Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

ASSESSMENT: Threat Intelligence and Credit Card Fraud

with 3 comments

rescator_maltego

TARGET:

With the escape of card data and personal data from Target over the holiday season we have seen an uptick in stories about the underworld of carding. Of course Target is just one large company that has been hit with such attacks albeit this time this one hit scored over 70 million cards and their attendant PII data. As the fallout continues to get reported on the attack itself, Brian Krebs has been reporting on those behind the scenes offering up the “dumps” for the criminally inclined to buy cards and data in order to create new lines of credit or spend the ones that have been stolen. As time has worn on though, and as Target starts to release details of just how inadequate their security was on their systems that allowed this attack to happen from external access to their intranet one thing has become clear; Credit crime is not abating and the banks and credit companies are either powerless or don’t care to find ways to stop the hacks and dumps from happening in the first place. Target specifically in this instance has done a terrible job of responding to the incident with clients and the street and now that details are coming out about their internal security issues, they no doubt will be hiring PR firms by the dozen to spin a tale that this was impossible to have stopped.

CARDERS:

In reality the carders live a fairly open existence on the internet in PHP bulletin boards much like the jihadi’s do. Their OPSEC is lacking as Krebs can attest and in some cases really don’t care because they live or work in countries where the laws are not as robust and they don’t really fear prosecution. After having been on their sites and looked at caches as well as live data I can say that the OSINT that Krebs culls is not that hard to perform and that more people should be doing the same thing in order to interdict possible attacks in the future. I would assume that there are personnel tasked to do this from say Treasury or USSS but inasmuch as all of this came as such a surprise and that Krebs broke the story before anyone else says a lot about the lack of eyeballs on these forums. These guys are living large and often are not that old to begin with. We aren’t talking about old KGB guys now lurking the net and stealing credit card data to support their plans of world domination. What we are talking about are kids who play Xbox and have a revenue stream that is often times pretty robust allowing them to do pretty much whatever they want. Of course I suspect that there are ties to Mafiosi of the Russian variety (this case) as well as in other quarters because hey, this is just another piece of action right? What still amazes though is the naked operations that these guys carry out day to day that don’t even require much else than an ICQ connection and an email address that can be thrown away.

RESCATOR:

Screenshot from 2014-01-20 15:54:08

In the case of Rescator though, we have a kind of a “Senatus” as they like to call him on the sites who seems to have been at this for some time and has amassed an infrastructure to allow for the sale of not only stolen credit card data but also flooding services and other offerings. In the case of the latest Target affair, Senatus Rescator is most definitely at the forefront of the whole thing. He and others like Flavius are in charge of about 10 or so sites that are transitory at times and all bulletin boards pretty much explicitly for the trade of credit card data. Now, as to whether or not Rescator was the main operator behind this hack on target and others is a question that I cannot answer at the present time. I will say though that the conglomerate including those like Flavius and Rescator may in fact form the cabal that ordered up the hack and ex-filtration or perhaps just benefited from the dumps that came to them from the hackers. I lean towards though the idea that Rescator and Flavius and others were likely the ones who put this all together, purchased the malware, and got the hired hands to pull it off if not doing some of the work themselves. That Krebs and others have actually tracked Rescator to a single name and have his personal details shows the lack of OPSEC there and one hopes that sometime in the near future he will get a knock at the door from Interpol and the USSS/FBI but that remains to be seen.

LAMPEDUZA, RESCATOR, OCTAVIAN:

Screenshot from 2014-01-20 15:47:49

Screenshot from 2014-01-20 15:55:40

Screenshot from 2014-01-18 10:13:33

Screenshot from 2014-01-18 12:38:42

Screenshot from 2014-01-18 15:38:25

Domain ID:GMOREGISTRY-DO27434
Domain Name:RESCATOR.SO
Created On:2013-10-01T07:27:57.0Z
Last Updated On:2013-10-08T06:45:26.0Z
Expiration Date:2015-10-01T23:59:59.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Status:clientDeleteProhibited
Status:serverTransferProhibited
Registrant ID:WN18968955T
Registrant Name:Private Registration
Registrant Organization:rescator.so
Registrant Street1:Rm.804, Sino Centre, Nathan Road,
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:rescator.so@domainsproxy.name
Admin ID:WN18968956T
Admin Name:Private Registration
Admin Organization:rescator.so
Admin Street1:Rm.804, Sino Centre, Nathan Road,
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:rescator.so@domainsproxy.name
Tech ID:WN18968957T
Tech Name:Private Registration
Tech Organization:rescator.so
Tech Street1:Rm.804, Sino Centre, Nathan Road,
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:rescator.so@domainsproxy.name
Billing ID:WN18968958T
Billing Name:Private Registration
Billing Organization:rescator.so
Billing Street1:Rm.804, Sino Centre, Nathan Road,
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:rescator.so@domainsproxy.name
Sponsoring Registrar ID:webnic
Sponsoring Registrar Organization:Web Commerce Communications Limited
Sponsoring Registrar Street1:Lot 2-2, Technology Park Malaysia, Bukit Jalil,
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:5700
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+60.60389966788
Name Server:GREG.NS.CLOUDFLARE.COM
Name Server:ROSE.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

