Cyber attacks fast becoming a full-blown industry

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.techcentral.co.za/cyber-attacks-fast-becoming-a-full-blown-industry/60845/

Cyber attacks such as that recently suffered by telecoms firm TalkTalk can
result in hair-raisingly large losses: TalkTalk may have lost the details
of 4m customers, while in just the last few months Carphone Warehouse lost
2m, Experian lost 15m T-Mobile customers’ details, and dating website
Ashley Madison lost 32m users’ details. The impression is that all this
data is a danger to us in the wrong hands, but where does it end up, how is
it used, and by whom?

Stolen data such as credit card or personal identity details turn up for
sale on websites and on sites in the dark Web, accessed through Tor — an
anonymisation network that makes it near-impossible to discover the origin
and destination of Web traffic, nor the identities of those involved. Using
a Tor-enabled browser, it’s possible to browse Web pages on the standard
Web anonymously. It’s also possible to access what are called Tor hidden
services, essentially anonymised websites in the dark Web, using the .onion
domain suffix.

TalkTalk has alerted its customers to the possibility that their full name,
address, date of birth and credit card details may have been compromised —
although later reports suggest the breach may not have been as serious as
first thought. However, complete card and customer details are a valuable
commodity in online underground markets and can be used to make fraudulent
transactions.

The personal details of TalkTalk customers, like those of previous hacks,
could show up as products for sale on specialised underground “carding”
forums. Carding is the act of using stolen personal information for profit.
The price of a set of card details or personal information varies according
to the amount of information available on a particular individual and how
recent the cards have been obtained. Prices generally fluctuate from US$45
to $2 per card, with more freshly acquired cards the most expensive.

There are many ways to acquire card details using physical means such as
skimming devices installed on cash machines or pay points. But those online
generally come in two types. High-quality stolen data, known as “fullz”,
include all the information on an individual needed for fraudulent
purposes. This usually includes the cardholder’s date of birth, mother’s
maiden name, or other identity details commonly used as security questions.
Other useful products are sold as CVV (what card companies call card
verification values), the full details from a card required for making
purchases such as expiration date and check code printed on the card’s
signature strip, as well as the card number and cardholder’s name.

Cashing in
There are many ways for a buyer of stolen card details to try to profit
from their purchase. Generally, small amounts of cash can be withdrawn from
an account to try to avoid detection by both bank and victim. Larger
transactions will be noticed more quickly and get cancelled. A common
method is to use stolen card details to make online purchases, often from
relatively small online shops that are likely to have fewer fraud
prevention measures such as verifying the cardholder’s address.

In other cases, novel and complex techniques will be used, to get involved
in fake Web shops or warranty fraud, for example, for which the methods are
also available to purchase in underground forums — often for thousands of
dollars. Some advanced methods involve using dozens of stolen credit cards
each week, generating the carder several thousands of dollars a week.
Tutorials sometimes even come with personal one-to-one tutoring by the
criminal hacker who has devised the method. More common carding techniques
are explained in tutorials that are available for less than $100.

Another essential element for the carder to consider is a “drop” — a safe
delivery address that doesn’t reveal the carder’s identity. By delivering
fraudulently purchased products to drops such as an empty house, anonymous
post box, or the apartment of a trusted friend, it’s less likely the carder
will be traced by law enforcement. The carder will aim to keep any
potential evidence to a minimum, for example by using cryptocurrencies like
Bitcoin to purchase the stolen details in the first place, or by relaying
their Internet connection through one or more intermediary proxy servers in
order to make it harder to trace.

A criminal service
A major problem facing those fighting cybercrime is how it has evolved into
full-service commercial entities. Those without the hacking skills to pull
off complicated attacks and cover their trails can find tutorials,
techniques and even hackers-for-hire online — for a price. Underground
criminal forums online and in the dark Web are training grounds for
cybercriminals-to-be, and the bar of skills required for entry is dropping.

Carders will try to justify their behaviour in discussions by arguing that
banks reimburse their victims most of the time. Even so, victims suffer the
shock and inconvenience of losing often substantial amounts of money, and
the rising costs borne by banks and insurers are passed on to society.

Certainly for customers of TalkTalk and other firms subjected to data
losses, there is no quick fix: a particular card may be cancelled, but
their personal details and identities may swirl around online for many
years yet. They will need to be vigilant for unusual activity in their bank
accounts, and alert to unusual phone calls or emails that may be scammers
at work.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!