Target Breach Perks Underground Activities of PIN Decryption?
IntelCrawler on the trail of PIN decryption
Los Angeles, California - January 07, 2014
Target announced on December 19 that it had become the victim of an attack that enabled hackers to steal 40 million credit and debit cards, along with CVV codes and PIN data; the PIN data, however, was encrypted with 3DES, the financial industry practice mandated by PCI DSS compliance requirements.
"It seems the underground is in a race to try and decrypt the PINs before banks can re-issue new cards," states Dan Clements, President of Los Angeles based intelligence company IntelCrawler.
According to IntelCrawler's sources, there is an active group of Eastern European cybercriminals that specializes in attacks on merchants and Point-of-Sale terminals using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment data and PIN blocks, and many systems have been sniffed and their data grabbed this way in the past. The recent request by the underground to decrypt PIN data, described below, may be coincidental to the Target breach, or it may be some of the actual perpetrators floating a sample to see what resources and success the underground has had, or could have, given the magnitude and value of the Target breach.
Just recently, several criminals in the underground have shown interest in decrypting 3DES blocks and information intercepted from the serial COM port connected to POS terminals (9600 baud, 7 data bits, even parity, 1 stop bit: 9600 7E1) and through Man-in-the-Middle attacks.
The first posts about the opportunity for such attacks appeared in underground forums in September 2011 and were actively discussed up to 2012.
"Most of the underground chatter is among users who know how to sniff traffic but need technical help in addressing the decryption issue," comments Andrew Komarov, IntelCrawler CEO.
Experienced cybercriminals have noticed that many "encrypted networks" still allow some plain-text capture. But to handle the more sensitive encrypted data, some of the more professional hackers have set up an "investment fund" for building a 22 teraflop cluster for 3DES brute force, which could give them a much higher return on POS malware.
The leader of this group was actively working on the development of special software for PIN-block decryption by brute force, given sample dumps, PINs and hashes (possibly from an HSM).
Close to 2013, IntelCrawler detected several more concrete posts in which bad actors from Eastern Europe were trading sniffed dumps from hacked Point-of-Sale networks and offering samples upon request.
Right after the Target breach was announced, in the beginning of January, private messaging about 3DES among serious members appeared in some private forums. The price per line proposed by the bad actor is 10 USD, which seems a reasonable payment for large sets of PINs. "The amount of data for possible decryption is close to 50GB," states one member.
After infiltrating the underground community, investigators found that the bad actor is possibly from Eastern Europe, judging by his poor English.
A sample hex stream of the data proposed for decryption was obtained by IntelCrawler investigators.
It is important to note that the bad actors are also researching the opportunity to develop their own FPGA board for successful decryption. IntelCrawler researchers found that the compromised data relates mostly to the US and Canada, because of the specific BINs appearing in the intercepted tracks.
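The previous paragraphs describe sniffed POS track data whose BINs reveal the issuing region. The following is an added example (not IntelCrawler's code, and not from any tool named in this release) showing how a defender can detect plaintext Track 2 card data leaking over a monitored POS link, the kind of data a serial or network sniffer would collect, by matching the ISO/IEC 7813 Track 2 layout, validating the PAN with the Luhn check to suppress false positives, and reporting only the BIN and a masked PAN. The capture lines are constructed for this example; the PANs are well-known public test numbers, not real cards.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN of 13-19 digits,
# field separator '=', expiry YYMM, 3-digit service code, discretionary
# data, end sentinel '?'. Plaintext of this shape should never appear on a
# link that is supposed to carry only encrypted PIN blocks.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six digits (the BIN) and last four, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2Hit:
    line_no: int
    bin: str
    masked_pan: str
    expiry: str       # YYMM
    service_code: str


def scan_capture(lines: List[str]) -> List[Track2Hit]:
    """Scan captured lines and return one hit per Luhn-valid Track 2 record."""
    hits: List[Track2Hit] = []
    for line_no, line in enumerate(lines, start=1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group("pan")
            if not luhn_ok(pan):
                # Track-shaped digits that fail Luhn are almost certainly not
                # a card number; skip them to keep the alert precise.
                continue
            hits.append(Track2Hit(
                line_no=line_no,
                bin=pan[:6],
                masked_pan=mask_pan(pan),
                expiry=m.group("exp"),
                service_code=m.group("svc"),
            ))
    return hits


# Constructed sample capture from a hypothetical POS serial-port monitor.
# Lines 1 and 3 carry public test PANs; line 2 is a Luhn-invalid decoy.
SAMPLE_LINES = [
    "12:01:03 COM1 RX ;4111111111111111=25121011234567890?",
    "12:01:04 COM1 RX ;4111111111111112=25121011234567890?",
    "12:01:05 COM1 RX ;5555555555554444=26062010000000000?",
    "12:01:06 COM1 RX 0000 5A3F 9C21 44D0   (encrypted PIN block, expected)",
]


if __name__ == "__main__":
    for hit in scan_capture(SAMPLE_LINES):
        print(f"line {hit.line_no}: ALERT plaintext Track 2 data, BIN {hit.bin}, "
              f"PAN {hit.masked_pan}, exp {hit.expiry}, svc {hit.service_code}")
```

The alert deliberately carries only the BIN and a masked PAN, so the detection log itself does not become another store of card data; the BIN is enough to tell an analyst which issuers and regions are affected, which is exactly how the release infers a US and Canada focus from the intercepted tracks.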
"IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breaches. In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up," states Andrew Komarov, IntelCrawler CEO.
IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.