Tuesday, November 10, 2009

Four Indicted in $9.5 Million Bank Card Attack

Wired's Threat Level Blog provides an in-depth look at a recent attack on RBS WorldPay. This story provides a good case study on how sophisticated cyber criminals conduct an attack. From Threat Level ...

Initial reports painted the intrusion as a limited hack, due to the number of cards compromised. But the 16-count indictment (.pdf) charges that the four “compromised the data encryption” that RBS WorldPay used on payroll debit cards to raise the amount of funds available on the cards as well as withdrawal limits. Payroll debit cards are used by employers to pay employees instead of checks. In some cases the hackers raised the limits to $500,000.

According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleschuk allegedly developed the method for reverse-engineering the encrypted PINs.

Once the hackers raised the account limits, they provided an army of cashers with 44 cards embedded with the account details for a coordinated, simultaneous attack on ATMs around the world. On November 8, the cashers were instructed to begin siphoning money, and they hit 2,000 ATMs in less than 12 hours, netting about $9.5 million.

6 comments:

Tristan said...

Here's another incident of eastern-europeans stealing money, and using them in re-shipping scams;

here


We may have mentioned this in class a few weeks back, but the hackers steal credit information, buy goods online in the US, and then have them mailed overseas (in this case to Russia and Belarus) where they can re-sell them for a higher price.

aec38 said...

Comcast Domain Hijacked

After reading this post, I was reminded of another article concerning legal action against hackers. I recently came across a current court case that involves domestic hackers that took over control of Comcast’s domain names and eventually did a redirect to servers that they controlled. The most interesting thing about the whole case is how they gained control of the servers.

Initially, I thought that there must have been many technical exploits involved in hijacking such a high profile domain such as Comcast. However, according to one report (Feds Charge 3 With Comcast.net Hijacking) “ the hackers got control of the domain with two phone calls, and an e-mail sent to the company’s domain registrar, Network Solutions, from a hacked Comcast e-mail account.” This surprised me because it seems like something that an average hacker could do. Moreover, it is interesting because it shows that from a network security perspective you have to also consider more conventional methods of attack, such as telephone calls.

Personally, I have done something similar. My boss told me to deal with certain things with the business account. Initially, the Verizon customer service agent told me that she could only speak with the ‘account holder’ or another ‘authorized person’. I told my boss, and he told me to tell them that I was him. So, I called back and told them that I was him. After that all they asked for was the account number, which I had from the bill, and I was able to make account changes and reset passwords for accessibility. Of course, I had no malicious intent, and only acted on behalf of my boss, however it shows how easily I was able to ‘hack’ (in a sense) a particular account without any technical exploits whatsoever.

Interestingly enough, the hijackers of the Comcast domain claim to have had no malicious intent either. They simply were fed up with bad service from Comcast. Some press coverage has speculated that it was done in response to the bandwidth throttling that disrupted bittorrent traffic for Comcast subscribers. Others say it was for fame. In the hijackers defense, we can see that the intent was not malicious because they called the original Comcast technical contact (probably some sort of network administrator) at his home. Only after he scoffed at them and hung up did they move to a more drastic maneuver – redirection of Comcast traffic to servers under the hackers control.

After doing this, the 19 and 20 year old hackers, who only started hacking after being expelled from high school, may face up to a 15-20 year prison sentence. The hackers “could be charged with unauthorized access to a protected computer under the Computer Fraud and Abuse act, and, conceivably, with use of stolen access codes to obtain something of value worth $1,000 or more — in this case, the Comcast.net domain. That would carry a maximum 10-year or 15-year prison term.” (“Feds Charge 3 With Comcast.net Hijacking”) I had no idea that the punishment for such a crime was so high. Rapists and some murderers face similar sentences and considering the difference between the crimes, it would seem to me that the hackers should be facing less time. However, one must also remember that just because these particular hackers were not malicious, what they did could have caused major harm IF the mal intent had been there. Even with the simple redirect and loss of control of their webmail service for 5 hours on a Thursday from 12-5AM Comcast claims to have allegedly over $128,000.

