Point of Sale Threat Actor Attribution Through POS Honeypots
Kyle Wilhoit
Sr. Threat Researcher
Trend Micro
Sensitive & Confidential, Trend Micro 2016
#whoami
• Spoke at many conferences worldwide, including Blackhat
• Specialize in threat intelligence, offensive security, and ICS
• Master's in Computer Science
• Bachelor's in Computer Science
@lowcalspam
Objective… WHO IS BEHIND POS SYSTEM ATTACKS
Merchant: Goods and services provider that accepts credit card payments
Acquiring Bank: Bank that processes and settles a merchant's credit card transactions with an issuer
Issuing Bank: Bank or financial institution that issues credit cards to consumers
Payment Services Provider: Third-party service provider that handles payment transactions between the merchant's bank and the acquirer's bank
“Regular” Merchant Transactions
Large Merchant Transactions
Why Attack POS Systems?
• Old operating systems
• Multiple components (Network, bot, killswitch)
• Multiple exfil methods supported
• Generally unpatched
POS RAM Scraping - Credit Card Data
POS RAM Scraping - Quick Overview
POS RAM Scraping Malware - A Family Affair
POS Honeypots for Intel
• To track actor movement, honeypot was created
• Fake credit card information was used
• Fake names/personas
• Fake companies
• “Embedded” documents
• Acting as a Merchant
Hardware/Software
• Radiant POS 1220C
  – Microsoft Embedded XP
  – Microsoft Embedded POSReady 7
  – Windows Embedded Compact 2013
  – Aloha POS
• Additional virtualized environments
• Fake credit card generator
Legal Disclaimer!
Fake Company
• MLOT Coffee Company
• Created website to entice attackers
  – Primarily for use when facing POS system on Internet
Architecture
Honeypot Considerations
• Username:Password
  – Aloha:Password
• Kept default install
  – Default VNC credentials
  – Unencrypted VNC connection
  – Etc.
• Customized to come from MLOT Coffee Company
Fake Credit Card Generator
• Python script to generate fake credit card numbers and dump them into memory, generating fake transactions
• Multiple output methods to target many families
  – Luhn algorithm
  – Track 1/Track 2 dumps
  – Credit card numbers between 13 and 19 digits
  – Track delimiter (^)
• Randomly generated to track on the underground (UG)
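As an added example (not the talk's own script), the Python below sketches the decoy-generation idea on this slide: Luhn-valid PANs of 13 to 19 digits, Track 1/Track 2 formatting with the ^ delimiter, and matching a pipe-delimited seller listing back to the decoy set so a resurfaced number can be recognised. The IIN prefixes, names and sample dump lines are constructed, and the in-memory transaction step is left out.

```python
import random

# Added example, not the talk's own script: Luhn-valid decoy PANs for a POS honeypot,
# Track 1/2 formatting, and matching a seller's dump back to the decoy set.
# The slide's "dump into memory" step is deliberately left out.

def _luhn_sum(digits: str, double_odd: bool) -> int:
    """Luhn sum over digits read right to left; double_odd selects which positions double."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 1) == double_odd:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass Luhn (partial's rightmost digit doubles)."""
    return str((10 - _luhn_sum(partial, False) % 10) % 10)

def luhn_valid(pan: str) -> bool:
    """True for a 13-19 digit PAN that passes the Luhn check."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and _luhn_sum(pan, True) % 10 == 0

def make_decoy_pan(rng: random.Random, prefix: str, length: int) -> str:
    """Random PAN of the given length beginning with prefix (assumed IIN), made Luhn-valid."""
    body = prefix + "".join(rng.choice("0123456789") for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)

def track1(pan: str, name: str, exp_yymm: str, service: str = "101") -> str:
    """Track 1 layout %B<PAN>^<NAME>^<YYMM><service code>? with ^ as the track delimiter."""
    return f"%B{pan}^{name}^{exp_yymm}{service}?"

def track2(pan: str, exp_yymm: str, service: str = "101") -> str:
    """Track 2 layout ;<PAN>=<YYMM><service code>?"""
    return f";{pan}={exp_yymm}{service}?"

def decoy_hits(decoys: set, dump_lines) -> list:
    """PANs from pipe-delimited dump lines (PAN first, as on the 'Any Bites?' slide) that are decoys."""
    pans = (ln.split("|", 1)[0].strip() for ln in dump_lines)
    return [p for p in pans if p in decoys]

# Constructed sample: two decoys, plus a seller listing that resurfaces one of them.
RNG = random.Random(2015)
DECOYS = {make_decoy_pan(RNG, "51", 16), make_decoy_pan(RNG, "4", 19)}
SAMPLE_DUMP = [f"{sorted(DECOYS)[0]}|0519|175|Charles Blue|Cupertino|95129|CA|US",
               "4111111111111111|0321|244|Not A Decoy|Waco|76706|TX|US"]
```

Note that track data carries the expiry as YYMM, whereas the listing on the later slide shows it as MMYY; keep the decoy set keyed on the PAN so either form matches.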
Three Execution Locations
• Execute malware directly on POS system
• Execute malware directly on batch processor
• Hung off Internet and wait
Execution on PoS System
Any Bites?
5103997799204658|0519|0175|Charles Blue|Cupertino|5953 Countess Dr|95129|CA|US
5529876429582855|0919|058|Barbara Wafer|College Park|2087 Flanigan Oaks Drive|20741|MD|US
5111387990819704|0521|585|Laura D Griffin|Waco|3160 Hill Haven Drive|76706|TX|US
5446387373227851|0321|244|James Evans|Los Angeles|2564 Kerry Way|90017|CA|US
Possible Scenarios Regarding Seller
• May be running POS malware and selling harvested numbers
• May be purchasing fullz from malware administrator/author
• May be trading for fullz from malware administrator/author
Execution on Batch Processor System
Batch Processor Configuration
• Merchants store an entire day's authorized sales in a batch. At the end of the day, they send the batch via PSPs to acquirers in order to receive payment.
• Can be done remotely or locally on POS system
• For the purposes of this exercise, used a different POS system
  – Portuguese language setting
Possible Scenarios Regarding Seller
• Malware author/seller are likely not the same
  – Malware appears tied to FighterPOS
  – Seller appears to be unrelated, other than Brazilian connection
• Could be working together?
• Could have traded credit card numbers on UG
Hanging Off the Internet
• Unfortunately, there wasn't much directly related to POS exploitation
  – Three logins with default Aloha username/password
• No PoS-specific malware utilized
• Appears to be mostly skids
• Rest of the data was all garbage automated scans
So Who Cares?
• Most criminals don't pre-test before sale
• They may or may not be directly responsible for the sale and POS malware
• Correlation between POS actors and the sale of CC numbers
• Gather “intel” about actors/authors