Point-of-sale crisis: Anatomy of a cyberattack
Federal law enforcement agencies are stepping up their outreach efforts to educate businesses about how to detect cyberattacks targeting point-of-sale systems, as office supply giant Staples Inc. confirmed Monday it is investigating an incident that may add the company to a growing list of retail chains that have suffered massive data breaches.
A group of special agents from the Secret Service and the FBI briefed industry representatives Monday during a special awareness event hosted by the Financial Services Roundtable in Washington, D.C. Agents presented a detailed explanation of the steps cybercriminals go through when they target a POS system and try to make off with thousands or even millions of credit card numbers.
The briefing came only hours before Staples confirmed for the first time publicly that it was investigating a potential data breach and had contacted law enforcement for help. If confirmed, the breach would add to an alarming escalation in the number of credit and debit cards that have been stolen from U.S.-based retailers during the past year.
But officials are emphasizing that the high-profile incidents involving some of the nation’s largest retail chains are not the only such crimes taking place. In fact, Ari Baranoff, the assistant special agent-in-charge of the Secret Service’s Criminal Investigative Division, said the Secret Service has responded to 350 network intrusions so far this year, and the majority of the incidents involved small and medium-sized businesses.
“We view those small and medium-size businesses as ground zero for a lot of the malware that is introduced into the wild,” Baranoff said. “Many of the actors that we look at on a daily and weekly basis have capabilities that far exceed the capabilities of most nation-states.”
The Syracuse connection
In July, several banking institutions notified the Secret Service that they had detected credit and debit card fraud trends that pointed to a small store in Syracuse, New York, as a so-called “common point of purchase” for stolen credit card data.
Two agents were dispatched to analyze the server that managed the store’s point-of-sale terminal, and they soon discovered malware on the system. The agents removed the malware from the store’s network and brought a sample back to Secret Service headquarters, where forensics experts were able to reverse engineer the code.
Analysis of the malware yielded what Baranoff called an “initial finding, that this malware had not been seen yet by traditional anti-virus companies.” The Secret Service then issued an advisory to industry, leading network security specialists at United Parcel Service Inc. to discover the malware on UPS’ network. It had gone undetected for six months.
“They were able to contain the issue to just 1 percent of their stores, just under 50 stores out of 5,000 in 25 states,” Baranoff said.
Anatomy of a hack
The most sophisticated cybercriminals are difficult to detect, Secret Service Special Agent Katherine Pierce said. “They do their homework. Their goal is financial gain. This is their job, this is their livelihood,” she said.
But there is a process that most attackers generally follow, and understanding that process can help businesses know what to look for on their networks. According to Pierce, the six steps in the attack process are reconnaissance, initial compromise, establishing a foothold, escalating privileges, exfiltrating data and maintaining presence.
Once an attacker has conducted a thorough reconnaissance and gained initial entry into your network, one of the first things a cybercriminal will attempt to do is escalate their privileges on the network, according to FBI Supervisory Special Agent Jason Truppi.
“This is where the rubber meets the road. Any hacker can get in your front door … but to really escalate privileges and start moving laterally takes a different level of skill,” Truppi said. And this is also an opportunity for the defender to catch the attacker in the act. Not only can this process take a long time, but “depending on the skill set, it may be very loud, it may be very noisy,” he said.
“You’re going to see internal scanning, internal access to authentication servers, password dumping utilities are going to be sitting on internally compromised hosts [and] brute force attacks on servers,” he said. Victims may also see typical recon tools, such as nmap and ping requests, as well as Mimikatz — a tool that dumps plain text passwords out of memory.
To help defend against attacks at this stage, Truppi suggests companies deploy host-based intrusion detection systems, use strong domain passwords and limit the use of service accounts that have administrative privileges.
“Limit local admin access,” he said. “It’s the basic hygiene of any network. This is the No. 1 killer.”
There are generally two phases to the actual exfiltration of credit card data from a victim’s network and both are more or less impossible to defend against, according to Truppi. This is the stage of the attack you don’t want to find yourself defending against, he said.
The first phase involves staging the data for removal. Since cybercriminals are there to steal as many card numbers as possible in as few steps as possible, they will need to compress the data to get it off the network.
The second phase involves placing the compressed data file on a server where it can be masked. “They need to move it to a higher volume server to mask the data so you don’t see it,” he said, referring to the process of hiding the compressed file in a data stream where it won’t look out of place.
“Look for things like FTP, believe it or not,” Truppi said. Other tools used include Secure FTP, SSH, the Plink command-line utility for Windows and web drop boxes, since most companies aren’t defending against the use of drop boxes.
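As an added illustration (not part of the article or any agency tool), the following detector applies three of the indicators Truppi describes, internal scanning, brute-force attempts against an authentication server, and FTP/SSH egress from the POS segment, to constructed connection-log lines. The log layout, IP ranges, server address and thresholds are assumptions chosen for the demo.

```python
# Added example, not from the article: flag lateral-movement and
# exfiltration indicators in a constructed connection log.
from collections import defaultdict

# Constructed sample log, one connection per line: "src dst port outcome".
SAMPLE_LOG = """\
10.1.1.7 10.1.1.20 445 ok
10.1.1.7 10.1.1.21 445 ok
10.1.1.7 10.1.1.22 445 ok
10.1.1.7 10.1.1.23 445 ok
10.1.1.7 10.1.1.24 445 ok
10.1.1.7 10.1.1.25 445 ok
10.1.1.7 10.1.1.5 389 fail
10.1.1.7 10.1.1.5 389 fail
10.1.1.7 10.1.1.5 389 fail
10.1.1.7 10.1.1.5 389 fail
10.1.1.7 10.1.1.5 389 fail
10.1.1.7 10.1.1.5 389 ok
10.1.2.30 203.0.113.9 21 ok
10.1.1.8 10.1.1.5 389 ok
"""

POS_SEGMENT = "10.1.2."          # assumed POS VLAN prefix
AUTH_SERVER = "10.1.1.5"         # assumed domain controller address
EXFIL_PORTS = {21, 22}           # FTP and SSH/SFTP, from Truppi's list
SCAN_HOSTS, BRUTE_FAILS = 5, 5   # demo thresholds, tune per environment

def parse(log):
    """Yield (src, dst, port, outcome) tuples from the log text."""
    for line in log.splitlines():
        src, dst, port, outcome = line.split()
        yield src, dst, int(port), outcome

def detect(log):
    """Return a sorted list of (rule, source_host) findings."""
    dsts = defaultdict(set)      # src -> distinct internal hosts contacted
    fails = defaultdict(int)     # src -> failed attempts at the auth server
    findings = set()
    for src, dst, port, outcome in parse(log):
        internal_dst = dst.startswith("10.")
        if internal_dst:
            dsts[src].add(dst)
        if dst == AUTH_SERVER and outcome == "fail":
            fails[src] += 1
        # POS hosts should never push data out over FTP/SSH to the Internet.
        if src.startswith(POS_SEGMENT) and not internal_dst and port in EXFIL_PORTS:
            findings.add(("pos_egress", src))
    findings |= {("internal_scan", s) for s, d in dsts.items() if len(d) >= SCAN_HOSTS}
    findings |= {("auth_brute_force", s) for s, n in fails.items() if n >= BRUTE_FAILS}
    return sorted(findings)
```

Running `detect(SAMPLE_LOG)` flags 10.1.1.7 for both internal scanning and brute forcing, and 10.1.2.30 for FTP egress from the POS segment.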
The POS connection
Almost every POS system compromise comes to the attention of the Secret Service because one or more banks notice an uptick in fraudulent activity on cards that were all used at the same retail location. That’s exactly how Secret Service Special Agent Matt O’Neill busted a Romanian cybercrime ring that compromised the POS systems used by 150 Subway restaurants and 50 other retailers around the country between 2008 and 2011.
“The bad actors were simply port scanning for folks who had remote desktop applications on their point-of-sale terminals,” O’Neill said. Then they would use known generic passwords or passwords that they knew POS manufacturers used as default passwords. From there, they would crack the administrator password and install a keystroke logger on the merchant POS system.
O’Neill managed to find where the hackers stored all of their cracking tools, and, for five months, he was able to identify new breaches as they occurred and notify the victims in near real-time so they could remove the malware.
The two main suspects were logging into a compromised system owned by a trucking company in Pennsylvania, where they would engage in chat sessions and email malware.
“One of the suspects liked gambling and the ladies,” O’Neill said. So the Secret Service created an online persona of a young woman working at a hotel casino and worked with the hotel chain to actually list the undercover agent on the hotel employee directory.
“Over the period of about six months, I developed what I’ll call a quasi-romantic relationship with him,” O’Neill said. The operation succeeded in luring the suspect to Boston, where he made a full confession upon arrest. The ringleader of the group was also identified and was extradited to the U.S., where he was sentenced to 15 years in prison.
“These guys were gaining access into approximately 100 to 200 victim locations every single day,” O’Neill said. “The bad guys that I’ve spoken to have all said ‘we could have tried to obtain the payment card data from a variety of locations, but quite frankly the easiest is through the merchant.’”