PCI DSS audit tool cracked by cybercriminals

This development represents something of a shift in hacker methodology - Nigel Stanley, Incoming Thought CEO/analyst

PCI compliance: The slow road to progress
PCI compliance: The slow road to progress

A PCI DSS audit utility called Card Recon has reportedly been cracked by cybercriminals to seek out Visa, MasterCard, Amex and similar payment card data on IT systems - reaching into parts of the network that conventional network utilities do not cover.

According to Numaan Huq, a senior threat researcher with Trend Micro, whilst he was researching Point of Sale RAM scraping malware, he discovered a three-year-old development version of Card Recon, a commercial DLP utility designed for us by and retailers to ensure PCI DSS compliance of their IT systems.

"It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards," he says in his analysis.

Criminals, he reasons, need to check and validate the data they have stolen, which they then sell in the underground carder marketplace.

"Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility," he explained.

The problem with software that seeks out payment card credentials is that the format used is widely known, using a standard called ISO/IEC 7812. This defines a 16 or 17-digit format seen on most credit, debit and charge cards - with the fist six digits denoting the card issuer (eg Barclaycard - 4929-77), followed by the account details and a Luhn checksum at the end.

The cracked Card Recon software, says Huq, not only allows intensive searches for card credentials to be completed, but the software could also be deployed on a retailer's network for card harvesting purposes. It is technology like this that possibly assisted in the massive Target card data breach seen recently.

Commenting on Huq's analysis, Nigel Stanley, a leading data forensics specialist and CEO/analyst with Incoming Thought, said that, whilst criminals have been repurposing tools for their own purpose for a great many years, this latest development represents something of a shift in hacker methodology.

"It all comes down to a hacking return on investment," he said, adding that this latest fraud evolution highlights the effort that cybercriminals are prepared to go to achieve their frauds.

David Harley, a senior research fellow with ESET, agreed with Stanley's analysis, saying that is now commonplace for cybercriminals to reverse engineer security software.

This, he says, involves looking for exploitable vulnerabilities, for example – as they do with other applications – but also for ideas on ways to avoid and subvert detection by trying to work out exactly what the security software is doing.

Harley argues that this latest card fraud evolution is not a simple one to analyse, as the fact that security researchers reverse engineer certain types of malware does not mean that they are one step ahead, any more than cybercriminals are.

"Both sides score their victories, though bona fide researchers are restricted by legal and ethical constraints. There's a mismatch in perception, though. Any time criminals are known to ‘succeed' in some malicious activity, it is seen as a failure on the part of security software, not only by the media but by competitors," he said.

Calum MacLeod, VP EMEA with Lieberman Software was more sceptical, saying that the reverse engineering of software like Card Recon is nothing new.

In fact, he says, no single group has profited as much from the development of security tools as the hacker community, as there is no need for them to reverse engineer in many cases, because once they have gained access through the compromise of privileged access on IT staff systems, the tools are very often there waiting for their use.

"There are a myriad of tools that are easy to download that provide out of the box vulnerability scanning, password cracking, automated exploit scanning, exfiltration, and obfuscation tools that are used daily by IT staff. They are also used by hackers to identify the same weaknesses - and use the very exploits these tools are designed to discover," he explained.

Reverse engineering, argues MacLeod, is commonplace, especially when it comes to malware, since this is an easy way to defeat AV technologies and IPS technologies.

"The bottom line is that as long as enterprises don't wake up to the reality that they are not properly managing privileged accounts, they have a permanently open backdoor. Unfortunately too many organisations have bought into the marketing hype that by simply managing administrator accounts they have closed the loophole," he said.