Casino Had 150,000 Credit Card Numbers Stolen Last Year
If you’re using networked computers, the chances are that at some point you’re going to be vulnerable to a breach. Security professionals understand this best, but they also understand that there is a lot one can do to prevent breaches. When dealing with other people’s money and personal information, the onus to secure systems grows tenfold.
But according to FireEye, last year a breach of 150,000 credit cards took place at an unnamed casino. The attackers, a group FireEye tracks as “Fin5,” had no trouble waltzing through the underwhelming security measures in place. The casino’s payment systems were not even firewalled. There was no logging active. Logging on its own would not necessarily have provided any details, but it could have if done properly: remote logging, for instance, ships a copy of each event to a separate collector, so administrators can still be alerted even when an attacker destroys the local logs on the way out. That would not have immediately yielded a culprit, but it could have been helpful to security investigators.
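To make the remote-logging point concrete, here is an added example (not code from the article, FireEye or Mandiant) that reconciles what a remote collector retained against what is left on the host, which is exactly the comparison an investigator makes after local logs have been wiped. The host name, account, IP address and log lines are constructed for illustration; the syslog format assumed is the classic RFC 3164 layout without a year.

```python
"""Reconcile a host's surviving local syslog with the copy a remote
collector received, to surface entries an intruder deleted locally.

Added example, not from the original article or the vendors it cites.
All log lines below are constructed; hosts, users and addresses are
hypothetical (203.0.113.0/24 is a documentation range)."""
import re
from datetime import datetime

# Constructed sample: everything the remote collector received from the
# payment server, including the command that later wiped the local logs.
REMOTE_LOG = """\
Oct 12 02:14:01 pos-srv-01 sshd[4121]: Accepted password for svc_vendor from 203.0.113.45 port 51522 ssh2
Oct 12 02:14:03 pos-srv-01 sudo: svc_vendor : TTY=pts/0 ; PWD=/home/svc_vendor ; USER=root ; COMMAND=/bin/bash
Oct 12 02:31:17 pos-srv-01 kernel: device eth0 entered promiscuous mode
Oct 12 02:58:44 pos-srv-01 sudo: root : TTY=pts/0 ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log /var/log/syslog
Oct 12 03:00:01 pos-srv-01 CRON[4410]: (root) CMD (/usr/local/bin/batch-settle)
"""

# Constructed sample: what remained on the host after the clean-up.
# Only events written after the deletion survive.
LOCAL_LOG = """\
Oct 12 03:00:01 pos-srv-01 CRON[4410]: (root) CMD (/usr/local/bin/batch-settle)
"""

# RFC 3164 style line: "Mon DD HH:MM:SS host message". No year field,
# so timestamps are only comparable within one calendar year (assumed).
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
TS_FMT = "%b %d %H:%M:%S"


def parse(text):
    """Return (timestamp, host, message) tuples; skip unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def missing_locally(local_text, remote_text):
    """Entries the collector received that the host no longer holds."""
    local = set(parse(local_text))
    return [e for e in parse(remote_text) if e not in local]


def tamper_window(missing):
    """Timestamps of the earliest and latest deleted entry, or None."""
    if not missing:
        return None
    ordered = sorted(missing, key=lambda e: datetime.strptime(e[0], TS_FMT))
    return ordered[0][0], ordered[-1][0]


def deletion_evidence(missing):
    """Deleted entries that themselves record tampering with /var/log."""
    return [e for e in missing if "/var/log" in e[2]]


if __name__ == "__main__":
    gone = missing_locally(LOCAL_LOG, REMOTE_LOG)
    print(f"{len(gone)} entries exist only on the collector")
    print("gap covers", tamper_window(gone))
    for ts, host, msg in deletion_evidence(gone):
        print("log wiping recorded remotely:", ts, host, msg)
```

Matching on the full (timestamp, host, message) tuple rather than line position keeps the comparison stable when the two copies differ in ordering or trailing whitespace; the remaining caveat is that the collector itself must be unreachable from the compromised segment, otherwise the attacker simply wipes both copies.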
Emmanuel Jean-Georges of Mandiant told the Register yesterday that he has investigated a total of 12 firms victimized by “Fin5,” but believes there have been six others. He singled out this firm in his talk at the Cyber Defence Summit in Washington, DC because its lack of security was so striking. “It was a very flat network, single domain, with very limited access controls for access to payment systems,” he said.
Had this casino hotel operator had even minimal or basic protections in place like a firewall with default deny systems to limit access to PCI (payment) systems … it would have slowed down the attackers and hopefully set off red flags.
Barry Vangerik from FireEye said that at least two payment system providers have been hacked by “Fin5” and that the group is now targeting their clients. Firms were warned to check the security of anything to which third parties have access, since the group’s typical modus operandi is to gain initial access with stolen credentials. A reset of all credentials would be a good start, but there are a number of other steps firms can take to further protect themselves against “Fin5.”
“Fin5,” unlike many similar attack groups, is professional grade. They write their own tooling: “Driftwood,” which locates credit card data, along with “Turnhull” and “Flipside,” a backdoor and a persistent VPN service respectively. In some cases, black hats can make more money trafficking in such tools than by using them themselves. But in the case of “Fin5,” the group seems to have no trouble profiting from its own tools.
Vangerik noted that Driftwood is “incredibly well commented,” meaning that the code is explained thoroughly using the language’s comment syntax. In programming, a comment is a way to explain to other programmers what is going on in a particular block of code, and typically only commercially funded software and very well organized open source projects are commented that carefully.
The researchers noted for the audience that the casino had, after bringing in more than one computer security incident response team, implemented a number of security changes, including two-factor authentication and system logging.