Sources:

http://www.wired.com/threatlevel/2009/11/comcast-hack/

http://www.wired.com/threatlevel/2008/05/hunted-by-feds/

http://www.wired.com/threatlevel/2008/05/comcast-hijacke/comment-page-1/

Marshall said...

I think that this article is extremely eye opening, in that it provides a bit of insight as to just how sophisticated hackers and their schemes are becoming. I think that a large percentage of the general public still thinks of hackers as a bunch of high school kids in their parents basements taking down small websites or tagging them with their names etc. However, realistically hacking is becoming increasingly sophisticated and the plans that these hackers are carrying out are becoming increasingly intricate. In this case, the hackers went about their scheme in an almost militaristic manner, conducting reconnaissance and exploiting the weaknesses that they found. They were able to round up a large group of people to simultaneously exploit the weakness, and ended up stealing almost $10 million. For these people hacking is more than just a hobby or a way to gain recognition in the underground circles of hackers, it is an occupation. An occupation that is costing people across the world millions of dollars per day. All of this goes to show the increasing level of sophistication and intricacy of hacking schemes and the hackers that create and carry them out. This type of cyber crime is an increasingly widespread epidemic that is becoming harder and harder to protect against.

Skyler said...

I think this week's posting is so crucial in the discussion of website testing prior to its release. In class, we discussed these convention-type set ups, where computer programmers and those who specialize in protect websites and data storage locations from attack all come together and find new ways to compile strong, resistant systems. I think this article shows us how much we really need to place a greater emphasis on these "meetings of the minds," so to speak, and create websites with firmer protections. As someone who has had their debit card replaced three times in the past 1.5 years because of "possible system breaches," it can be both infuriating and disheartening to know that someone can use a tactic -- be it of the highest level of sophistication or just someone making a few phone calls -- that allows them to access such personal information.

I just fear that ok: so legislation can't keep up with threats, hackers are getting more and more clever (or not at all, in the case of people who are able to gain entry with just a few basic steps), and systems aren't keeping up to combat potential threats.. what do we do? We're at such a pivotal point in the development of technology and I fear we aren't forcing those in power to do enough to protect us all. I hope that soon (and very soon) someone will, in essence, rise up and see that we need more people working to create strong and enduring systems that maximize profits and productivity while keeping our information safe.

Justin McCarthy said...

The most compelling and troubling aspect of this article for me lies in the fact that this was a joint effort that linked multiple hackers seeking to achieve one objective. One tends to think of computer attacks as independent and isolated endeavors, mainly because of geographic constraints and the decentralized nature of hacking in general, as an inherently illegal activity. The fact that there were mutliple constituents playing equally important roles in this particular attack evokes a fear of the kind of networking and cooperation that could be of serious detriment to technologically vulnerable companies and organizations. Division of labor in hacking could cause a host of problems to plague law enforcement and confound attribution. An incredibly complex attack such as this could not have been carried out through one actor: each member of the team offered something diffferent to the table and diffused the culpability across 4 different parties. As networking continues to develop and hackers can more easily develop relationships, their attacks will necessarily become more complex and involve an increasing number of actors that will need to be held accountable for the crime.

David Noble said...

A similar thing happened on the Boston subway system when a few MIT students altered the RFID codes on their cards to make them appear, to the scanner, to have $653 dollars on them. Given my disdain for having to pay to take the metro each morning to my internship, I support their efforts.

http://www.gadling.com/2008/08/13/hack-your-local-subway/

It seems that anytime there is a disconnect between the physical card being presented and the data being processed, there is an opportunity for abuse. One could imagine a situation in which a credit card was programmed with different data on the magnetic strip than the name that appears on the outside of the card being presented to the cashier. As long as the cashier didn’t compare the customer's driver’s license to the receipt, as opposed to the name on the outside of the card, a criminal could easily get away with a series of such purchases.