - Home | Interact Buyer's Guide v1.0 20210121.pdfAdvanced Persistent Threat Buyer’s Guide January 2021 Version 1.0 GSA page 3 Suspected attribution: Russia/Eastern

Honeypots monitorizando a_los_atacantes

Honeypots Correct

Introduction to Honeypots · Introduction to Honeypots 28 29 v1.2 About the Project NIC Community Honeynet Project •Part of network security training –using honeypots for understanding

HONEYPOTS - 123seminarsonly.com€¦ · HONEYPOTS Honeypots are hard to maintain and they need operators with good knowledge about operating systems and network …

Bsides detroit 2013 honeypots

Honeypots final

Threat of threat attribution - Kaspersky Internet Security...and several petabytes of constantly updated data on the cyber threat landscape are ... Biggest cyber heist ever In February

Qa 00104 Honeypots Presentation

HC3 Intelligence Briefing ****Botnet Threat to the …...of the current threat landscape. The report found these attempts have tripled in the past year: The honeypots measured a total

Honeypots / honeynets · Honeypots Honeynets ... Source: Honeypots: Tracking Hackers", Lance Spitzner, 2002 (book) Apr-16-09 presentatie naam 7 History