Subway hack wasn't fresh

The tools used in a recent Subway card skimming operation are widely available on the internet for anyone willing to take the risks.

According to Dave Marcus, director of security research and communications at McAfee Labs, the poor security measures present in small businesses and their reliance on common, inexpensive software packages made them easy pickings for large-scale scams.

indictment unsealed in the US DistrictCourt of New Hampshire on 8 December alleged that hackers gathered the credit and debit card data from more than 80,000 victims.

Four Romanian nationals remotely accessed point-of-sale systems of 150 Subway sandwich shops and 50 unnamed retailers.

The men are alleged to have scanned the internet to identify point-of-sale terminals that used certain remote desktop software applications, and then gained unauthorised access to them by guessing or 'brute forcing' passwords.

However, the indictment claimed that the methods used by the attackers were hardly sophisticated, as the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them.

The software provided a ready-made back door for the hackers to gain entry to the point-of-sale systems; the applications used by these retailers clearly did not have two-factor authentication.

The Justice Department alleged that the hackers gained access to the remote desktop software by guessing or cracking the passwords they were configured with.

Once they were in, the hackers deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems, such as credit card scans.

They also installed the xp.exe Trojan onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware and prevent any security software updates.

The hackers are also alleged to have periodically rounded up the dumped transaction data and moved it to file transfer site sendspace.com, which said that it co-operated with the FBI in the investigation of the hack.

Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines, while the rest of the stolen data was sold in blocks to other criminals from the Sendspace server.

Subway declined to discuss the measures taken as "we don't want to give away the blueprint" to other potential attackers, and said Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.

This article originally appeared at scmagazineuk.com