Credit card fraudsters moving fast before US chip and pin adoption

The adoption of EMV in the US is quickly closing off the lucrative trade in card details, driving up the price of stolen data.

The EMV standard is changing the face of card crime
The EMV standard is changing the face of card crime

Cyber-criminals are trying to make as much money as possible from stolen credit card data before the US adopts EMV security standards in payment cards.

EMV (which stands for Europay, MasterCard, and Visa, the three companies that originally created the standard) is currently being introduced in the US, over a decade after the technology debuted in the UK.

According to a new report by FireEye, stolen credit card data is making on average $US21 (£14) per card on secret card shops on the Dark Web. The company, alongside its subsidiaries iSIGHT Partners and Mandiant, investigated the Fin6 criminal group last year after it managed to amass the details from millions of credit cards.

The report, dubbed Follow the Money, found that nearly 20 million card details were up for sale. Most of these were from the US and selling for an average of $21. “If all the data was sold at full price — could have been about $400 million,” said the report.

Fin6 used malware such as Grabnew to capture login credentials from victims. Once acquired, Fin6 gains entry to corporate networks and uses vulnerabilities to search the network for credit card numbers.

“For example, in one case, FIN6 used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener that would execute shellcode received over a specific port,” said the report.

The tools targeted CVE-2013-3660, CVE-2011-2005 and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.

“Continuing their use of Metasploit-related tools, FIN6 also used Metasploit's PsExec NTDSGRAB module to obtain a copy of the Active Directory database (ntds.dit). Access to this file would allow them to extract password hashes from the file and crack them offline.”

Finally, to move the stolen payment card data out of the environment, FIN6 used a script to systematically iterate through a list of compromised POS systems, copying the harvested track data files to a numbered “log” file before removing the original data files. They then compressed the log files into a ZIP archive and moved the archive through the environment to an intermediary system and then to a staging system.

“From the staging system, they then copied the stolen data to external CnC servers under their control using the FTP command line utility. In another case, FIN6 used an alternative extraction method to upload payment card data to a public file sharing service,” the authors added.

While FireEye couldn't confirm the location of the crime gang, its activities closely match those seen in Eastern European groups.

Philip Lieberman, President of Lieberman Software, told SCMagazineUK.com that the report points out “the critical need to advance cyber security from a passive activity of trying to detect and catch up to the bad guys, to a new approach of regularly disinfecting systems whether infections can be detected or not”. 

“We are now in an era where old IT security practices no longer work, and those companies that cling to them are regularly victimized with unlimited losses,” he said.

Eddie Lee, security researcher at AlienVault, told SC that while EMV and P2PE are both steps in the right direction, POS remains a target for an obvious reason: financial gain.

“We need to keep in mind that the POS terminal is a computer, subject to malware attacks like any other computer. Understanding the attack methods will hopefully help reduce the effectiveness of attempted exploits on retailer's networks,” he said.

Martin Warwick, FICO's fraud chief in EMEA, told SC that US finally adopted the liability shift for EMV in October 2015, bringing its security measures more in line with those Europe adopted over 10 years ago.

“The adoption of EMV has also triggered a tremendous shift in attitudes, processes, and technologies. As always, stronger fraud protection for one type of fraud forces criminals to look at other areas in order to get what they want,” he said.

It is also worth noting that the US has delayed the liability shift by two years for ATMs and Unmanned Petrol Terminals (UPTs). Unfortunately, these two areas have been a chronic source of skimming globally. This delay means that customers using compromised ATMs or UPTs are much more likely to become victims of card skimming. Indeed, the US has already seen a spike in this type of fraud.”


Sign up to our newsletters