Romanian hackers busted with half a MILLION credit cards from Australia - how could THAT have happened?

Filed Under: Data loss, Featured, Law & order

The Australian Federal Police (AFP) are cock-a-hoop this week, announcing the bust of a gang of Romanian credit card hackers.

According to reports, 200 Romanian cops pounced on 36 locations, detained 16 people and ultimately arrested seven of them.

The carding crew had allegedly made off with half a million Aussie credit card numbers, racking up charges averaging more than $1000 each on 30,000 of them.

At this point, I'm sure you're thinking what I am. "Half a MILLION cards from Australia. And the crooks didn't even need to leave Romania. How could THAT have happened?"

The answer, according to the Australian cops, is RDP.

Remote Desktop Protocol - or Routine Darkside Probe, as we dubbed it in a recent article advising you on how to secure it - is Microsoft's solution for remote administration of your computers. By default it listens on TCP port 3389.

RDP effectively mirrors the screen and keyboard of a remote system on your local device.

Move the mouse in the RDP client, and it moves on the remote system. Pop up a software dialog on the remote system and the screen updates are mirrored on your local desktop. It's almost as good as being right there.

Leaving RDP open to the internet is therefore a little bit like giving a visitor a seat in the corner of your server room and saying, "I'll just leave you here while I go for lunch. Don't touch anything, will you?"

In this case, a bunch of small Aussie retailers were targeted. It's not clear whether the hacking took place via IT infrastructure they all shared (a so-called cloud), so that the crooks were able to penetrate everyone in one shot, or if each retailer was probed and hacked individually.

Once you've got an RDP connection to the inside of a network, you can run pretty much any software you like, even GUI-only applications that weren't built with remote control in mind.

It seems that's what the crooks did, running up the retailers' Point of Sale (PoS) software and retrieving credit card numbers already collected by the retailers' own payment devices.

We've written about skimming a couple of times recently.

That's where you add a covert credit card reader in front of a real one.

Any card swiped or inserted gets read twice: once by your data-siphon and once by the genuine device. Loosely speaking, you steal the card data individually from each card.

In this hack, the hackers didn't even need a skimmer. They let the official card reading devices handle that job, and stole the credit card data in bulk - straight from the horse's stomach, if you don't mind mixing your mixed metaphors.

The problem with this sort of hack is that there is very little consumers can do to protect themselves.

All the advice you'll hear about choosing decent passwords, wiggling the card slot to look for tampering, and avoiding phishing emails that invite you to initiate an on-line transaction? Those won't help here.

You can do everything right, but if your retailer - or your retailer's IT provider - does the wrong thing, invisibly to you somewhere in the back of the network, you may never know until it's too late.

(That, my friends, is why we need mandatory breach disclosure laws: so you can keep current with what's happened to your personally identifiable information.)

The take-aways from this story?

• If you're a cybercrook, the fact that you're sitting far away in a different jurisdiction makes it tougher for the cops to nab you. But not impossible!

• Don't leave RDP open across the internet. It ends in tears, for you and your customers.
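How do you tell whether you have already broken that second rule? One place to look is your perimeter firewall's log: every inbound connection to TCP port 3389 that was allowed from an address outside your own LAN or VPN means RDP was reachable from the internet, and a pile of dropped connections to 3389 from one source means somebody out there is knocking. The script below is an added example for this article, not code from the original post or from Sophos. It parses a constructed firewall log (the field order mirrors the Windows Firewall text log: date, time, action, protocol, source IP, destination IP, source port, destination port, and a trailing RECEIVE/SEND direction), treats 192.168.1.0/24 as the LAN and 10.8.0.0/24 as a hypothetical VPN address pool, and reports exposure and probing separately.

```python
import ipaddress
from collections import Counter

RDP_PORT = 3389

# Assumed trusted source networks: the office LAN and a hypothetical VPN pool.
# RDP should only ever be reachable from these, never from the open internet.
TRUSTED_NETS = ["192.168.1.0/24", "10.8.0.0/24"]

# Constructed sample, not taken from any real system or incident.
# Field order mirrors the Windows Firewall text log (pfirewall.log):
# date time action proto src-ip dst-ip src-port dst-port size flags ... path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-11-26 03:14:15 DROP TCP 203.0.113.7 192.168.1.10 51234 3389 52 S 0 0 0 0 - - - RECEIVE
2012-11-26 03:14:16 DROP TCP 203.0.113.7 192.168.1.10 51235 3389 52 S 0 0 0 0 - - - RECEIVE
2012-11-26 03:14:17 DROP TCP 203.0.113.7 192.168.1.10 51236 3389 52 S 0 0 0 0 - - - RECEIVE
2012-11-26 03:20:01 ALLOW TCP 198.51.100.23 192.168.1.10 40110 3389 52 S 0 0 0 0 - - - RECEIVE
2012-11-26 09:02:44 ALLOW TCP 10.8.0.6 192.168.1.10 55002 3389 52 S 0 0 0 0 - - - RECEIVE
2012-11-26 09:05:10 ALLOW TCP 192.168.1.10 198.51.100.99 3389 40110 52 A 0 0 0 0 - - - SEND
2012-11-26 09:06:00 ALLOW TCP 192.168.1.44 192.168.1.10 49152 3389 52 S 0 0 0 0 - - - RECEIVE
"""


def parse_line(line):
    """Split one log line into a record; return None for headers or junk."""
    f = line.split()
    if len(f) < 8 or f[0].startswith("#"):
        return None
    try:
        return {
            "action": f[2],
            "proto": f[3],
            "src": ipaddress.ip_address(f[4]),
            "dst": ipaddress.ip_address(f[5]),
            "sport": int(f[6]),
            "dport": int(f[7]),
            # Direction is the last column when present (RECEIVE = inbound).
            "path": f[-1] if len(f) > 8 else "",
        }
    except ValueError:
        return None


def is_trusted(ip, nets):
    return any(ip in net for net in nets)


def audit_rdp(log_text, trusted_nets, probe_threshold=3):
    """Summarise inbound TCP/3389 traffic by whether the source is trusted.

    exposed:        untrusted sources whose RDP connections were ALLOWed
    probes:         untrusted sources whose RDP connections were DROPped
    noisy_probers:  probes at or above probe_threshold attempts
    trusted_allowed: count of allowed RDP sessions from LAN/VPN (expected)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    exposed, probes = Counter(), Counter()
    trusted_allowed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != RDP_PORT:
            continue
        # Only inbound traffic matters; replies from the RDP server are noise.
        if rec["path"] and rec["path"] != "RECEIVE":
            continue
        if is_trusted(rec["src"], nets):
            if rec["action"] == "ALLOW":
                trusted_allowed += 1
            continue
        if rec["action"] == "ALLOW":
            exposed[str(rec["src"])] += 1
        elif rec["action"] == "DROP":
            probes[str(rec["src"])] += 1
    noisy = {ip: n for ip, n in probes.items() if n >= probe_threshold}
    return {
        "exposed": dict(exposed),
        "probes": dict(probes),
        "noisy_probers": noisy,
        "trusted_allowed": trusted_allowed,
    }


def verdict(report):
    """One-line judgement: exposure is the serious finding, probing is a warning."""
    if report["exposed"]:
        return "EXPOSED: RDP accepted connections from untrusted sources: " + \
            ", ".join(sorted(report["exposed"]))
    if report["noisy_probers"]:
        return "OK (RDP not reachable), but being probed from: " + \
            ", ".join(sorted(report["noisy_probers"]))
    return "OK: no RDP traffic from untrusted networks"


if __name__ == "__main__":
    report = audit_rdp(SAMPLE_LOG, TRUSTED_NETS)
    print(verdict(report))
    print("dropped probes per source:", report["probes"])
    print("allowed sessions from LAN/VPN:", report["trusted_allowed"])
```

On the sample, the script flags 198.51.100.23 as an exposure (an allowed RDP connection from the internet, which is exactly the situation the retailers in this story were in) and 203.0.113.7 as a prober, while the VPN and LAN sessions pass quietly. One caveat: many firewalls, Windows Firewall included, log dropped packets but not successful connections unless you switch that on, so if you only see the "probes" half of the report, check the logging settings before concluding you are safe.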

Fancy using the free Sophos UTM Home Edition?

You get web and email filtering, web application security, IPS, VPN and more for up to 50 IP addresses.

Yes, it can help you do RDP safely, so turn that spare PC into a full-on network security appliance!

(Note: registration required.)


7 Responses to Romanian hackers busted with half a MILLION credit cards from Australia - how could THAT have happened?

  1. Nima · 641 days ago

    "That, my friends, is why we need mandatory breach disclosure laws: so you can keep current with what's happened to your personally identifiable information."

    Could not agree more with that. Companies are too quiet about these sorts of things and, in most cases, customers never even find out until it's too late, and then they still don't know where it came from.

    • Alex B · 638 days ago

      A minor issue with this requirement is that these small retailers need to actually know they've been breached in order to disclose. In the vast majority of cases such as these, the owner of the compromised systems knows nothing about any theft until someone else discovers it.

  2. Gerry O'Kane · 641 days ago

    Not just Australia check this out: http://swns.com/news/romanian-cash-machine-frauds...

  3. snert · 640 days ago

    The unmitigated audacity of that group! What? They just walked in and picked up money left lying about? Near enough.

  4. Zak · 640 days ago

    Has it been considered that it wasn't a careless IT company and in fact the person in charge of securing the network was bribed? Or worse... Blackmailed? Or could even be a member of the gang who went to Australia with the purpose of getting a job in IT... Playing the long con!

    Such possibilities make it even harder to deal with

  5. Roy · 637 days ago

    You state: "Remote Desktop Protocol - or Routine Darkside Probe, as we dubbed it in a recent article advising you on how to secure it - is Microsoft's solution for remote administration of your computers.", but I can't find anything in that message which tells me how to secure RDP. I have to assume that my ZoneAlarm firewall is still doing its job.
    Or are they not getting past my DSL2 Modem?

    • Paul Ducklin · 636 days ago

      The suggestion in that article is fairly simple: don't let RDP through your firewall. Use some kind of strongly-authenticated VPN connection and then allow RDP.

      As for whether your ZoneAlarm is working - check the logs. Are connections to port 3389 getting blocked?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog