Romanian hackers busted with half a MILLION credit cards from Australia – how could THAT have happened?

The Australian Federal Police (AFP) are cock-a-hoop this week, announcing the bust of a gang of Romanian credit card hackers.

According to reports, 200 Romanian cops pounced on 36 locations, detained 16 people and ultimately arrested seven of them.

The carding crew had allegedly made off with half a million Aussie credit card numbers, racking up charges averaging more than $1000 each on 30,000 of them.

At this point, I’m sure you’re thinking what I am. “Half a MILLION cards from Australia. And the crooks didn’t even need to leave Romania. How could THAT have happened?”

The answer, according to the Australian cops, is RDP.

Remote Desktop Protocol – or Routine Darkside Probe, as we dubbed it in a recent article advising you on how to secure it – is Microsoft’s solution for remote administration of your computers.

RDP effectively mirrors the screen and keyboard of a remote system on your local device.

Move the mouse in the RDP client, and it moves on the remote system. Pop up a software dialog on the remote system and the screen updates are mirrored on your local desktop. It’s almost as good as being right there.

Leaving RDP open to the internet is therefore a little bit like giving a visitor a seat in the corner of your server room and saying, “I’ll just leave you here while I go for lunch. Don’t touch anything, will you?”

In this case, a bunch of small Aussie retailers were targeted. It’s not clear whether the hacking took place via IT infrastructure they all shared (a so-called cloud), so that the crooks were able to penetrate everyone in one shot, or if each retailer was probed and hacked individually.

Once you’ve got an RDP connection to the inside of a network, you can run pretty much any software you like, even GUI-only applications that weren’t built with remote control in mind.

It seems that’s what the crooks did, running up the retailers’ Point of Sale (PoS) software and retrieving credit card numbers already collected by the retailers’ own payment devices.

We’ve written about skimming a couple of times recently.

That’s where you add a covert credit card reader in front of a real one.

Any card swiped or inserted gets read in twice: once by your data-siphon and once by the genuine device. Loosely speaking, you steal the card data individually from each card.

In this hack, the hackers didn’t even need a skimmer. They let the official card reading devices handle that job, and stole the credit card data in bulk – straight from the horse’s stomach, if you don’t mind mixing your mixed metaphors.

The problem with this sort of hack is that there is very little consumers can do to protect themselves.

All the advice you’ll hear about choosing decent passwords, wiggling the card slot to look for tampering, and avoiding phishing emails that invite you to initiate an on-line transaction? Those won’t help here.

You can do everything right, but if your retailer – or your retailer’s IT provider – does the wrong thing, invisibly to you somewhere in the back of the network, you may never know until it’s too late.

(That, my friends, is why we need mandatory breach disclosure laws: so you can keep current with what’s happened to your personally identifiable information.)

The take-aways from this story?

• If you’re a cybercrook, the fact that you’re sitting far away in a different jurisdiction makes it tougher for the cops to nab you. But not impossible!

• Don’t leave RDP open across the internet. It ends in tears, for you and your customers.

Fancy using the free Sophos UTM Home Edition?

You get web and email filtering, web application security, IPS, VPN and more for up to 50 IP addresses.

Yes, it can help you do RDP safely. so turn that spare PC into a full-on network security appliance!

(Note: registration required.)