The Centralization of Fraud

Everyone is aware of the dangers of credit/debit cards, right? You get infected with banking malware or you leave your wallet at the bar, and the next thing you know there are charges on your bank statement for things you don't remember buying. There was once a time when that was all you had to worry about, but things are changing. In movies a hacker just sits at a computer emptying bank accounts and getting infinitely richer; in reality it doesn't work like that. Card fraud is a risky and complicated business: it's near impossible to systematically empty bank accounts or max out credit cards, and for this reason most botnets that collect card details don't actually use them.

Fraudsters are always looking for cards to use and botmasters generally just want money, so botnets that harvest card details sell them in bulk to marketplaces (known as card shops), which in turn sell them on to fraudsters. Because using a card is risky and difficult, fraudsters aren't willing to pay much per card, which means neither are the card shops, so botmasters are always looking to harvest as many cards as possible while spending as little as possible. As you can imagine, running a large botnet isn't cheap, and 100,000 bots don't yield 100,000 cards; the real number is likely much lower. There's another problem too: nobody wants to buy the same cards twice, so botmasters constantly need to infect new computers. There has to be a cheaper way.

ATM Skimmers

The obvious solution is to target devices that process many cards rather than home computers, which are usually tied to a single user. This has made ATMs a target.

An ATM skimmer is a device fitted to the face of an ATM and designed to blend in. A standard skimmer kit consists of a card reader plus either a camera or a fake keypad. The camera is generally found on older skimmers and records users typing their PIN. Newer skimmers use a fake keypad which fits over the original: when someone presses a key on the fake keypad it presses the real key underneath, while logging the PIN. (The PIN is only needed if the fraudsters want to withdraw cash; card details alone are enough to make purchases.) The card reader looks like a standard ATM card slot and fits over the real one; as the card passes through, it reads and stores the magnetic stripe data.

For fraudsters, ATM skimmers are a great way to capture hundreds of cards from a single machine, but there are drawbacks. Skimmers either store the data internally or send it over Bluetooth to a nearby device, so either way the fraudsters are likely to revisit the scene of the crime to retrieve the skimmer or download the data. If a skimmer is identified, police can simply monitor the ATM and the surrounding area for the crooks returning to collect it. People involved in ATM skimming are far more likely to get caught than people running botnets (which may be why skimmers are less common), but I'd still give the card slot a good tug before putting your card into an ATM.

POS Trojans

POS (Point of Sale) Trojans are another way fraudsters can target card-reading devices, without some of the risks associated with ATM skimmers. It's quite possible that POS Trojans will be one of the biggest malware threats of the next few years.

POS systems have all the features malware developers love: they run Windows (usually XP or older), rarely have antivirus, and are connected to the internet. The only problem is that they all run different POS software. Developers eventually realized that instead of targeting each POS application the way banking bots target browsers, they could scan RAM for the data itself. The malware scans the memory of every process for byte patterns matching track 1/track 2 data (the format in which card magnetic stripes store information), and when a match is found the data is uploaded to the C&C server. Dexter and Alina are public examples of such malware, which is also known as RAM scrapers.

Fraudsters often install or enable remote access programs such as VNC or Remote Desktop on the POS systems, allowing them to update the malware without the risk of physically returning to the system. If you're a customer, it's impossible to know whether a POS system is infected without using it (insisting that the cashier give you access to the system will likely earn you a mandatory all-expenses-paid vacation in a 6×8 cell). Even if you do use an infected system, it could be days, weeks or months before the card is used by a fraudster, which makes tracking down infected systems all the more difficult. The only sure way to avoid being caught out by an infected POS system is to pay in cash; alternatively, use a credit card rather than a debit card, as it's easier to get your money refunded in the case of fraud (or so I'm told). It is believed that point of sale malware was responsible for the 2013 Target breach.
