10/14/2011
05:00 PM

Largest Credit-Card Fraud Ring Bust Should Validate DAM, SIEM Work

Case shows how stolen credit-card numbers fuel real crimes

The credit-card fraud ring busts announced last week by the Queens County District Attorney (DA) gave the IT security world a reason to both cheer and redouble its efforts to thwart the theft of database information. In a world where most cybercriminals run little risk of getting caught, security experts are happy to see so many criminals netted in one fell swoop. At the same time, these bad guys' exploits offer a lesson about how the dispassionate crime of raiding corporate databases for financial information turns into something that affects real people's bank and credit accounts.

"Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years," said Queens DA Richard A. Brown.

Using credit-card numbers provided by a loose network of overseas criminal syndicates, online black market dealers, and skimmers, the 110 crooks indicted by the authorities were allegedly able to set up a system to clone cards and engage in spending sprees and wholesale fencing operations that stole more than $13 million in goods and services. The Queens DA office said that with the New York Police Department, it was able to unravel five different crime rings with different bosses but an interwoven patchwork of common fake card manufacturers, shoppers, fencers and more.

“This is by far the largest -- and certainly among the most sophisticated -- identity theft/credit-card fraud cases that law enforcement has come across,” Brown said.

All of the moving parts and sophistication of organization used by the criminals in these rings illustrate what happens once the criminal element is able to infiltrate a database to steal credit-card and other financial information. Many of the crimes perpetrated by the indicted in this case were fueled not only by skimmers, but also by international and local suppliers who had already done the hacking work to compile lists of stolen card numbers.

"The materials were alleged to have come from overseas -- unknown individuals in such places as Russia, Libya, Lebanon, and China -- or from statewide suppliers, such as individuals who worked in a restaurant or bar, retail store, or financial institution and used a skimming device to swipe a consumer's credit card information or who obtained credit card accounts through illegal web sites," the Queens DA office said in a statement about the case.

According to Josh Shaul, CTO of Application Security, Inc., the ready availability of these numbers should make organizations think more seriously about monitoring database activity.

"Outsiders are the new breed of insiders; there's just so many ways an outsider can get into the database, whether it's through SQL injection vulnerabilities in a website or by loading up malware on somebody's laptop or some other endpoint," Shaul says. "It has become almost trivial for an attacker to find some position on the inside of a target network and start working from there, and once they find that chink in the armor, that lets them get in. They may not be an authorized user, but they're just as much an insider as anyone else on the network. And so from that respect, I feel like monitoring your data, the stuff you really care about, is critical."

According to some, this case also offers lessons on keeping better tabs on insiders to spot malicious behavior, and on correlating events to find the patterns of a wider fraud ring spanning multiple users and events.

"In general, I think that this points at the very interesting area of data correlation, specifically in the work done through security information and event management and behavioral analysis systems," says Phil Lieberman, president of Lieberman Software. "It is a second-order goal. The first order is detecting the fraud. The second order is tying together who all the players are."

In this recent case, some of the fraud-ring bosses tapped inside employees within retail or banking establishments to use their account access to find out which stolen credit card offered the best opportunity for high value theft. And one even paid an attorney in designer shoes to advise on how to carry out his thieving ways and avoid detection. Clearly, the faster an organization can detect employees on the inside working for a criminal element, the less damage will be wrought in these cases. That means keeping better tabs on how they are looking up database information across multiple applications and systems.

"So folks have got to be monitoring access to their sensitive and valuable data, and they've got to make sure that all of the access that they see is legitimate," Shaul says, "which means not just turning on some system to monitor access, but looking at the access that's actually there and doing something about the suspicious, malicious, and the anomalous."

This has increasingly been a focus for SIEM vendors of late, says Joe Gottlieb, CEO of SIEM vendor SenSage.

"Nowadays it is about actually looking at the identity of the user, what other identities that user has, what other permissions and systems that user has, and what systems they show up on," he says. "All of that is context now for the types of insider threats that we have to protect against and some of the collusions, potentially, between insiders and outsiders."
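The two-order correlation Lieberman and Gottlieb describe, as an added example that is not part of the article or any vendor's product: over constructed database-activity-monitoring (DAM) records, first flag users whose card-account lookups exceed a baseline across applications, then tie flagged users together by the accounts they both touched. All user names, application names, account ids and thresholds are assumptions made up for this illustration.

```python
"""Added example, not from the article or any vendor: correlation over constructed
DAM records -- flag anomalous card-account lookups per user, then link users."""
from collections import defaultdict
from itertools import combinations

# Constructed DAM records: (user, application, card account looked up).
# Users, apps and account ids are assumptions made up for this example.
SAMPLE_RECORDS = [
    ("alice", "crm", "acct-1001"), ("alice", "crm", "acct-1002"),
    ("bob", "billing", "acct-2001"), ("bob", "billing", "acct-2002"),
    ("bob", "billing", "acct-2003"),
    # carol and dave each sweep many accounts across two apps and overlap
    ("carol", "crm", "acct-3001"), ("carol", "billing", "acct-3002"),
    ("carol", "crm", "acct-3003"), ("carol", "billing", "acct-3004"),
    ("carol", "crm", "acct-3005"), ("carol", "billing", "acct-3006"),
    ("dave", "billing", "acct-3001"), ("dave", "crm", "acct-3002"),
    ("dave", "billing", "acct-3003"), ("dave", "crm", "acct-4001"),
    ("dave", "billing", "acct-4002"), ("dave", "crm", "acct-4003"),
]

def lookups_by_user(records):
    """Distinct accounts and applications touched by each user."""
    accts, apps = defaultdict(set), defaultdict(set)
    for user, app, acct in records:
        accts[user].add(acct)
        apps[user].add(app)
    return accts, apps

def flag_anomalous_users(records, max_accounts=4, max_apps=1):
    """First order: users whose distinct-account lookups or cross-application
    reach exceed a baseline. Thresholds are assumed; tune to real traffic."""
    accts, apps = lookups_by_user(records)
    return sorted(u for u in accts
                  if len(accts[u]) > max_accounts or len(apps[u]) > max_apps)

def link_users_by_shared_accounts(records, flagged, min_shared=2):
    """Second order: pairs of flagged users who looked up the same accounts."""
    accts, _ = lookups_by_user(records)
    links = {}
    for a, b in combinations(sorted(flagged), 2):
        shared = accts[a] & accts[b]
        if len(shared) >= min_shared:
            links[(a, b)] = sorted(shared)
    return links

if __name__ == "__main__":
    flagged = flag_anomalous_users(SAMPLE_RECORDS)
    print("flagged:", flagged)
    print("linked:", link_users_by_shared_accounts(SAMPLE_RECORDS, flagged))
```

In practice the per-user baseline would come from historical DAM data and the identity context (other accounts, permissions, systems) from the SIEM, not from fixed thresholds.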
