
Subway hackers used freely available tools and sold data via a file transfer site

The tools used in the Subway card skimming operation are widely available on the internet for anyone willing to take the risks.

According to Dave Marcus, director of security research and communications at McAfee Labs, speaking to Ars Technica, small businesses' generally poor security practices and their reliance on common, inexpensive software packages to run their operations make them easy pickings for such large-scale scams.

According to the article, an indictment unsealed in the US District Court of New Hampshire on 8 December alleged that hackers gathered credit and debit card data from more than 80,000 victims. A previous report by The Register said that four Romanian nationals remotely accessed the point-of-sale systems of 150 Subway sandwich shops and 50 unnamed retailers.

The men are alleged to have scanned the internet to identify point-of-sale terminals that used certain remote desktop software applications, and then gained unauthorised access to them by guessing or 'brute forcing' passwords.

The indictment made clear that the attackers' methods were hardly sophisticated: the systems were discovered through a targeted port scan of blocks of IP addresses, looking for hosts running a specific type of remote desktop access software.

The software provided a ready-made back door for the hackers to gain entry to the point-of-sale systems; the applications used by these retailers clearly did not have two-factor authentication.

The Justice Department alleged that the hackers gained access to the remote desktop software by guessing or cracking the passwords it was configured with. Once in, the hackers deployed a collection of hacking tools to the point-of-sale (POS) systems, including logging software that recorded all input to the systems, such as credit card scans. They also installed the xp.exe Trojan to provide a back door for reconnecting to the systems, allowing the installation of additional malware and preventing security software updates.

The hackers are also alleged to have periodically rounded up the dumped transaction data and moved it to the file transfer site sendspace.com, which said it co-operated with the FBI in the investigation of the hack.

Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines, while the rest of the stolen data was sold in blocks to other criminals from the Sendspace server.
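The attack chain described above, from password guessing against remote desktop software to bulk uploads to a file transfer site, leaves two signals a small retailer could watch for. The following is an added example, not code from the article or from any party named in it: it runs two simple detections over constructed sample logs for a hypothetical POS host, a burst of failed remote logons from one source followed by a success, and a large outbound transfer to a file-sharing domain. The log formats, host names, addresses and the `FILE_SHARING_HOSTS` list are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed sample logs (not from the article) for one POS host: a remote-access
# authentication log and an outbound web-proxy log, both with ISO 8601 timestamps.
AUTH_LOG = """\
2011-12-08T02:14:01 pos-01 remote-desktop LOGIN FAILED user=admin src=203.0.113.10
2011-12-08T02:14:03 pos-01 remote-desktop LOGIN FAILED user=admin src=203.0.113.10
2011-12-08T02:14:06 pos-01 remote-desktop LOGIN FAILED user=admin src=203.0.113.10
2011-12-08T02:14:07 pos-01 remote-desktop LOGIN FAILED user=admin src=203.0.113.10
2011-12-08T02:14:09 pos-01 remote-desktop LOGIN OK user=admin src=203.0.113.10
2011-12-08T09:00:00 pos-01 remote-desktop LOGIN FAILED user=manager src=192.0.2.5
2011-12-08T09:00:30 pos-01 remote-desktop LOGIN OK user=manager src=192.0.2.5
"""
PROXY_LOG = """\
2011-12-08T02:20:11 pos-01 POST https://www.sendspace.com/upload bytes_out=4194304
2011-12-08T09:05:00 pos-01 GET https://updates.pos-vendor.invalid/check bytes_out=512
"""
AUTH_RE = re.compile(r"^(\S+) (\S+) \S+ LOGIN (FAILED|OK) user=(\S+) src=(\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+) bytes_out=(\d+)$")
FILE_SHARING_HOSTS = {"sendspace.com", "www.sendspace.com"}  # hypothetical local list

def brute_force_then_success(log, threshold=4, window=timedelta(minutes=5)):
    """(host, user, src) tuples where at least `threshold` failed logons from one
    source inside `window` are followed by a successful logon from that source."""
    failures = defaultdict(list)  # (host, user, src) -> failure timestamps
    hits = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, host, status, user, src = m.groups()
        t, key = datetime.fromisoformat(ts), (host, user, src)
        if status == "FAILED":
            failures[key].append(t)
        elif len([f for f in failures[key] if t - f <= window]) >= threshold:
            hits.append(key)
    return hits

def large_upload_to_file_sharing(log, min_bytes=1_000_000):
    """(host, url) pairs for outbound transfers above `min_bytes` to file-sharing
    domains; a POS terminal has no business pushing megabytes to such a site."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if m and urlparse(m.group(3)).hostname in FILE_SHARING_HOSTS \
                and int(m.group(4)) >= min_bytes:
            hits.append((m.group(2), m.group(3)))
    return hits
```

Both checks are cheap enough to run from a nightly cron job on the logs a remote-access package and an egress proxy already write; the manager's single typo at 09:00 stays below the threshold while the night-time burst against `admin` is flagged.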

Subway corporate press relations manager Kevin Kane told Ars that "the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it".

He declined to discuss the measures taken as "we don't want to give away the blueprint" to other potential attackers, and said Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.
