10/14/2011
05:00 PM
Largest Credit-Card Fraud Ring Bust Should Validate DAM, SIEM Work

Case shows how stolen credit-card numbers fuel real crimes

The credit-card fraud ring busts announced last week by the Queens County District Attorney (DA) gave the IT security world a reason to both cheer and redouble its efforts to thwart the theft of database information. In a world where most cybercriminals run little risk of getting caught, security experts are happy to see so many criminals netted in one fell swoop. At the same time, these bad guys' exploits offer a lesson about how the dispassionate crime of raiding corporate databases for financial information turns into something that affects real people's bank and credit accounts.

"Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years," said Queens DA Richard A. Brown.

Using credit-card numbers provided by a loose network of overseas criminal syndicates, online black market dealers, and skimmers, the 110 crooks indicted by the authorities were allegedly able to set up a system to clone cards and engage in spending sprees and wholesale fencing operations that stole more than $13 million in goods and services. The Queens DA office said that with the New York Police Department, it was able to unravel five different crime rings with different bosses but an interwoven patchwork of common fake card manufacturers, shoppers, fencers and more.

"This is by far the largest -- and certainly among the most sophisticated -- identity theft/credit-card fraud cases that law enforcement has come across," Brown said.

All of the moving parts and sophistication of organization used by the criminals in these rings illustrate what happens once the criminal element is able to infiltrate a database to steal credit-card and other financial information. Many of the crimes perpetrated by the indicted in this case were fueled not only by skimmers, but also by international and local suppliers who had already done the hacking work to compile lists of stolen card numbers.

"The materials were alleged to have come from overseas -- unknown individuals in such places as Russia, Libya, Lebanon, and China -- or from statewide suppliers, such as individuals who worked in a restaurant or bar, retail store, or financial institution and used a skimming device to swipe a consumer's credit card information or who obtained credit card accounts through illegal web sites," the Queens DA office said in a statement about the case.

According to Josh Shaul, CTO of Application Security, Inc., the ready availability of these numbers should make organizations think more seriously about monitoring database activity.

"Outsiders are the new breed of insiders; there's just so many ways an outsider can get into the database, whether it's through SQL injection vulnerabilities in a website or by loading up malware on somebody's laptop or some other endpoint," Shaul says. "It has become almost trivial for an attacker to find some position on the inside of a target network and start working from there, and once they find that chink in the armor, that lets them get in. They may not be an authorized user, but they're just as much an insider as anyone else on the network. And so from that respect, I feel like monitoring your data, the stuff you really care about, is critical."

Some experts say this case also holds lessons on keeping better tabs on insiders: watching for malicious behavior, and correlating events across multiple users and systems to surface the patterns of a wider fraud ring.

"In general, I think that this points at the very interesting area of data correlation, specifically in the work done through security information and event management and behavioral analysis systems," says Phil Lieberman, president of Lieberman Software. "It is a second-order goal. The first order is detecting the fraud. The second order is tying together who all the players are."

In this recent case, some of the fraud-ring bosses tapped employees inside retail or banking establishments to use their account access to find out which stolen credit card offered the best opportunity for high-value theft. One boss even paid an attorney in designer shoes for advice on how to carry out his schemes and avoid detection. Clearly, the faster an organization can detect employees on the inside working for a criminal element, the less damage will be wrought in these cases. That means keeping better tabs on how those employees look up database information across multiple applications and systems.

"So folks have got to be monitoring access to their sensitive and valuable data, and they've got to make sure that all of the access that they see is legitimate," Shaul says, "which means not just turning on some system to monitor access, but looking at the access that's actually there and doing something about the suspicious, malicious, and the anomalous."

This has increasingly been a focus for SIEM vendors of late, says Joe Gottlieb, CEO of SIEM vendor SenSage.

"Nowadays it is about actually looking at the identity of the user, what other identities that user has, what other permissions and systems that user has, and what systems they show up on," he says. "All of that is context now for the types of insider threats that we have to protect against and some of the collusions, potentially, between insiders and outsiders."
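The two layers Lieberman and Gottlieb describe, first flagging suspicious card-data access and then tying accounts on different systems back to one person, can be sketched in a few lines. The following is an added illustration written for this article, not code from Application Security, Lieberman Software, or SenSage; the audit records, account names, identity map, and row threshold are all constructed for the example.

```python
"""Toy DAM/SIEM-style correlation over constructed database audit records.

Added illustration, not a vendor product. First-order detection flags single
queries that pull too many card rows; second-order correlation joins accounts
across systems through an identity map so one person using several logins is
seen as one actor, even when no single query looks bad on its own.
"""
from collections import defaultdict

# Constructed audit records: (system, account, table, rows_returned).
AUDIT = [
    ("retail-db", "jdoe", "cards", 3),
    ("retail-db", "jdoe", "cards", 2),
    ("retail-db", "asmith", "cards", 80),            # under threshold alone
    ("bank-crm", "a.smith", "card_accounts", 90),    # under threshold alone
    ("bank-crm", "bjones", "card_accounts", 2),
    ("retail-db", "svc_export", "cards", 900),       # bulk dump, service account
    ("retail-db", "jdoe", "orders", 40),             # not a sensitive table
]

# Constructed identity map: the directory says these accounts are one person.
IDENTITY = {("retail-db", "asmith"): "alice", ("bank-crm", "a.smith"): "alice",
            ("retail-db", "jdoe"): "john", ("bank-crm", "bjones"): "bob"}

SENSITIVE = {"cards", "card_accounts"}
ROW_THRESHOLD = 100   # assumed ceiling for a legitimate single lookup

def flag_bulk_lookups(records, threshold=ROW_THRESHOLD):
    """First order: single queries returning more card rows than a
    customer-service lookup should. Returns (system, account, rows)."""
    return [(s, a, r) for s, a, t, r in records if t in SENSITIVE and r > threshold]

def correlate_by_person(records, identity):
    """Second order: total sensitive rows per person across all their accounts,
    plus the systems each person touched. Accounts missing from the identity
    map are kept under an 'unmapped:' label rather than silently dropped."""
    rows, systems = defaultdict(int), defaultdict(set)
    for s, a, t, r in records:
        if t not in SENSITIVE:
            continue
        who = identity.get((s, a), f"unmapped:{s}/{a}")
        rows[who] += r
        systems[who].add(s)
    return {p: (rows[p], sorted(systems[p])) for p in rows}

def suspicious_people(records, identity, threshold=ROW_THRESHOLD):
    """People whose combined card-data pull across systems exceeds the
    threshold, including those no single-query check would have caught."""
    return sorted(p for p, (n, _) in correlate_by_person(records, identity).items()
                  if n > threshold)
```

In the constructed data, only the service account trips the per-query check, while the identity join is what exposes "alice", whose two accounts each stayed under the threshold.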
