Point of Sale Threat Actor Attribution Through POS Honeypots
Kyle Wilhoit, Sr. Threat Researcher, Trend Micro



#whoami

• Spoke at many conferences worldwide, including Blackhat
• Specialize in threat intelligence, offensive security, and ICS
• Master's in Computer Science
• Bachelor's in Computer Science

@lowcalspam

Sensitive & Confidential, Trend Micro 2016

Objective… WHO IS BEHIND POS SYSTEM ATTACKS

Merchant: Goods and services provider that accepts credit card payments

Acquiring Bank: Bank that processes and settles a merchant's credit card transactions with an issuer

Issuing Bank: Bank or financial institution that issues credit cards to consumers

Payment Services Provider: Third-party service provider that handles payment transactions between the merchant's bank and the acquirer's bank

"Regular" Merchant Transactions

Large Merchant Transactions

Why Attack POS Systems?

• Old operating systems
• Multiple components (Network, bot, kill switch)
• Multiple exfil methods supported
• Generally unpatched

POS RAM Scraping - Credit Card Data

POS RAM Scraping - Quick Overview

POS RAM Scraping Malware - A Family Affair


POS Honeypots for Intel

• To track actor movement, honeypot was created
• Fake credit card information was used
• Fake names/personas
• Fake companies
• "Embedded" documents
• Acting as a Merchant


Hardware/Software

• Radiant POS 1220C
  – Microsoft Embedded XP
  – Microsoft Embedded POSReady 7
  – Windows Embedded Compact 2013
  – Aloha POS
• Additional virtualized environments
• Fake credit card generator

Legal Disclaimer!

Fake Company

• MLOT Coffee Company
• Created website to entice attackers
  – Primarily for use when facing POS system on Internet

Architecture

Honeypot Considerations

• Username:Password – Aloha:Password
• Kept default install
  – Default VNC credentials
  – Unencrypted VNC connection
  – Etc.
• Customized to come from MLOT Coffee Company

Fake Credit Card Generator

• Python script to generate fake credit card numbers and dump them into memory, generating fake transactions
• Multiple output methods to target many families
  – Luhn algorithm
  – Track 1/Track 2 dumps
  – Credit card numbers between 13 and 19 digits
  – Track delimiter (^)
• Randomly generated to track on UG
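An added example, not the deck's own generator script: it builds Luhn-valid honeytoken PANs of 13 to 19 digits, lays them out as Track 1/Track 2 data with the ^ delimiter, and matches a pipe-delimited dump in the layout of the "Any Bites?" records against the seeded set, which is how a defender recognises a bite. The PAN prefix, seed, service code, cardholder name and dump lines are constructed assumptions.

```python
import random

# Added example (not the deck's code). Every value below is constructed.

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):  # rightmost partial digit gets doubled
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    """True if pan passes the Luhn check (the filter RAM scrapers apply)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # the check digit itself is not doubled
        d = int(ch) * 2 if i % 2 == 1 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def make_honeytoken(prefix: str, length: int, rng: random.Random) -> str:
    """Random Luhn-valid PAN of 13..19 digits that starts with prefix."""
    if not 13 <= length <= 19:
        raise ValueError("PAN length must be 13-19 digits")
    body = prefix + "".join(rng.choice("0123456789")
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)

def seeded_tokens(seed: int, n: int = 3) -> list:
    """Reproducible honeytoken set for one honeypot deployment (assumed prefix 5)."""
    rng = random.Random(seed)
    return [make_honeytoken("5", 16, rng) for _ in range(n)]

def track1(pan: str, name: str, exp_yymm: str, service_code: str = "101") -> str:
    """Track 1 layout: format code B, fields separated by the ^ delimiter."""
    return f"%B{pan}^{name}^{exp_yymm}{service_code}?"

def track2(pan: str, exp_yymm: str, service_code: str = "101") -> str:
    """Track 2 layout: PAN and expiry separated by =."""
    return f";{pan}={exp_yymm}{service_code}?"

def find_bites(dump_lines, honeytokens) -> list:
    """PANs (first pipe-delimited field) in dump_lines that we seeded ourselves."""
    seeded = set(honeytokens)
    pans = [ln.split("|", 1)[0].strip() for ln in dump_lines]
    return [p for p in pans if p in seeded]

if __name__ == "__main__":
    tokens = seeded_tokens(2016)
    print(track1(tokens[0], "BLUE/CHARLES", "1905"), track2(tokens[0], "1905"))
    dump = [tokens[1] + "|0519|017|Constructed Name|Anytown|1 Main St|00000|XX|US",
            "4111111111111111|0521|123|Not Ours|Nowhere|2 Side St|00000|XX|US"]
    print("bites:", find_bites(dump, tokens))
```

Keep the seed and token list off the honeypot itself, so a compromise of the box does not reveal which numbers are canaries.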

Three Execution Locations

• Execute malware directly on POS system
• Execute malware directly on batch processor
• Hung off Internet and wait

Execution on PoS System


Any Bites?

5103997799204658|0519|0175|Charles Blue|Cupertino|5953 Countess Dr|95129|CA|US
5529876429582855|0919|058|Barbara Wafer|College Park|2087 Flanigan Oaks Drive|20741|MD|US
5111387990819704|0521|585|Laura D Griffin|Waco|3160 Hill Haven Drive|76706|TX|US
5446387373227851|0321|244|James Evans|Los Angeles|2564 Kerry Way|90017|CA|US


Possible Scenarios Regarding Seller

• May be running POS malware and selling harvested numbers
• May be purchasing fullz from malware administrator/author
• May be trading for fullz from malware administrator/author

Execution on Batch Processor System

Batch Processor Configuration

• Merchants store an entire day's authorized sales in a batch. At the end of the day, they send the batch via PSPs to acquirers in order to receive payment.
• Can be done remotely or locally on POS system
• For this exercise, used a different POS system
  – Portuguese language setting


Possible Scenarios Regarding Seller

• Malware Author/Seller are likely not the same
  – Malware appears tied to FighterPOS
  – Seller appears to be unrelated, other than Brazilian connection
• Could be working together?
• Could have traded credit card numbers on UG


Hanging Off the Internet

• Unfortunately, there wasn't much directly related to POS exploitation
  – Three logins with default Aloha username/password
• No PoS specific malware utilized
• Appears to be mostly skids
• Rest of the data was all garbage automated scans


So Who Cares?

• Most criminals don't pre-test before sale
• They may or may not be directly responsible for the sale and POS malware
• Correlation between POS actors and the sale of CC numbers
• Gather "intel" about actors/authors

[email protected]

@LOWCALSPAM