SQL injection botnets now used for large-scale fraud
By Asavin Wattanajantra in Editorial
Posted in botnet, fraud, RSA on
In my last blog I wrote about how SQL injection attacks were used in the case in America where 130 million debit and credit card details were stolen.
To make things a little clearer, SQL injection attacks are where a hacker attacks the database of a website and executes unauthorised commands by taking advantage of insecure code.
Albert Gonzalez and others were alleged to have used this technique after researching their payment processing systems.
I asked RSA security expert Uri Rivner by email about how they would have used it to get such a large number of card numbers.
He said: “The SQL self-expanding botnet was a stroke of breakthrough creativity, and I’d say its timing was just right for the fraud community.
“In the past couple of years, Trojans - once the tools of the very savvy high end of cyber crime - have become cheaper and easier to use, but there was one thing missing: scale.
“In order to really capitalise on Trojan technology, fraudsters had to look for ways to distribute their malware to a huge amount of victims.”
He said that criminals now had the scalability they needed, and used the example of a mammoth phishing operation called RockPhish that had a change of heart and migrated to Asprox - an SQL injection botnet.
130 million card numbers were stolen by SQL injection
By Asavin Wattanajantra in Editorial
We’ve already covered the ‘largest identity hack’ case in some depth, but here are a few more details of the hack that come from the press release issued by the Department of Justice (DOJ).
According to the information given, the conspirators used a ‘SQL injection technique’, which it said “seeks to exploit computer networks by finding a way around the network’s firewall to steal credit card information”.
We’ve covered a number of stories about SQL injections before, but never anything on this kind of scale financially. It’ll be interesting to see what other details emerge about the technical aspects of the attack.
Dark Market and the downfall of an online fraudster
By Asavin Wattanajantra in Editorial
Posted in online fraudster, criminals, card skimmers, fraud, financial on
RSA has pointed me to this blog post that offers some previously undisclosed information about one of the members of Dark Market, a forum which involved criminals buying and selling credit card data and was shut down by law enforcement.
It shows that although it might be easy to make money as an online fraudster, the law may be beginning to catch up with the problem thanks to intelligent detective work.
Chao, real name Cagatay Evyapan, was behind a group called the ‘Crime Enforcers’ - an assembly line of ATM and Point of Sale card skimmers. RSA’s Uri Rivner said that he climbed the ladder of the criminal underground, and at that point became a name that all cyber criminals recognised.
Rivner says that Chao stood out as an ‘exceptional’ online fraudster - he even created instructional videos explaining how to install ATM skimming devices he built and sold.
Instruction video on using ATM skimming devices.
How Chao was caught
Chao was caught through the Dark Market operation as a moderator. Using undercover tactics, FBI agent Keith Mularski pretended he was a fraudster using the handle ‘Master Splynter’.
He was found in Turkey thanks to the Turkish National Police cooperating with several law enforcement agencies around the world, including the FBI. The police found him due to one weak link in the chain - he needed to ship thousands of ATM skimmers around the world.
Discussions with international shipping companies led to the pinpointing of Chao’s whereabouts. They located Chao on the outskirts of Istanbul, put him under surveillance and found his apartment being used as a huge assembly line for card skimming devices.
Seven ‘Crime Enforcers’ were arrested, including people helping him with the manufacturing and his cashier.
The result of the raid
The Turkish police found 1,000 ATM skimming devices, 2,000 fake PIN pads, and a large number of fake Point of Sale devices - the ones you use in restaurants.
Rivner said that a single ATM skimmer could record one hundred withdrawals a day. Using a ‘conservative’ estimate of $1,000 per compromised card, that is potential damage of 100 million dollars a day.
If it takes ten days for the device to be discovered, that’s one billion dollars of potential fraud.
So the rewards are great - but as Chao’s arrest shows, maybe there is light at the end of the tunnel thanks to worldwide law enforcement cooperation.
But as Uri says, as soon as Chao was caught, others have taken his place.

