Jason Glassberg is co-founder of Casaba Security, a “white hat” hacking firm that regularly analyzes new malware and hacking techniques used by criminal groups and tracks carding forums in the “dark net.” STORES contributing writer David Schulz spoke with Glassberg about his work and current activities among criminal hackers.
Why are retailers such popular targets for hackers?
To quote Willie Sutton, “Because that’s where the money is.”
That said, it’s important to distinguish between various “hacks,” such as phishing attacks, point-of-sale network breaches, network breaches and other criminal activity. Hacks are often, if not always, carried out by sophisticated groups. They require skill, malware and some knowledge of the buyer-seller system on the darknet.
Breaching a network is a much harder task, but as we’ve seen through countless reports in the press, it is happening quite often. For retailers, it can be difficult to prevent these attacks because there are multiple ways the attacker may seek to exploit them — from hitting individual store networks to the main corporate network, payment card processors, online payment processes, phishing individual employees or executives.
The primary disadvantage for a retailer as opposed to many other companies is that a retailer has a much larger footprint. Stores are miles if not states apart, which makes it harder to manage IT security consistency, auditing, software updates and patching and vulnerability tests.
In terms of anti-hacking defenses, how do U.S. retailers rate versus their European and Asian counterparts?
U.S. retailers have been at a disadvantage for many years because of the U.S. commitment to magnetic strip cards, instead of the more secure smart chip cards which other countries adopted a long time ago. Card issuers have finally switched U.S. consumers to chip cards.
However, when it comes to network security, I would say U.S. retailers are at approximately the same level as companies in Europe and do a bit better than their counterparts in Asia.
What can you tell us about Fin7, the hacking operation recently broken up by authorities?
Fin7 was a sophisticated cybercriminal group that specialized in point-of-sale and phishing hacks. The hackers themselves were from the Ukraine and possibly other Eastern European countries. They had the ability to create very sophisticated phishing campaigns and adapt/customize malware.
They were patient and determined. When they hit a retailer, they not only tried to “cash out” by stealing card numbers, but they also looked for ways to embed themselves in the network so they could return to it again and again, even after a security response to a detected breach.
How do groups like Fin7 differ from lone wolf techies amusing themselves by hacking into systems just for the challenge of it?
I’m glad you asked that. There are a lot of myths about hackers that persist to this day. Hackers who target big companies hardly ever work alone. They are usually part of a group of some kind because it is difficult to target a corporation, whether it’s Macy’s, The Home Depot, Arby’s, what have you. Different skill sets are required.
For instance, one person may be really good at malware design. Another might be skilled at Windows exploits. Another has experience with point-of-sale systems because he used to be a security engineer for a POS or retail company. It makes sense to work together, and the darknet makes this a lot easier to accomplish as it provides a good place for hackers to network and build relationships.
You said Fin7 specialized in POS attacks. How were they doing this?
They focused on this sector because it’s an easy way to make money, selling personally identifiable information in the darknet. They did it by conducting online surveillance, probably vulnerability scans as well, and using well-crafted and targeted phishing emails combined with phone calls as “air support” to boost the click rate and customized malware. They also knew how to gain persistence on a network, and then had the know-how to sell on the black market.
Can you go into a little more detail on “persistent malware”?
The basic idea with persistent malware is that it keeps the hacker on the network for a prolonged period of time, either by staying under the radar or by surviving cleanup efforts by security teams after the initial breach is detected.
There are a lot of ways a hacker can do this, ranging from utilizing less “noisy” malware techniques like fileless malware code injections, cryptors/packers and other signature obfuscation methods, to droppers/loaders that don’t do anything malicious — they just wait until some future date to install a malicious program— to anti-forensic, self-propagating worms that spread rapidly across networks, zero-day exploits and more.
It seems hacking is no longer a one-time event that lasts until it is detected, that hackers are now fighting to maintain access to hacked systems. Is this true?
For the sophisticated hacker, getting booted after a successful breach is just dumb. Remember, it takes time, money and effort to breach a major network. As an attacker, you have to find some vulnerability in the system that lets you get inside. Nation-states are masters at the persistence game, and cybercriminals are no different — if you can get in and stay in, your potential haul will be bigger.
There’s another issue related to this that retailers need to be cognizant of. Increasingly, hackers will use one clumsy, noisy attack to divert attention away from another stealthier, more substantial hack. For example, [attacking]the phone system or defacing the website to draw the security team’s attention away, then they slip in through a network vulnerability and quickly try to migrate into a sensitive area.
How can retail incident response teams keep up with hackers?
They need to evolve to the threat. Right now, incident response is largely stuck in 2000s mode. Companies still think of hacking as a “one-time event,” as you said. They think of it as a static event that isn’t morphing all the time and escalating rapidly. They don’t think about persistence. They don’t think about diversionary tactics. They don’t think about destructive attacks — and that’s another thing here that retailers, in particular, need to start considering.
Retailers also need to be more active in the threat intelligence field — information sharing. They should deploy threat hunter teams to track and monitor various high-risk groups and active darknet forums. They also need to go beyond the standard payment card industry audit — robust penetration tests are vital to determining just how exposed and vulnerable a retailer’s very large footprint, both virtual and physical, actually is.
How extensive are darknet operations?
They are often very extensive. The darknet has made it possible for an unprecedented scale and range of coordination between disparate criminals and criminal groups across the globe. A hacking team in Ukraine could conceivably work with a cash-out operation in Mexico. Malware developers in Russia could work with a POS team in the U.S.
The darknet makes it possible for hackers to find each other, to recruit experts and teams for specific goals, and to sell their booty at market prices. At the same time organized crime is increasingly taking over parts of the cybercrime industry, and they bring to that their own well-established networks and their sophisticated sense of management and structure.
When it comes to POS hacks, think of it as a business ecosystem: You have a group that designs the malware or other hacking tools (exploit kits, botnets, IP hosts, etc.) and sells it to the hacking team; you have the hacking team, a group that is good at breaching a retail network (usually by phishing, sometimes through more advanced means like finding a network vulnerability); then you have the PII distributors, the ones who run the online carding forums, which are sometimes independent operators and sometimes tied directly to the POS team. Then you have the cash-out teams, which are also sometimes part of the original POS group and sometimes independent operators.
Fin7 used project management software to keep track of its diverse hacking operations. How sophisticated is that?
It shows a level of organization and management that we don’t often see with cybercriminal groups, but it’s not the most impressive thing about them, in my opinion. They basically ran a large vertical organization in the POS theft market, hitting all the big retail and restaurant names you can think of.
They had a front security company and may have even used it as a way into corporations. They created their own malware and kits. They achieved persistence on well-protected corporate networks. They were even beginning to target the Securities and Exchange Commission, which means they were probably planning to expand into pump-and-dump and other stock manipulation schemes.