No Honor Among Thieves: Card Skimming Gangs Turn on Each Other
As a callback to my blog about IoT malware authors turning on each other to compete for computing resources, the same hilarious trend is now making its way into the credit card skimming underworld. Bone broth and neck thickening cream connoisseurs were disappointed to learn that Alex Jones’ InfoWars.com website had Magecart credit card stealing code embedded in it. The same thing happened at higher-profile targets such as British Airways (BA) and Ticketmaster, where roughly 380,000 and 40,000 customers respectively, trying to buy airline tickets or concert tickets, had their payment details stolen. Although that is a fraction of the victims of the Target and Home Depot card breaches, the Magecart skimmer ran undetected for weeks at BA and for months at Ticketmaster despite all of the security controls in place. Did these companies not learn from the earlier attack campaigns? That raises the question: what, and who, is Magecart? Magecart is an umbrella name, coined when the groups were mainly hitting Magento shopping carts, for a loose collection of criminal groups that inject JavaScript skimmers into e-commerce checkout pages, either by tampering with the site’s own scripts or by compromising a third-party script the site loads. The skimmer runs in the customer’s browser, reads the payment form as it is filled in, and posts the card data to a server the attackers control, so the merchant’s server-side controls never see the data leave.
To take a step back, credit and debit card data has traditionally been stolen by physical devices attached to Automated Teller Machines (ATMs), gas pumps, and Point of Sale (POS) terminals. These devices are placed over the real card reader and capture the payment card details when a customer inserts his or her card into the legitimate reader. (Security pro tip: pull hard on the card reader at an ATM or gas pump. You may look dumb if you’re wrong, but card skimming devices are often not physically secured well and you may find one in the wild.) This data is monetized by selling card numbers in bulk on underground websites, often reachable only through Tor to protect anonymity, called carding forums. One famous carding forum, ShadowCrew, which counted Albert Gonzalez of later TJX and Heartland Payment Systems breach fame among its administrators until it was taken down in 2004, featured seller accounts, review capabilities, and how-to tutorials. A seller’s reputation and sales depend on providing high quality stolen data with a low number of invalid cards. If too many purchased cards are invalid, incomplete, or already cancelled, buyers leave negative feedback and that seller’s sales drop.
Payment card theft, like compromising insecure IoT devices, is a zero-sum game: a card number can only be sold as fresh once. If Group A compromises Acme Corporation’s website to steal payment card details from its customers, Group B compromising the same website gets exactly the same card numbers as Group A. When both try to monetize them on carding forums, the numbers are worth significantly less, because buyers end up with duplicates and cards that were already used and cancelled after the first sale. It is therefore in a group’s best interest to lock other groups out of the sites it has compromised, to protect the exclusivity, and with it the value, of its stolen data.
In the spirit that attacks never get worse, they only get better, Magecart and digital card skimming code will continue to proliferate and become more sophisticated. With cryptocurrency prices down and cryptojacking less profitable, hacking groups are turning their attention to other low hanging fruit such as digital card skimming. Easy access to ready-made skimmer code only exacerbates the problem. According to Fortune, US Black Friday 2018 e-commerce sales jumped 23.6% compared to 2017, making digital card skimming a target rich environment with a growing total addressable market. Of note, almost 30% of US Black Friday 2018 sales were made from smartphones, which typically lack the endpoint security tooling found on managed laptops and desktop PCs.
While from a security research perspective it is hilarious to watch the drama unfold as rival hacker groups compete with each other, we cannot simply "Give 'em guns, step back, watch 'em kill each other”, as famous lyricist Tupac Shakur once opined. Innocent customers are getting caught in the crossfire, and at the end of the day someone’s payment card details are being stolen and sold. In 2016, identity theft and credit card fraud cost consumers, banks, insurers, and merchants over $16 billion in the US alone. Until companies are held more accountable for protecting their customers’ data by securing their own systems and those of the third parties they rely on, it’s up to the customers to keep their data safe.
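Whichever gang wins the fight over a checkout page, the defender’s problem is the same one: script running on the payment page that nobody reviewed, whether it is a tampered first-party file or an unvetted third-party widget. As an added example (this is not code from the original post, and the host name, URLs and script bodies in it are constructed), here is a Python check that inventories the `<script>` tags on a checkout page, flags inline and unpinned scripts, and verifies a Subresource Integrity pin against the body that is actually served:

```python
"""Audit the <script> tags on a checkout page for Magecart-style risk.

Added example, not code from the original post. The page HTML, the first-party
host name, the script URLs and the script bodies are all constructed here so the
check runs offline; in practice the bodies come from fetching each URL.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOST = "shop.example.com"          # assumed merchant origin (constructed)
SRI_ALGOS = ("sha256", "sha384", "sha512")     # the digests SRI allows


class ScriptCollector(HTMLParser):
    """Collect every <script>: src and integrity for external ones, body for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI string ('sha384-<base64 digest>') that pins this exact body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def audit_scripts(html: str, fetched: dict) -> list:
    """Return (kind, src, detail) findings for scripts that fail the payment-page policy.

    Policy: no inline script, every external script pinned with SRI, and the body
    actually served must match the pin. `fetched` maps script URL -> bytes served.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:
            findings.append(("inline", None, "inline script on payment page; move it to a pinned file"))
            continue
        # A relative src has no hostname and is served by the merchant itself.
        host = urlparse(s["src"]).hostname or FIRST_PARTY_HOST
        origin = "first-party" if host == FIRST_PARTY_HOST else "third-party"
        if not s["integrity"]:
            findings.append(("no-sri", s["src"], f"{origin} script without integrity attribute"))
            continue
        body = fetched.get(s["src"])
        if body is None:
            findings.append(("unverified", s["src"], "script body not available to check"))
            continue
        # SRI allows several space-separated pins; the script passes if any one matches.
        pins = s["integrity"].split()
        matched = any(p.split("-", 1)[0] in SRI_ALGOS and sri_value(body, p.split("-", 1)[0]) == p
                      for p in pins)
        if not matched:
            findings.append(("sri-mismatch", s["src"], f"served {origin} script does not match its pin"))
    return findings


# Constructed checkout page: a pinned first-party script, an unpinned third-party widget,
# and an inline config blob. A tampered first-party file and an unvetted third-party
# script are the two ways the BA and Ticketmaster skimmers got onto the page.
CHECKOUT_JS_URL = "https://shop.example.com/js/checkout.js"
CHECKOUT_JS_BODY = b"/* constructed checkout.js */ document.querySelector('#payment');"
WIDGET_JS_URL = "https://cdn.chat-widget.example/widget.js"

CHECKOUT_HTML = (
    "<html><head>"
    '<script src="' + CHECKOUT_JS_URL + '" integrity="' + sri_value(CHECKOUT_JS_BODY) + '"></script>'
    '<script src="' + WIDGET_JS_URL + '"></script>'
    '<script>window.__cfg = {currency: "USD"};</script>'
    '</head><body><form id="payment"></form></body></html>'
)


def audit_clean():
    """Page as deployed: only the unpinned widget and the inline blob are flagged."""
    return audit_scripts(CHECKOUT_HTML, {CHECKOUT_JS_URL: CHECKOUT_JS_BODY})


def audit_tampered():
    """Same page, but the served checkout.js has had a skimmer appended: the pin catches it."""
    tampered = CHECKOUT_JS_BODY + b"\n/* appended by attacker */"
    return audit_scripts(CHECKOUT_HTML, {CHECKOUT_JS_URL: tampered})


if __name__ == "__main__":
    for kind, src, detail in audit_clean() + audit_tampered():
        print(f"{kind:13} {src or '-':45} {detail}")
```

Run as a script it prints the findings for the clean page and for the tampered one. SRI alone is not enough: a pinned script can still pull in more scripts at runtime, and a skimmer needs an outbound request to exfiltrate the card data, so pair the pins with a Content-Security-Policy whose `script-src` and `connect-src` list only the hosts the checkout page needs, and alert on the violation reports the browser sends back.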