This is page 2 of:
Massive Subway Cyber Attack Ripped Into Weak Remote Access, Unencrypted Card Swipes
An attorney for defendant Dolan, Michael C. Shklar, said his client was a minor player. “Dolan is a guy who works in a tire factory. He’s selling the stuff (the captured names and numbers) for next to nothing,” Shklar said. “A thousand bucks for zillions of names.”
Shklar denied that a lot of skill was needed in the attack. “Apparently, if you can figure out which specific port is used, you’re in,” he said.
In a court filing, Shklar said the complexity of the case—if not the attack—will take a lot of time to figure out. “The Government informed counsel that this case is quite complex. The discovery material in this case consists of at least 5,000 pages (much of it in the form of computer data) and relevant information may only be available in Romania,” he said in the filing.
The indictment lays out the government’s version of the attack: “It was part of the conspiracy that members remotely scanned the Internet to identify vulnerable POS systems with certain remote desktop software applications (“RDAs”) installed on them, and using these RDAs, the conspirators logged onto the targeted POS systems over the Internet, either by guessing the passwords or using password-cracking software programs. It was further part of the conspiracy that members remotely and surreptitiously installed software programs called ‘keystroke loggers’ (or ‘sniffers’) onto the POS systems, which would record and store data that was keyed into or swiped through the merchants’ POS systems, including customers’ credit-card data.”
Sources involved in the probe said the attack never touched—nor did it try to touch—data files that already existed on servers or the POS system; it just grabbed the new data as it flowed in. This is a key difference from many of the earlier cyber attacks, especially those from the Gonzalez gang. That also explains why this three-year attack accumulated fewer card numbers than the estimated 200 million taken by Gonzalez’s crew.
The indictment said the accused “often installed a back door Trojan into the POS systems that would allow the conspirators to access the compromised POS systems in the future in order to install or re-install additional software programs (collectively referred to as ‘hacker tools’) that facilitated their POS-hacking scheme. The conspirators repeatedly downloaded a hacker tool that is designed to evade detection, ‘xp.exe,’ from the ‘kitsite.info dump site’ onto victims’ POS terminals. These dump sites included the following: ftp.shopings.info, ftp.cindarella.info, ftp.kitsite.info, ftp.tushtime.info, and ftp.canadasite.info.”
The indictment mentioned one of the dump sites, but it’s hard to mention it without triggering SPAM obscenity warnings. To indicate the sense of humor of the accused, the FTP site was called Just (naughty word for amorous activity) It.
The indictment added that the dump sites “also included compromised Internet-connected computers belonging to unsuspecting small business owners or individuals.” The group was also accused of creating bogus payment cards with the stolen data, which they they supposedly used with various retailers “primarily located throughout Europe.”
The group did standard mechanisms to try and cover their tracks and made frequent use of proxy systems to try and disguise their IP paths and used the cyberthief-friendly chat “using IM and multiple, frequently changing screen names and E-mail addresses and untraceable disposable accounts.”
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