Domain Information
Query: rescator.cm
Status: Active
Created: 01 Jan 2014 15:52 WAT
Modified: 10 Jan 2014 09:54 WAT
Expires: 01 Jan 2015 15:52 WAT
Name Servers:
pns4.cloudns.net
pns5.cloudns.net

Registrar Information
Registrar Name: Web Commerce Communications WebCC

Registrant:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Admin Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Technical Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Billing Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Domain ID:GMOREGISTRY-DO27425
Domain Name:LAMPEDUZA.SO
Created On:2013-10-01T00:58:44.0Z
Last Updated On:2014-01-16T14:55:50.0Z
Expiration Date:2015-10-01T23:59:59.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Status:clientDeleteProhibited
Status:serverTransferProhibited
Registrant ID:WN18967443T
Registrant Name:Private Registration
Registrant Organization:lampeduza.so
Registrant Street1:Rm.804, Sino Centre, Nathan Road,
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:lampeduza.so@domainsproxy.net
Admin ID:WN18967444T
Admin Name:Private Registration
Admin Organization:lampeduza.so
Admin Street1:Rm.804, Sino Centre, Nathan Road,
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:lampeduza.so@domainsproxy.net
Tech ID:WN18967445T
Tech Name:Private Registration
Tech Organization:lampeduza.so
Tech Street1:Rm.804, Sino Centre, Nathan Road,
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:lampeduza.so@domainsproxy.net
Billing ID:WN18967446T
Billing Name:Private Registration
Billing Organization:lampeduza.so
Billing Street1:Rm.804, Sino Centre, Nathan Road,
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:lampeduza.so@domainsproxy.net
Sponsoring Registrar ID:webnic
Sponsoring Registrar Organization:Web Commerce Communications Limited
Sponsoring Registrar Street1:Lot 2-2, Technology Park Malaysia, Bukit Jalil,
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:5700
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+60.60389966788
Name Server:PNS4.CLOUDNS.NET
Name Server:PNS9.CLOUDNS.NET
Name Server:PNS7.CLOUDNS.NET
Name Server:PNS5.CLOUDNS.NET
Name Server:PNS8.CLOUDNS.NET
DNSSEC:Unsigned

Domain Name: LAMPEDUZA.NET
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.CLOUDNS.NET
Name Server: NS2.CLOUDNS.NET
Name Server: NS3.CLOUDNS.NET
Status: clientTransferProhibited
Updated Date: 03-oct-2013
Creation Date: 31-may-2011
Expiration Date: 31-may-2022

>>> Last update of whois database: Mon, 20 Jan 2014 20:30:53 UTC <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: LAMPEDUZA.NET
Registry Domain ID:
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date:
Creation Date: 2011-05-31T11:47:48Z
Registrar Registration Expiration Date: 2022-05-31T11:47:48Z
Registrar: Internet.bs Corp.
Registrar IANA ID: 814
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone:
Reseller:
Domain Status:
Registry Registrant ID:
Registrant Name: Jeremiah Heisenberg
Registrant Organization: Offshore Hosting Solutions Ltd.
Registrant Street: Oliaji TradeCenter 1st floor
Registrant City: Victoria
Registrant State/Province:
Registrant Postal Code: 3341
Registrant Country: SC
Registrant Phone: +248.2482032827
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@offshore-hosting-service.com
Registry Admin ID:
Admin Name: Jeremiah Haselberg
Admin Organization: Offshore Hosting Solutions Ltd.
Admin Street: Oliaji TradeCenter 1st floor
Admin City: Victoria
Admin State/Province:
Admin Postal Code: 3341
Admin Country: SC
Admin Phone: +248.32724
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@offshore-hosting-service.com
Registry Tech ID:
Tech Name: Jeremiah Haselberg
Tech Organization: Offshore Hosting Solutions Ltd.
Tech Street: Oliaji TradeCenter 1st floor
Tech City: Victoria
Tech State/Province:
Tech Postal Code: 3341
Tech Country: SC
Tech Phone: +248.32724
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@offshore-hosting-service.com
Name Server: ns1.cloudns.net
Name Server: ns2.cloudns.net
Name Server: ns3.cloudns.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-01-20T11:49:26Z <<<

domain:        OCTAVIAN.SU
nserver:       jack.ns.cloudflare.com.
nserver:       leah.ns.cloudflare.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        fpolev@mail.ru
registrar:     RUCENTER-REG-FID
created:       2013.01.13
paid-till:     2015.01.13
free-date:     2015.02.15
source:        TCI

