Passwords and Credit card details – Shooting Fish in a Barrel

Introduction

Imagine if all the banks in the UK decided to send out new credit cards to all their customers, but they were all lost in the post, and all the details ended up for sale on a Web site on the Internet. Well, the recently discovered Home Depot hack had a similar scope, where at least 56 million credit and debit card details could have been compromised from all of its 2,200 stores in the United States, and possibly 287 stores in Canada, Guam, Mexico, and Puerto Rico. It is thought that the US and Canadian stores were the most at risk.

The risks around intruders stealing passwords and credit cards show no signs of abating, with the new announcement that Home Depot point-of-sale terminals had a malware agent installed on them, which could have resulted in over 56 million credit and debit card details being stolen. The Home Depot breach looks to have exceeded the recent Target hack, which exposed an estimated 40 million cards. Overall the main problem seems to be that companies have set up a whole lot of back-end defences, but have forgotten that once the intruder has a touch-point in the network, they can often go undetected.

Along with the risks around point-of-sale devices, the risks around XSS (Cross-site Scripting), caused by sloppy coding, also show no signs of abating, and the recent e-Bay hack and the 1.2 billion usernames and passwords stolen show that there are significant risks in the way that e-Commerce infrastructures have been created.

e-Bay hack

e-Bay was recently exposed as having a problem where customers are tricked into handing over their personal data. With this, a non-malicious account is hijacked and used to set up a fake listing, each of which typically had 100% positive feedback and many associated sales. Owners of the compromised account typically find themselves locked out of their account, and later billed for selling fees. This problem has existed since February 2014, and many experts reckon that it still exists on the site.

The compromised account then creates a link to a fake e-Bay page, which has code injected into the e-Bay page, and where the buyer is asked for their login and bank account details. As far as the buyer can see, it is coming from a valid e-Bay page, and is just asking for their details to confirm the purchase. Unfortunately it uses JavaScript and Flash injection to fake the site, and the data entered is sent to the intruder. As far as the buyer is concerned, everything is coming from e-Bay. This is all done through the main “shooting fish in a barrel” method of cross-site scripting (XSS).

An example of XSS is given in the following demonstration:
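As an added illustration (this is not the post's own demonstration, and the function names and listing markup are assumptions for the example), the snippet below shows the "developer does not check user input" pattern the post blames for the e-Bay problem, beside the escaped version that renders a seller's text as text rather than as HTML, plus a simple check a reviewer can run over generated markup.

```javascript
// Added example, not eBay's code: a listing title supplied by a seller is
// concatenated into the page that every buyer sees.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the seller-supplied title goes straight into the markup, so
// whatever the seller typed becomes part of the page for every buyer.
function buildListingUnsafe(title) {
  return '<div class="listing"><h2>' + title + "</h2></div>";
}

// Hardened: same markup, but the title is escaped first, so it is shown as
// literal text and never interpreted as a tag or script.
function buildListingSafe(title) {
  return '<div class="listing"><h2>' + escapeHtml(title) + "</h2></div>";
}

// Constructed seller input for the demonstration: a title carrying a script tag.
const CONSTRUCTED_TITLE = '<script>alert("xss")</script> Bargain TV';

// Review check over generated markup: the listing template contains no
// <script> tag, so any such tag in the output came from user input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run both paths over the constructed input and report what the check sees.
function demo() {
  const unsafe = buildListingUnsafe(CONSTRUCTED_TITLE);
  const safe = buildListingSafe(CONSTRUCTED_TITLE);
  return {
    unsafeHasScript: containsScriptTag(unsafe), // true
    safeHasScript: containsScriptTag(safe),     // false
    safe,
  };
}
```

The escaped output still contains the seller's words, just as visible characters; the same escaping must be applied at every point where untrusted text meets HTML, not only on the title.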

Home Depot exploit

For the Home Depot exploit, intruders installed malware at the point-of-sale, similar to the recent Target hack, in order to collect customer data from the cash registers. It is likely that this ran from April 2014 to the beginning of September 2014, before it was finally detected. The company has just announced that it has now made sure the malware is removed, but this is no defence for the customers who have already had their credit card details compromised.

The lesson learnt must be to try to reduce the time it takes to detect a threat, and to respond to it quickly. As the back-end financial services become more secure, hackers will focus more on the point-of-sale, and thus retailers such as Home Depot need to spend as much effort on detecting exploits as they do on data protection.

Overall it is expected that the breach will cost Home Depot at least $62 million, showing that money spent on detection and prevention in security is often a good investment. A brand can also be damaged by a loss of respect from customers. The hack against the Sony PlayStation Network, for example, is thought to have cost Sony $170 million in direct costs, and led to major damage to their brand.

History repeats with a new Target

The Home Depot hack is likely to be greater than the preceding Target hack, which resulted in a large number of credit and debit card details appearing on the credit card clearing house site rescator.cc. From the Target attack, there have been batches labelled “American Sanctions” and “European Sanctions”, and some speculate that it was retribution for penalties imposed by the West on Russia for their actions in Ukraine.

Stolen card data on Rescator.cc (Figure 1) can command prices of up to $100 per card, and it has become one of the largest clearinghouses for breaches, with many hundreds of thousands of cards being sold in a single batch. It can be seen from the meta details of the site that they buy and sell credit card details, including CVV details:

<title>Rescator.CC - Buy Dumps Shop & Credit Cards with cvv2</title>
<meta name="keywords" content="dumps shop, credit cards cvv, credit cards cvv2, 
dumps, dumps with pin, cvv2, buy dumps, buy credit cards, buy creditcard, buy cvv, 
buy cvvs, d+p, sell dumps, buy dumps, buy cvv, buy cvv2, sell dumps, sell track2, 
buy track2, buy cards, cheap cvv, buy cvv, sell cvv, fresh cvv, good cvv, buy 
good cvv, sell good cvv, best cvv, check cvv, cvv2 dump, buy cvv online, sell cc, 
dump shop" />
<meta name="description" content="Buy Dumps Shop of Superior Quality. 
Track1 & Track 2. Valid rate of %90. Feedbacks on many forums.">
<script type="text/javascript">

Figure 1: Rescator.cc

If we look at the information graphic from Information is Beautiful (Figure 2) on the World’s Biggest Data Breaches, we can see that the Home Depot hack is not as large as the Adobe hack, but in scope it could be greater, as the Adobe hack just targeted usernames and passwords (150 million of them), whereas every one of the credit card details stolen from Home Depot is at risk of major financial fraud. The Target one (in Figure 2) shows 70 million suspected data breaches. For the Adobe hack, the Top 5 passwords used by users were: “123456“, “123456789”, “12345678”, “password” and “adobe123”, which are about as easy to crack as having no password at all – truly shooting fish in a barrel. From the graphic we can also see the Sony hack, with 77 million records compromised in 2010.

Recently, too, it was detected that a Russian gang had stolen over 1.2 billion user names and passwords, purely by using compromised bot agents to exploit poorly written code on Web sites, using XSS (Cross-site Scripting) vulnerabilities.

Figure 2: World’s Biggest Data Breaches (brown represents an interesting story) Ref: [here]

Those who might be affected by the hack can check at https://homedepot.allclearid.com/, where Home Depot has set up a collaboration with AllClear ID, who will allocate a dedicated investigator to recover any financial losses caused by the hack. It covers one year from the date of the announcement (8 Sept 2014), with a strong central message about the breach on their site (Figure 3).

Figure 3: Home Depot site showing payment breach message

Conclusions

The “shooting fish in a barrel” analogy seems flippant, but it can be seen that as the defences have toughened up on the back-end, the real risk is now at the front-end, which is exposed to a range of environments. If each credit card detail is worth up to $100, there is a lucrative market out there for finding new ways to shoot the fish.

While initially it was thought that the same malware had been used in the Home Depot hack as in the Target hack, it is now thought to be a completely new, and previously unseen, malware, showing that malware often transforms itself to overcome obstacles. With a considerable amount of money to be made from capturing credit card details, there can be a considerable investment in creating new types of malware, enough to fund a whole R&D department on the hacker’s side.

It’s amazing how quickly we have created our e-Commerce infrastructure, but we are all in danger of large-scale fraud, which damages both citizens and our economy, so we need to invest more in designing, implementing, protecting, monitoring and analysing our electronic infrastructures, as every electronic device can be exposed to threats.

In terms of the e-Bay hack, it is the same old story of sloppy code, where the developer does not validate user input, and where code is injected into a page to make it behave incorrectly.
