Credit card crooks

What identity thieves are seeking is money, of course. But those who broker in stolen credit cards also are strongly motivated by status.

What identity thieves are seeking is money, of course. But those who broker in stolen credit cards also are strongly motivated by status, says Dan Clements, CEO of CardCops.com , a credit card protection service agency that scours the Internet for compromised credit card and personal data and reports it to victims and banks.

“Carders would love to root servers at e-commerce sites and own them, especially when credit cards are sitting there unencrypted,” Clements says. “Then they post them to carder Web sites and say, ‘Hey, rate me.’ The better your rating, the better your trading privileges.”

Increasingly, carders are part of organized crime rings mostly from former Soviet Union states, Kilger says. In these cases, after the cards are used to purchase expensive items, they’re posted at carder sites to obscure their usage patterns and therefore confuse investigators.

Attackers going after e-commerce sites also indiscriminately look for the weakest security . “I call these ‘targeted victim attacks.’ They gain root with the specific intent to steal something,” C&W’s Neal says. “I would expect the pattern of intrusion activity to be similar to a ‘target of opportunity’ attack.”

Such an opportunity presented itself in January 2002 to a carder who had rooted at least one server at an e-commerce hosting provider. The case began to unfold in September, when CardCops investigators culled some 60 invoices (complete with purchaser’s names, addresses and phone numbers) off Carderplanet.com, a carder Web site since removed.

“We noticed that the invoice numbers had the same long-digit formats. So we started calling the consumers whose card numbers, phone numbers and addresses were on the invoices. We asked them where they shopped. We were able to trace them all back to several merchants at a single hosting provider called Serve.com (since renamed as Datarealm).

PATTERNS OF BEHAVIOUR Profile 2: CREDIT CARD CROOKS • Act quickly and precisely to make their activities harder to detect. • Exploit perimeter through vulnerable ports, services and buffer overflows. • Use Trojan horses (hidden software) to leave back doors for re-entry. • Use sniffers to capture passwords. • Stick around until noticed. • Make few or no mistakes. COUNTER MEASURES For SELF-SUPPORTING e-commerce sites: • Spend resources protecting that which is most valuable (the customer database). • Encrypt credit cards in databases. For SELF-SUPPORTING e-commerce sites: • Contractually bind your hosting service to conduct quarterly vulnerability assessments. • Don’t collocate. Use a dedicated server. • Purchase extra security options.

When he called the merchants whose invoices were heisted, they complained that they’d suspected problems for months because cards were approved at the time of purchase, but then declined two weeks later when they rechecked the cards before shipping backorders.

Clements e-mailed Serve.com’s system administrator, who attributed the problem to a flaw in the shopping cart software that affected only 24 of Serve.com’s 4,000 e-commerce clients. Then in November, a skin care merchant hosted at Serve.com found an alteration to her directory – a page added on Jan. 23, 2003, titled “index.old.” She clicked on the page that read, “MuShrooM said That No RedeFace (sic) ! ! nitr0x Ownz serve.com …lol.”

Clients of Serve.com, along with its CEO and systems administrator, didn’t return Network World’s calls about the incident, so details are not forthcoming as to how the carder gained root.

However, Neal surmises that once the perimeter is exploited, carders act more professionally because they don’t want to be caught (see graphic, above.)

Main | Next: Profile 3: Filching Files from Within