Point of Sale Threat Actor Attribution Through POS Honeypots · PDF filePoint of Sale Threat...
40
Point of Sale Threat Actor Attribution Through POS Honeypots Kyle Wilhoit Sr. Threat Researcher Trend Micro
Transcript of Point of Sale Threat Actor Attribution Through POS Honeypots · PDF filePoint of Sale Threat...
PointofSaleThreatActorAttributionThroughPOSHoneypots
KyleWilhoit
Sr.ThreatResearcher
TrendMicro
Sensitive&Confidential,TrendMicro2016 2
• Spokeatmanyconferencesworldwide,includingBlackhat• Specialize inthreat intelligence,offensivesecurity,andICS• Master’s inComputerScience• Bachelor’s inComputerScience
@lowcalspam
#whoami
Objective…WHOISBEHINDPOS SYSTEMATTACKS
Sensitive&Confidential,TrendMicro2015 3
Sensitive&Confidential,TrendMicro2015 4
Merchant. Goods and services provider that accepts credit card
payments
Sensitive&Confidential,TrendMicro2015 5
Acquiring Bank: Bank that processes and settles a merchant’s
credit card transactions with an issuer
Sensitive&Confidential,TrendMicro2015 6
Issuing Bank: Bank or financial institution that issues credit cards to
consumers
Sensitive&Confidential,TrendMicro2015 7
Payment Services Provider: Third-party service provider that handles payment transactions between merchant’s bank and
acquirers bank
Sensitive&Confidential,TrendMicro2015 8
“Regular”MerchantTransactions
Sensitive&Confidential,TrendMicro2016 9
LargeMerchantTransactions
Sensitive&Confidential,TrendMicro2016 10
WhyAttackPOSSystems?•Oldoperatingsystems
•Multiplecomponents(Network,bot,killswitch)
•Multipleexfil methodssupported
•Generallyunpatched
Sensitive&Confidential,TrendMicro2016 11
POSRAMScraping- CreditCardData
Sensitive&Confidential,TrendMicro2016 12
POSRAMScraping- QuickOverview
Sensitive&Confidential,TrendMicro2016 13
POSRAMScrapingMalware- AFamilyAffair
Sensitive&Confidential,TrendMicro2015 14
POSHoneypotsforIntel
•Totrackactormovement,honeypotwascreated
•Fakecreditcardinformationwasused
•Fakenames/personas
•Fakecompanies
•“Embedded”documents
•ActingasaMerchant
Sensitive&Confidential,TrendMicro2015 15
POSHoneypotsforIntel
Sensitive&Confidential,TrendMicro2015 16
Hardware/Software
•RadiantPOS1220C–MicrosoftEmbeddedXP–MicrosoftEmbeddedPOSReady7–WindowsEmbeddedCompact2013–AlohaPOS
•Additionalvirtualizedenvironments
•Fakecreditcardgenerator
Sensitive&Confidential,TrendMicro2015 17
LegalDisclaimer!
18
FakeCompany
•MLOTCoffeeCompany
•Createdwebsitetoenticeattackers–PrimarilyforusewhenfacingPOSsystemonInternet
Sensitive&Confidential,TrendMicro2015 19
Architecture
Sensitive&Confidential,TrendMicro2015 20
HoneypotConsiderations
•Username:Password–Aloha:Password
•Keptdefaultinstall–DefaultVNCcredentials–UnencryptedVNCconnection–Etc.
•CustomizedtocomefromMLOTCoffeeCompany
Sensitive&Confidential,TrendMicro2015 21
FakeCreditCardGenerator•Pythonscripttogeneratefakecreditnumbersanddumpintomemory,generatingfaketransactions
•Multipleoutputmethodstotargetmanyfamilies– Luhn algorithm–Track1/Track2dumps–Creditcardnumbersbetween13and19digits– Trackdelimiter(^)
•RandomlygeneratedtotrackonUG
Sensitive&Confidential,TrendMicro2015 22
ThreeExecutionLocations
•ExecutemalwaredirectlyonPOSsystem
•Executemalwaredirectlyonbatchprocessor
•HungoffInternetandwait
Sensitive&Confidential,TrendMicro2015 23
ExecutiononPoS System
Sensitive&Confidential,TrendMicro2015 24
Sensitive&Confidential,TrendMicro2015 25
Sensitive&Confidential,TrendMicro2015 26
AnyBites?
Sensitive&Confidential,TrendMicro2015 27
5103997799204658|0519|0175|CharlesBlue|Cupertino|5953CountessDr|95129|CA|US
5529876429582855|0919|058|BarbaraWafer|CollegePark|2087FlaniganOaksDrive|20741|MD|US
5111387990819704|0521|585|LauraDGriffin |Waco |3160HillHaven Drive |76706|TX|US
5446387373227851|0321|244|JamesEvans|LosAngeles|2564KerryWay|90017|CA|US
Sensitive&Confidential,TrendMicro2015 28
PossibleScenariosRegardingSeller
•MayberunningPOSmalwareandsellingharvestednumbers
•Maybepurchasingfullz frommalwareadministrator/author
•Maybetradingforfullz frommalwareadministrator/author
Sensitive&Confidential,TrendMicro2015 29
ExecutiononBatchProcessorSystem
Sensitive&Confidential,TrendMicro2015 30
BatchProcessorConfiguration
•Merchantsstoreanentireday’sauthorizedsalesinabatch.Attheendoftheday,theysendthebatchviaPSPstoacquirersinordertoreceivepayment.
•CanbedoneremotelyorlocallyonPOSsystem
•Forcaseofexercise,usedadifferentPOSsystem–Portugueselanguagesetting
Sensitive&Confidential,TrendMicro2015 31
Sensitive&Confidential,TrendMicro2015 32
Sensitive&Confidential,TrendMicro2015 33
Sensitive&Confidential,TrendMicro2015 34
PossibleScenariosRegardingSeller
•MalwareAuthor/Sellerarelikelynotthesame–MalwareappearstiedtoFighterPOS– Sellerappearstobeunrelated,otherthanBrazilianconnetion
•Couldbeworkingtogether?
•CouldhavetradedcreditcardnumbersonUG
Sensitive&Confidential,TrendMicro2015 35
Sensitive&Confidential,TrendMicro2015 36
HangingOfftheInternet
•Unfortunately,therewasn’tmuchdirectlyrelatedtoPOSexploitation–ThreeloginswithdefaultAlohausername/password
•NoPoS specificmalwareutilized
•Appearstobemostlyskids
•Restofthedatawasallgarbageautomatedscans
Sensitive&Confidential,TrendMicro2015 37
Sensitive&Confidential,TrendMicro2015 38
SoWhoCares?
•Mostcriminalsdon’tpre-testbeforesale
•TheymayormaynotbedirectlyresponsibleforthesaleandPOSmalware
•CorrelationbetweenPOSactorsandthesaleofCCnumbers
•Gather“intel”aboutactors/authors
Sensitive&Confidential,TrendMicro2015 39
![Deception-Enhanced Threat Sensing for Resilient Intrusion ...hamlen/araujo19chapter.pdficated honeypots to collect attack-only data streams [21]. Such approaches unfortunately have](https://static.fdocuments.net/doc/165x107/5f7b90db40240015d24314ff/deception-enhanced-threat-sensing-for-resilient-intrusion-hamlenaraujo19chapterpdf.jpg)
