Global Payments, an Atlanta-based payment card processing firm, announced yesterday that it had suffered "unauthorized access into a portion of its processing system". The attack was uncovered sometime in early March, and there are indications that the breach occurred between January 21st and February 25th of this year.
At the moment there is very little public information about the nature of the breach, only that the details of an estimated 10,000,000 cards (track 1 and track 2 data, effectively what is needed to clone physical cards) have been slurped by the attacker(s). Global Payments will hold a conference call on Monday, April 2, 2012 at 8:00 AM EDT. Personally, I'm not expecting much in the way of additional information about the method and vectors of the breach to be discussed, but I would expect a lot about what they've done to reduce fraudulent use of the stolen card details.
There are a number of unverified reports that a New York City street gang with Central American ties took control of "an administrative account that was not protected sufficiently". Hopefully a little more light will be shed over the following days as to the nature of the breach — less so for closing the case at Global Payments, but more for others to learn from and to not repeat these kinds of mistakes.
When it comes to breaches like this — as in attacks that appear to target large organizations that hold large volumes of easily sellable data in the digital underground — the three most common vectors from my experience are the following:
For organizations likely to suffer such targeted breaches (whether or not the initial compromise was due to an opportunistic or non-targeted infection vector), there is obviously a myriad of technologies and tactics that can be implemented (and typically are) to identify a breach in a timely manner and limit the loss from it. Some of the most successful approaches I've seen in recent years are the following:
Hopefully most organizations are aware that modern crimeware rarely comes through the front door in an easily inspectable form. Even insiders have found it increasingly advantageous to use their own crimeware as a method of remotely accessing devices within the targeted organization and transporting the stolen data out. As such there is a need to identify egress traffic associated with crimeware, and to instrument the organization with canary data records and decoy administrative accounts so that any use of them outside their intended place raises an alert.
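As an added example (not code from the original post, nor anything Global Payments runs), the following Python sketches the instrumentation described above: it seeds Luhn-valid canary card numbers under a prefix that no issuer uses and a decoy administrative account, then scans constructed egress-proxy and authentication log lines for any appearance of either. The 9999 prefix, the svc_backup_admin account name, the hosts and the log formats are all assumptions made for the example.

```python
"""
Added example (not from the original post): seed canary card records and a
decoy administrative account, then scan constructed egress and auth log lines
for any sign that either has been touched. All PANs, account names, hosts and
log formats below are made up for the example.
"""
import re
from dataclasses import dataclass


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn check digit for a digit string that lacks its check digit."""
    total = 0
    # Walk from the rightmost body digit; that digit (and every second one) is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the PAN's last digit is the correct Luhn check digit for the rest."""
    return len(pan) >= 2 and pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def make_canary_pans(count: int, prefix: str = "9999") -> list:
    """Generate Luhn-valid 16-digit PANs under a prefix no issuer uses (9999 is an
    assumption for the example). Seed these into the card database; they are never
    issued to anyone, so any appearance outside that database is evidence of theft."""
    pans = []
    for n in range(1, count + 1):
        body = prefix + f"{n:0{15 - len(prefix)}d}"
        pans.append(body + luhn_check_digit(body))
    return pans


# Decoy administrative accounts: created, privileged-looking, never used by staff.
HONEY_ADMINS = {"svc_backup_admin"}  # constructed name

DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")  # digits optionally separated by space or dash
LOGON_EVENT = re.compile(r"\bauth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)")


@dataclass
class Alert:
    kind: str       # "canary_pan" or "honey_admin"
    line_no: int
    indicator: str


def find_canary_pans(line: str, canaries: set) -> set:
    """Return the canary PANs present in one log line. PANs may be written with
    spaces or dashes, or sit inside a longer digit run (track-2 data), so every
    13..19-digit window of each normalised digit run is compared to the canary set."""
    hits = set()
    for m in DIGIT_RUN.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        for width in range(13, 20):
            for i in range(len(digits) - width + 1):
                window = digits[i:i + width]
                if window in canaries:
                    hits.add(window)
    return hits


def scan_logs(lines, canaries, honey_admins=HONEY_ADMINS) -> list:
    """Scan egress-proxy and auth log lines; return one Alert per canary hit."""
    alerts = []
    for no, line in enumerate(lines, 1):
        for pan in sorted(find_canary_pans(line, canaries)):
            alerts.append(Alert("canary_pan", no, pan))
        m = LOGON_EVENT.search(line)
        if m and m.group("user") in honey_admins:
            # Success or failure alike: nobody legitimate should touch this account.
            alerts.append(Alert("honey_admin", no,
                                f"{m.group('user')}@{m.group('src')} {m.group('res')}"))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "Feb 03 02:11:45 proxy: dst=203.0.113.9:443 method=POST bytes=48211 body='...pan=9999 0000 0000 0012;...'",
    "Feb 03 02:11:46 auth: user=jsmith src=10.0.5.17 result=success",
    "Feb 03 02:12:03 auth: user=svc_backup_admin src=10.0.5.17 result=failure",
    "Feb 03 02:12:09 auth: user=svc_backup_admin src=10.0.5.17 result=success",
    "Feb 03 02:15:30 proxy: dst=203.0.113.9:443 method=POST bytes=901212 body='...;9999000000000020=1412101...'",
    "Feb 03 02:15:31 proxy: dst=198.51.100.4:443 method=GET bytes=1402 body=''",
]

if __name__ == "__main__":
    canaries = set(make_canary_pans(3))
    for alert in scan_logs(SAMPLE_LOGS, canaries):
        print(alert)
```

Two design points matter in practice: the canaries are Luhn-valid so that the attacker's own tooling does not filter them out as junk before exfiltration, and the match is done on normalised digit windows rather than a fixed regex so that reformatted, space-separated or track-2-embedded copies still trigger. Against the sample lines, the scan raises four alerts: two canary PANs leaving via the proxy and two attempts (one failed, one successful) against the decoy account.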
With a bit of luck we'll get more insight to the Global Payments breach over the coming weeks. However, I suspect that it's going to be the same old story again. The cybercriminals have better tools than their victims and are more agile in their deployment and use.
By Gunter Ollmann, Chief Security Officer at Vectra