Target Breach perks underground activities of PIN decryption?
IntelCrawler on the trail of PIN decryption
Los Angeles, California - January 07, 2014
Target announced on Dec. 19 that it had become the victim of an attack that enabled hackers to steal 40 million credit and debit cards, as well as CVV codes and PIN data; the PIN data, however, was encrypted with 3DES, which is standard practice in the financial industry under PCI DSS compliance requirements.
"It seems the underground is in a race to try and decrypt the PINs before banks can re-issue new cards," states Dan Clements, President of Los Angeles based intelligence company IntelCrawler.
According to IntelCrawler's sources, there is an active group of Eastern European cybercriminals that specializes in attacks on merchants and Point-of-Sale terminals using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment and PIN block data, and many systems have had such data sniffed and grabbed in the past. The recent request by the underground to decrypt PIN data, see below, may be coincidental to the Target breach, or it may be some of the actual perpetrators floating the sample to see what resources and success the underground has had or could have, given the magnitude and value of the Target breach.
Just recently, several underground criminals have shown interest in decrypting 3DES blocks and in data intercepted from the serial COM port connected to POS terminals (serial settings 9600 7E1) and through man-in-the-middle attacks.
The first posts about the opportunity for such attacks appeared on underground forums in September 2011 and were actively discussed into 2012.
"Most of the underground chatter is among users who know how to sniff traffic but need technical help in addressing the decryption issue," comments Andrew Komarov, IntelCrawler CEO.
Experienced cybercriminals have noticed that many "encrypted networks" still allow some plaintext capture. But to handle the more sensitive encrypted data, some of the more professional hackers have set up an "investment fund" for building a 22-teraflop cluster for 3DES brute force, which could give them a much higher return on POS malware.
The leader of this group was actively developing special software for brute-forcing PIN-block decryption, working from sample sets of dump, PIN and hash (possibly from an HSM).
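To make concrete what the "3DES-encrypted PIN data" of the opening paragraph and the brute-force effort described just above actually involve, the following is an added example in Go; it is not IntelCrawler's code and not anything from the forum posts. It builds an ISO 9564 format-0 PIN block (the PIN field XORed with the rightmost twelve PAN digits), encrypts it with 2-key 3DES under a constructed demo key, recovers the PIN from the decrypted block while validating the field layout, and estimates the expected exhaustive-search time for a 112-bit key at the 22 teraflops quoted in the release, under the deliberately optimistic assumption that one floating-point operation equals one 3DES trial. The PIN, PAN and key are constructed values for the demo.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// panField returns the ISO 9564 format-0 PAN field: "0000" followed by the
// rightmost 12 PAN digits, excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// buildFormat0 builds the 8-byte clear format-0 PIN block: the PIN field
// ("0", length nibble, PIN digits, "F" padding) XORed with the PAN field.
// The PAN binding means the same PIN gives a different block on every card.
func buildFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	p, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	q, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// newTDES accepts a double-length (16-byte, used as K1|K2|K1) or
// triple-length (24-byte) key and returns a 3DES block cipher.
func newTDES(key []byte) (cipher.Block, error) {
	switch len(key) {
	case 16:
		key = append(append([]byte{}, key...), key[:8]...)
	case 24:
	default:
		return nil, errors.New("3DES key must be 16 or 24 bytes")
	}
	return des.NewTripleDESCipher(key)
}

// tdesBlock encrypts or decrypts exactly one 8-byte block (ECB, single block).
func tdesBlock(key, in []byte, decrypt bool) ([]byte, error) {
	if len(in) != 8 {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	c, err := newTDES(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

func encryptPINBlock(key, clear []byte) ([]byte, error) { return tdesBlock(key, clear, false) }
func decryptPINBlock(key, enc []byte) ([]byte, error)   { return tdesBlock(key, enc, true) }

// recoverPIN strips the PAN field from a clear format-0 block, validates the
// PIN field layout (format nibble, length, decimal digits, F padding) and
// returns the PIN. A wrong PAN yields garbage padding and is rejected.
func recoverPIN(clear []byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil || len(clear) != 8 {
		return "", errors.New("bad PAN or PIN block length")
	}
	field := make([]byte, 8)
	for i := range field {
		field[i] = clear[i] ^ q[i]
	}
	h := strings.ToUpper(hex.EncodeToString(field))
	n64, err := strconv.ParseInt(h[1:2], 16, 0)
	n := int(n64)
	if h[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", errors.New("not a valid format-0 PIN field")
	}
	pin, pad := h[2:2+n], h[2+n:]
	if strings.Trim(pad, "F") != "" || strings.Trim(pin, "0123456789") != "" {
		return "", errors.New("bad padding or non-decimal PIN digits")
	}
	return pin, nil
}

// bruteForceYears is the expected time to find a keyBits-bit key by exhaustive
// search at trialsPerSecond (half the key space on average).
func bruteForceYears(keyBits, trialsPerSecond float64) float64 {
	return math.Pow(2, keyBits-1) / trialsPerSecond / (365.25 * 86400)
}

func main() {
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed demo key
	clear, _ := buildFormat0("1234", "4111111111111111")            // constructed PIN and PAN
	enc, _ := encryptPINBlock(key, clear)
	dec, _ := decryptPINBlock(key, enc)
	pin, _ := recoverPIN(dec, "4111111111111111")
	fmt.Printf("clear %X  encrypted %X  recovered PIN %s\n", clear, enc, pin)
	fmt.Printf("2-key 3DES exhaustive search at 22 TFLOPS (1 op = 1 trial): %.1e years\n",
		bruteForceYears(112, 22e12))
}
```

In a real payment network the clear PIN block never leaves the PIN pad or the HSM; this code handles it only to show the construction. The point for defenders is twofold: the PAN binding means captured blocks cannot be compared across cards, and even at the cluster size quoted here the expected search time for a 112-bit key is on the order of 10^12 years, so the realistic risks lie in key management and in plaintext leaking elsewhere on the terminal path, not in the cipher.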
Around 2013 IntelCrawler detected several more concrete posts in which bad actors from Eastern Europe were trading dumps sniffed from hacked Point-of-Sale networks and offering samples on request.
Right after the Target breach was announced, in the beginning of January, personal messaging about 3DES appeared among serious members of some private forums. The price per line proposed by the bad actor is 10 USD, which seems like a reasonable payment for large sets of PINs. "The amount of data for possible decryption is close to 50GB," states one member.
After infiltrating the underground community, investigators found that the bad actor is possibly from Eastern Europe, judging by his rather poor English.
IntelCrawler investigators received a sample hex stream of the data proposed for decryption.
It is important to note that the bad actors are also researching the development of their own FPGA board for decryption. IntelCrawler researchers found that the compromised data relates mostly to the US and Canada, because of specific BINs appearing in the intercepted tracks.
"IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breaches. In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up," states Andrew Komarov, IntelCrawler CEO.
IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and from networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.