130 Million Credit Cards and the Insider Threat

The Department of Justice in San Francisco released a number of interesting details today in their indictment of Albert Gonzales, a former informant for the Secret Service already in custody.

In brief, the largest and most sophisticated breaches of credit-card data are now being tied to a relatively small group with special knowledge.

Gonzalez was a Secret Service informant who once went by the nick “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site, setting up a VPN for the carders to communicate, which was controlled out of the Secret Service’s New Jersey office.

That undercover operation, known as “Operation Firewall,” led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami, Florida, where he resumed his life of crime under the nose of authorities who were in pursuit of “Segvec,” while being ignorant of the fact that he was their old informant.

Gonzales learned from helping take down the Shadowcrew. You might even say it helped him eliminate his competition as he then set out to run a new criminal operation that evaded the Secret Service and befuddled investigators.

Gonzalez, in the proud tradition of federal informants dating back to the Mafia crackdowns of the 1970s, was already an informant for the U.S. Secret Service when the retail war-driving scheme hatched, and he’s accused of using his inside knowledge of prosecutions to steer select underground allies clear of trouble.

His success also was in no small part due to help from others who trained and worked with security operations. We saw already, for example, that a former employee of Qualys and close friend of Gonzales named Stephen Watt wrote software called “blabla” and modified it at Gonzales’ request to sniff card data. Watt’s name appeared after Gonzales was arrested and charged in August of 2008 with attacking TJX, OfficeMax, Dave & Busters, BJ’s Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Gonzales, also known as “j4guar17” and “soupnazi” ran his operation from Miami. He amassed $1.6 million in a bank account and supposedly was awash in cash. He will go on trial next year for that set of breaches but today’s indictment ties him to the latest 7-Eleven, Heartland and Hannaford incidents with connections to new and different co-conspirators.

The description of this as an “insider” threat seems to center around the use of security knowledge, rather than any true insider role by the attackers. The group apparently did not have anyone actually working as an employee of the breached targets. Instead they used known weaknesses in wireless security, as well as databases (SQL injection), to remotely access the targets. They then installed programs specifically designed to evade the top 30 antivirus vendors, dumped card data, and then erased their tracks. Those four steps combined are what everyone will be calling a highly sophisticated attack. Any one of the steps alone is in fact sophisticated, but to put them all together and run an invisible operation for many months across multiple sites is why the “insider” label is likely to be applied. Nonetheless, I would argue this neither diminishes compliance regulations nor suggests that defense against attack is impossible.

Plausable Deniability brought up this line of thinking last year. They asked the usual questions about how one should ever hope to find a dedicated attack when it is based on specialized and sophisticated knowledge.

Is it unnerving that malware was designed and tested by the Gonzales’ operation to escape detection by the top 30 antivirus vendors? I say no. We have known for a very long time that antivirus software is limited in its ability. That is why it is not the one and only security control required for compliance.

Other controls such as a properly managed firewall and code reviews are also required. I have discussed this in detail in my top ten breaches presentation. There are at least five and maybe six distinct steps that could have tripped a security team in the Hannaford case, completely outside the role of antivirus. Note that major antivirus vendor McAfee recently released a “Virtual Criminology Report” and Symantec has published a “Report on the Underground Economy”.

I believe this is recognition of the fact that while antivirus software might catch a lot of bad code for known vulnerabilities it is definitely not the answer to cybercrime or emerging threats. These reports thus start to scratch the surface of social and economic factors that play into security and antivirus management with a nod to traditional anti-fraud concepts as well as law enforcement response techniques. Fighting cybercrime, as any of your local law enforcement officers will tell you, is not just about holes and patches and it is not just for techies anymore.

That’s it for now. I will put together a webcast with much greater detail on the methods used in these cases, the success of PCI compliance, where threats are going and how to catch the next Gonzales. Hope you will have a chance to listen. Hint: a common theme of the emerging attacks, as discussed in my top ten breaches presentations, is communication among conspirators.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.