Last updated on 2014.01.21 00:31:35 MSK

~$ whois rescator.la
Domain ID:CNIC-DO1009346
Domain Name:RESCATOR.LA
Created On:2013-02-21T01:24:13.0Z
Last Updated On:2013-12-27T12:53:29.0Z
Expiration Date:2014-02-21T23:59:59.0Z
Status:SERVER UPDATE PROHIBITED
Status:SERVER HOLD
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:CLIENT DELETE PROHIBITED
Status:SERVER TRANSFER PROHIBITED
Registrant ID:WN18395382T
Registrant Name:Private Registration
Registrant Organization:rescator.la
Registrant Street1:Rm.804, Sino Centre, Nathan Road
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:rescator.la@domainsproxy.net
Admin ID:WN18395383T
Admin Name:Private Registration
Admin Organization:rescator.la
Admin Street1:Rm.804, Sino Centre, Nathan Road
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:rescator.la@domainsproxy.net
Tech ID:WN18395384T
Tech Name:Private Registration
Tech Organization:rescator.la
Tech Street1:Rm.804, Sino Centre, Nathan Road
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:rescator.la@domainsproxy.net
Billing ID:WN18395385T
Billing Name:Private Registration
Billing Organization:rescator.la
Billing Street1:Rm.804, Sino Centre, Nathan Road
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:rescator.la@domainsproxy.net
Sponsoring Registrar ID:H129924
Sponsoring Registrar IANA ID:460
Sponsoring Registrar Organization:Web Commerce Communications Ltd
Sponsoring Registrar Street1:Lot 2-2, Incubator 1, Technology Park Malaysia
Sponsoring Registrar Street2:Technology Park Malaysia
Sponsoring Registrar Street3:Bukit Jalil
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:57000
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+603 8996 6788
Sponsoring Registrar FAX:+603 8996 8788
Sponsoring Registrar Website:http://www.webnic.cc
Name Server:JACK.NS.CLOUDFLARE.COM
Name Server:LEAH.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

The sites that Rescator and friends have set up are an arcology on the internet for underground (almost) carding forums. As at the top of the page (see maltego map) you can see that they all can be connected together either by registration data or links to one another to and from their domains. One interesting bit is the fact that a couple of the sites were registered our of the Seychelles by “Jeremiah Heisenberg” which has a checkered past with sites ranging from online poker for bitcoins to outright scams including takedown notices from MPAA. It seems that perhaps the nearest thing to a real financial entity that can be found in the intelligence gathering I did today was this company (likely a shell company) that could be a means to an end in laundering funds and cleaning them. As to whether or not Rescator and the others are a part in this or are just the mules (so to speak) is the question I still have and it will take more looking to see. In the end though this constellation of sites and their spidering out to many many others both on and off of the darkweb is the primary means for volume trafficking in stolen credit data and PII as well as bank accounts and access to financial institutions. In other words, a real and credible threat.

THREAT INTELLIGENCE AND ANALYSIS:

I have been looking into these sites and the players for a little while now and I have to say that with the lack of OPSEC I would think they would be easy targets for takedown. What has been bothering me now since I started this Odyssey is that companies like Target as well as the banks out there lack any true intelligence gathering apparatus to actually monitor these sites and get insight into what is happening. Ok, I know this may sound a little out there to some and that I am asking for companies and banks specifically to have working intelligence apparatus but really, isn’t that the only real way to have a fighting chance here? Had the banks or some firms out there been doing what Krebs has been doing perhaps this attack would have been at least prepared for a little bit if not stopped due to intelligence gathering from these fairly open sites? My analysis that stemmed from about a day’s worth of looking backstops Krebs data and even goes further and really, I did not put all that much time into it. Imagine what could be done with the proper analysis and heads up on such POS malware as was plainly for sale and talked about in these forums?

It will be some time until the Target kerfuffles dust has settled but I would like to advocate more HUMINT and OSINT like Krebs has been doing by analysts either selling this as a service or perhaps in house operations that at the very least can spend some time Googling or using Maltego to determine just what is happening out there in these not nearly opaque bulletin boards. As I write this though I am wondering whether or not the simplest answer here is that the banks just don’t care because in the end the costs will circle back to the clients in the form of fee’s. This reasoning serves the cognitive dissonance within the financial sector that says it’s not their fault, it’s not your fault, but hell there is nothing we can do about it. I should think that more proactive approaches to anti-fraud methodologies might be better but who knows what they are thinking. Overall this kind of crime will continue both big and small because the companies make it easy for the criminals to hack them (bad passwords and processes etc) as well as the lackadaisical leze fair  attitude on the part of the credit corporations and banks persist. The real loser though will be the client who has to deal with bad credit through identity theft, loss of funds that may or may not be guaranteed, and generally being the product for sale by these miscreants.

K.

Written by Krypt3ia

2014/01/20 at 21:53

3 Responses

Subscribe to comments with RSS.

  1. And the step after private intelligence collection is, of course, private response using private para-LE or sanctioned LE actions. One step closer to dystopia. What an interesting bed we’re making.

    cinemarriage

    2014/01/20 at 22:12

  2. We are the reason we can’t have nice things.

    Krypt3ia

    2014/01/20 at 23:28

  3. I think the reality is that this type of work is still too advanced for most companies to stomach. Target was in the process of downsizing their security program, so they obviously weren’t about to stand up some new intel arm. Companies that do perform some of this work for their clients are extremely expensive, and the source and techniques of acquiring the information (even at a high level) are not communicated. And finally, any boutique firm that is looking to offer this as a service (which would be both fun and potentially effective for the clients) is going to face the problem of looking like an extortionist during the sales pitch.

    Kevin

    2014/02/20 at 21:50


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: