>> Hello, my name is Weston Hecker, Goodbye Memory Scraping Malware. I'll go over the talk in great detail about some of the -- a concept, I'm not plugging any kind of software, proof of concept. DEF CON lunch. Had trouble with internet connectivity, load everything up there, play around with it. I work for a company, KLJ, engineering company up north. Not the views of my employer. Yeah, who am I? What is this talk about? I spoke at DEF CON 22. A lot of computer certifications. I went for computer science in geophysics. So I've done pentesting professionally about 11 years. A lot of security research, in malware, things like that, so spoke at DEF CON 22 last year, on burner phone DDoS. Did anybody check that out? That was good times. We do a lot of auditing. I know lots -- I've read so many manuals it's not even funny. Wrote custom exploits for a lot of obscure ISP gear. Something that's neglected. A lot of people write exploits, they go for the 50,000 units, 500,000 units, so it's nice to be able to have -- exploits for more obscure gear. Anybody here do pentesting for a living? Yeah. It's really, really hard to find some of the exploits for some of the more obscure gear. Nice to have a community going. Anybody have questions about that, feel free to throw out information for contact later on. The software I'm going over today, it was myself and a co-writer, Tim Schwartz, a concept we came up with. Got sick of hearing of breaches in the news. Something implemented correctly, it could stop a lot of the breaches. So like I said, source code will be loaded on GitHub later today. Yeah, everything in -- as far as pentesting goes, banks, hospitals, you name it, and actually off my talk last year, DHS contract over the next three years to attack 911 centers, so that is very good times to be had. So I did -- last year, you do pentesting, rubber duckies, an amazing thing.
10C3.0s, fake phone closures, teach -- tired of -- now I rock an HTC, Android handset for that matter, and they're little -- keyboard, you can do drive-by attacks, you can run stuff. It's very, very cool stuff. If you have any questions, how to build one, let me know. I'm going to get the demo started here, so we can see how it goes, as it progresses. So -- slides here for one moment. There we go. Anybody familiar with point of sale skimming software? Done any research on it or seen any other demonstrations? This is -- the only reason I used I, a BlackPOS variant, very graphically nice to view, so -- and actually I have a command version of -- you'll be able to see all the console injection, so actually slowed it down, normally injects 500 cards per second into memory. Feeds the malware fake credit card numbers. Going to show a little demonstration. The actual. This is not set up like a normal environment. Normally the POS does not have where the malicious data is being sent to on the same system. Just for demonstration purposes, I'm sure everybody knew that. I had to get that out there from when I was telling somebody else about it. It's basically -- this is the actual place where the credit card numbers are sent, so all the stolen credit card information will be sent by post requests from the point of sale system to a server, but in this sense, both of them. Going to go over the dumps. We have 3100 track data already, so -- yeah, resolution is a little bit bad on that. These are basically track one and track two data. This is where they start putting into credit card dumps on forums, validity rates, they'll do tests, stuff like that. This is the point where the bad guy is selling it. I'm going to go next into the actual software and what it's doing. So here's the actual installer. Console version. Graphically pretty. It looks like Matrix stuff sliding down, and the graphic version, full-blown application you can install, modify. Does a source code.
As you can see right now, injecting track one and two. Random BINs, bank identification numbers. We have special BINs, designate I'm North Dakotan, they look like valid credit card numbers, there are no open source BIN lists, so at this time we're basically injecting -- yeah, just injecting randomly generated credit card numbers. I'll go back to the slides. Desktop is one of our engagement photos. Nothing strange going on there. I forgot you would see that. Go back over to my slides. One second. Okay. Go to second slide, or third slide here. You all -- it's basically, source will be on GitHub pretty soon. Open source, once again I'm not trying to plug anything. Just proof of concept. Working on building into PMS, and -- I don't say why it wouldn't be in every single system eventually, and the problem, it's gotten large over the last few years. Literally can't turn on the news without hearing of a breach, it's gotten a little ridiculous over the years and that's kind of the reason Tim and myself came up with software, and yeah, why do people skim data? I think they're pretty obvious, and how much does it cost? Some of the credit cards, like validity rates, very, very low, nine out of ten will work type situation, and nine out of ten cards, $45 apiece and off of the BINs, you can tell how much you could put on them. This is what nefarious people do, there are people who literally drive around the United States just buying pros, and selling them, whatever. That's basically where this industry comes, and with some of the firms, filter by the BINs and things, recently, which is -- has made it a lot more dangerous. Say for example, somebody is trying to use my card down in Texas, North Dakota BIN, get a call on cell phone, hey, did you try to do this? They'll block it. Scary people are able to filter by BINs and it's something actually able to have more valid-looking generated credit card data, so -- how much does it cost?
As you can see, some of these ones are -- yeah, four and a half dollars up to -- I think the highest one, I have a script that does analytics for the data, and validity rates go down, affects price. Anywhere from four -- I've seen $3 up to 40, 150 for some of them, for the really big ones. And yeah, it basically goes into a little bit how it's cost. How is it used to defraud? Anyone -- or -- Amazon, exactly. They're very, very easily obtainable, and that's one of the things, whenever I was telling people about, they'd ask about some software or whatever. It's very, very simple. There are tons of people that are going out and doing this stuff. I'm not endorsing. I'm letting people know how scary the actual mag stripe data, the mag stripe is. Track one and track two, write them on the cards, five minutes later, either ATM or inside a store actually doing fraudulent purposes, so -- or they -- people order things online, tons of things, if you're interested in that stuff, tons of -- very long time, there's been lots of information about how people do carding and stuff, if it's something of interest? How is it used to defraud? Carding, ordering things. Tons of things that people can see as valid online. So like -- actually ordering things online, these -- they do try to -- people anonymous, duplicating cards and using them in stores. That's one of the biggest. The card-not-present stuff is not as big any more. ATM cash-out runs, a bunch of homeless people, feed them for the day, run around ATM machines. Kind of scary. I've seen where some guy had a 600-gallon tank attached to a truck. It's crazy, some of the extents people go through. Online services, internet services for 9.99. I don't know which one is more embarrassing, K-Mart to take a picture of it, or that still exists, so, yeah, so digital movies, digital sales. Some of the training courses that have been leaked online lately, we got watermarks on it. It doesn't matter because it was purchased with a fraudulent card.
Do you know what I mean? So that stuff is kind of scary and it's hard to track that down and it defeats a lot of the DRM people are using. Used cards, Western Union transfers, things like that, it's crazy. If you've never looked at the dark side of the internet, it's definitely interesting to take some looks at it, and, yeah. And how are they actually exfiltrated, something I get a question all the time. For example, you can get the version 2, I believe that one is Dexter and Dexter is one of the many POS malware goes through and steals the credit card information. Difference, this one has a keystroke. USB keyboards. A portion I'll go over anti-keystroke catching more than just credit card environments. And yeah, basically four Bitcoins, people can go buy the software, that's kind of ridiculous, because I guess that's pretty expensive now. For about a thousand bucks, people after they actually steal -- or hack a system, they can have the host and the server portions running pretty quick and they'll be stealing data, so that's actually how it gets loaded on, so -- so people, yeah, people ask how it gets loaded on. It's obvious any way a computer is breached in any of the classic ways as I would call them, USB devices, people using spear phish campaigns, so my compromised system, pull point of sale systems, a lot of them running -- software, things like that. The -- basically -- it sends post requests, basically what are sent to server, so that's how it's exfiltrating data and some stored on hand, exfiltrate the files after they have like a gig's worth or 25 megabytes worth of data. Do store locally but majority send them out encrypted HTML post requests. Not something like people can network monitor. Does generate 600 times the traffic if you're doing the post request method. You can't see if they are stolen credit card data. Starts doing 25 megabytes of data, doing about a half a meg a bit ago. You definitely have something.
It's very, very useful for intrusion detection also and getting your intrusion detection to work better. It's amazing the amount of data. I couldn't believe how actually clean it runs. When it idles, it's under 1% of the CPU utilization, for running and that's injecting a thousand credit cards a second and that's into memory. Stability with it. You can inject it into any 32 or 64 bit process. So when it goes around and steals and looks for credit card data, it's going to come across a lot of cards, so -- and it's -- that will go here and the two year old -- probably three year old now, but validity rate of 10%. And that's just crazy to think that. That's what I'm saying, a lot of this will go into the actual -- it's kind of like .004 after you run some of these batches, so -- and compiled into BINs. That's the thing that really scares me and actually has shot through the roof. So initial -- yeah, terminal was breached, loaded with malware. Bad person loads under the point of sale server and basically sends it off to the server, post request. Pull the data, FTP. I've seen incremental backups. They're finding very, very tricky ways to actually -- credit card data and other data. So basically after it's stolen on the POS, sent off to the server and I just wanted to stress again, this demonstration is all running on the same box, so basically sending to 127, sending to home address, so -- and it's basically catching it. For the most part. So that's -- it's very good for this demonstration because internet connectivity is very shoddy. I've had demos -- in the past, especially when it involves virtual machines and unplugged laptops. Usually shuts CPUs off, so that's why I've gone with the video version of the demo. How does it tell credit card data from other data?
Just random numbers in there, and usually a lot of them have custom algorithm, some of them go off the basic algorithm, check digit, mathematically able to detect what is a credit card number and the first few numbers are actual -- first six are the bank identification number, that will tell you if it's a Houston bank or if it's in North Dakota, Bismarck, Minneapolis number, be able to tell those, and that's a way to protect your data. If you've had a breach four times in a year, go up to Alaska, get yourself a bank account and it will never happen again. Or to Bismarck, North Dakota, about 600,000 of us. Anybody from North Dakota? Oh, awesome. Yep. There's two of us. And this is a little bit blown up. The actual malware we tested against, Dexter, Backoff. There's a couple other ones that are definitely Russian variants. B skimmer, you tested -- all of them, and actual -- only ones we didn't were the -- some of the versions of Dexter, they had some keystroke catching, a little harder to catch, but I have a tendency that actually does injections, there's a black hole on the actual software where you can inject keystrokes into, so it's pretty decent for blocking, just in general anything like that. Anybody do -- yeah, you can definitely -- this is -- that is another reason. If you're doing reverse engineering of point of sale malware -- it's a very good way to get that malware alive, feed it. And I've seen -- actual ones where they dump, like Dexter, I actually locked up a computer. I think it was making 500 megabytes a day of data, and we were just running it to make sure it wouldn't crash or anything. It's amazing how big some of those files get, how quick they get. So -- so the approach, like stop breaches, open source software I made.
Or myself and Tim made, and we -- yeah, we just wanted to release it and see if people could use it and implement it into their own APIs for some of their other software, so -- and that's what I'm saying, no reason at all -- I got an MIT license, anybody can improve on it, put it into pretty much anything. That's something nice to be able -- I don't see any reason why people -- chip and PIN, but I'm actually working on methods and proof of concepts to make -- chip and PIN properly, because a lot of people that aren't putting chip and PIN to its fullest extent. And what currently exists, there are some skimming. Classical firewall that can manage packets, scan out, put Snort rules, lots actual tools out there, firewalls, IDSs, look for specific things, look for signatures, but that's not enough for some of the stuff. Especially when you get into some of the honeypotting features, it's nice to know when you're breached. There's some high -- of BINs that you can actually paste in, almost guaranteed, they look like $15,000 AMEX or something, get grabbed first, seed those into batches and those will get sold off first and you'll know a lot better when the breach happened and there are other ways, where people can buy for the credit cards and run them through processors and things like that to actually tell where they're breached or who is breached and things like that. So -- which as of right now, I haven't run into any tools, and if you do know of any tools that are made specifically for point of sale skimming or stopping point of sale skimming, fill me in, I love hearing about them. Concept, make batches unusable? Valid credit card data being swiped into there. Where it's being stolen is actually in memory, so it's -- for the most part simple concept and I'm surprised a lot of the bigger companies have not come across it. 500 credit cards for every valid credit card number in memory. When people steal them, exfiltrating tons of fake data. Tried scrubbing.
500, credit processor, after 50 cards were run, how to do -- had to do manual authorization. There's no way a person would be able to scrub these batches. Generated off 25,000 most common names in United States. If you live in a more dominant Asian area, something like that, import a better names list, things like that. If you go off the BINs list, you can generate traffic. You can leave open, credit cards from everywhere, and just statistically speaking, you're going to generate tons -- or it won't matter, and when people try to scrub these batches and try to sell them online, they're going to lose their reputation and that's one of the biggest things, validity rate is 98%. People will gladly buy those all day long. .004. It's not going to happen. That's kind of what the -- it goes after. Stopping people from doing the breaches, because there won't be any money to be had on it. Yeah, hardly generated. Algorithm, and we have BINs list and not fully implemented. The BINs list is sold. Planning on making an open source BIN list but I thought it would be used for nefarious things, than -- I had E I would have had to leave the BINs list. Not separate things compiled. BINs list, $25,000 in some instances, so it's not affordable for, you know, a project such as this one, so -- that's something, first six numbers, first one tells Visa, MasterCard, American Express, and the rest of them actual bank and financial institutions. How -- basically generates from scratch and attaches a name to them, track one, track two data. They look like valid credit card numbers. Value customer or gift card in there once in a while. It's actually a very, very good system of way of blocking it. Like I was saying, pulled list off Social Security web page for United States first and last names and basically generated from scratch, and pretty good list of names to input and like I was saying, you could modify names and I was watching, my dad's name came across. It's a good list.
Some names, that is an awesome name. Vampire names, things like that. And this basically explains the honeypot services, much these credit numbers do not occur naturally. Something when a credit processor comes across them, they were not ever issued. There's not actually a physical card. The card will come through the credit processor and they'll be able to tell, that one -- so and so company. I will notify them of the breach. Some of those BINs, they'll look like they're unlimited cards or corporate cards, not checked that often. Things like that. Lucrative 154 -- or have information with it. That's something, when it's randomly generated, they'll also be padded around that. That's why I made those actual honeypot cards, they look a lot better. And that's the -- when you input them, there's a way to reverse the batches, depending on how you input yours. Ways to actually fully remove once you seed your honeypot card, so it's a little bit of a lengthy process and it's not fully developed but it is something that it is possible. It's very easy to reverse is the only problem. For the kind of people that are actually stealing credit card information, I think it would be a coverage, almost 70% of the situation. Anti-keystroke. Plugging in, inject, what being allows like valid credit card numbers. Puts some in. I didn't have enough processing power to do full SkimBad-type situation but it will fill up whatever -- the ones -- the ones actually capturing data, locally, are also the ones vice president functionality -- have functionality with keystroke. Catch from scratch, keystrokes. IDSs will detect a log that's going -- megabytes, looks like OM input. How will malware evolve and how can we stay on top of this? Obviously people are going to try to attack, you know, SkimBad. Get out in wild, get used. Things like that. We did build watchdog, simple ones, start out with. Oh, let's only read the memory of point of sale system.
You can just directly inject into the POS, point of sale software, and it doesn't affect how it goes to the credit processor either. Another big question I always get. So, yeah, how it will evolve. They're going to get smarter about it. Have to take a step forward. I know most of the malware that I've been coming across, always bust some 17 year old eastern European guy, you would think they would have had somebody more behind, making it sound like it's a dangerous persistent threat. Simple to stop it. A lot of very good development tools and things like that, but it's something if we stand one step ahead, and another thing -- able -- because that's why a lot of the stuff, when it installs, randomizes it. That's pretty much the -- I'm sure a lot of people have things coming to mind also of how people would, you know, try to stop this type of stuff, and I love to hear that kind of stuff because that makes the product that much better, or you can -- yourself. Detects BINs from certain areas. Say for example, North Dakota, there's a bunch of Florida BINs, try to scrub the batches and only do BINs that are North Dakotan BINs, wouldn't work that way. Sheer amount of them. Not to mention, when I did the credit processing, after ten failed attempts it does to make you manually authorize them and that would be a lot of work. Actually skim through those, so -- watchdog force, so I protect it from malware basically, when it stops the process, unless had something specifically made to attack SkimBad it would be pretty hard to stop it. In itself, it's not necessarily a -- kit, but does have some protection, it does restart itself when it stops. It's very, very simple. That's the last thing I want is to have a signature on actual anti-software. Skim around on it, and it's something -- that's something people can implement and if it's implemented, you know, another product, it would be very simple. It's about 80 companies, very, very hard to kill watchdogs.
Yeah, basically, how does the batch look real? All valid -- for the most part, they're valid BINs, tons not invalid BINs, like I was saying, I didn't want to load the BIN and I don't want people to have to pay even a dime for it. So that's something we're literally, as you can see there, it fills just with random data. Not random data, but they are credit card passing data, so, yeah, so it's just the sheer mass and volume of it that makes it inherently protected. And so basically, yeah, when they're sent off, grabbing the fake ones right along with the real ones, so there are -- I tried ways to cross check it and if anybody can come up with ways, love hearing them, love to improve it, so -- how to reverse the batches, it was blocked -- I tried two interauthentication companies -- different authentication companies. Random, generate credit cards, things like that, use it that way. That is a mechanism that is working, scrubbing the batches. Some of the other ways, people keep signing up for stuff using credit card, stolen credit card information to get authentication stuff. It would make it ridiculously hard. Several hundreds of hours, thousands of hours, it would literally make it not worth it. Basically, chip and PIN going to stop it? For the most part if it's set up correctly, there are some replay attacks, I'm sure people have seen out in the wild. England, replay attack in a store. I know there are some with the chip and signature, that's the exact same as it's pretty much been in the past. That's all about getting people to properly implement them, and getting it to roll forward, so -- so I -- I honestly don't think it will stop it until people properly implement it. And it is a software that's open source. It's free. People can help make it better. Have source code out there.
If it's something you want to implement into something else, or work for something that I would like to get a community behind it and help people build it up, yeah, I'm going to open it up to questions here in a little bit. I'm going to get the demo running in the background. Transcode 480. It's pixelated. It's amazing, I did slow the demo down. When it goes through -- contact information. Do you have any questions, Twitter. Appreciate that. If you want to build a device, really fun, and I recommend to people who pentest for a living. One step up from USBs. And open up to questions. They have the mic too somewhere. Oh, sorry about that, yes.
>> That is my real name. That's not my handle. That means -- that is German for hacker.
>> [ Inaudible ]
>> Okay.
>> To modify the track --
>> Yeah, I've seen where people can actually make them look like manual authorizations when they aren't. And that's a -- I know there's some people that ran photo stuff through in Brazil. She was asking if you can modify the track data to make it look like chip and PIN. Is that correct what you're asking? Yeah, there are a couple of attacks it is like that. If it is improperly installed by actual vendor, so actually point of sale -- or authentication is improperly set up, that is something that can be done. So -- thank you. Does that answer your question? Yeah, there are a couple of attacks out there. They haven't released the details on them. Anybody else have any other questions? Yeah.
>> [ Inaudible ]
>> Yes. Yes. Yeah.
>> [ Inaudible ]
>> Yeah. Okay. Yes. That's what I was talking about, that's the feedback I want, like the -- not only will people, myself and other people in the community, things over, to other operating systems. This one I made it work for Windows. It should work with a lot of the older libraries, so it is something that's not resource intensive. Utilizes less than 1% of a CPU, 4 gigabyte VM with one core. Negligible amount.
That was injecting -- does that answer your question for that one? Exactly. I -- that's what I'm saying, some of the things -- you can be -- tune them to be more efficient and at ten, even ten credit cards, I think it would be a very, very simple, resources and some of the logins, that's the next generation. That's what I want feedback on. Literally proof of concept. Covers most of those malwares, literally the people who are trying to -- just literally slapping them on -- XPOS, yeah, they're going to be able to look at the source code, they're going to be able to look at certain other things and actually tune their malware to it. I'm not saying that. Literally just a cover. Running on some of the POSs and larger breaches, it definitely would have helped with it. Validity rates, class -- lawsuits cut down, wouldn't have had to cancel people's cards when people are in Belize on vacation. End up suing for. Does that answer your question? Okay. Awesome.
>> [ Inaudible ]
>> Anything more than that, you're technically going to start covering in memory, especially on smaller POS systems, going to cover them in memory before they're actually pulled by the scraping malware. You can do up to 60,000. That's the highest I went and it would just be counterintuitive. It wouldn't have any purpose to it. So that's why I stayed with 500 credit card numbers, because it will start copying over itself. So -- does that answer your question? Excuse me? Oh, yeah, you can do it, you can pretty much fine tune it. Like I said, anybody in here program C++? Be able to easily modify -- and stuff getting worked out. Going to release it here soon. Yes.
>> [ Inaudible ]
>> Offer some of the post requests and stuff like that? Yeah, that's -- a lot of the IDSs do block. That's why the malware dumps them locally or other ways of exfiltrating. Going over a lot of the main ones. Yeah. Yep. Tell that to the last Fortune 50 company that got breached.
There's no way, but, yeah, it happens every day and a lot of people -- they do. One of the original IDSs, too many e-mails, too many red flags on some of the stuff, how do you tell it's real at the end of the day? Does that answer your question? It's kind of an -- kind of been ignored by a lot of the industry, stuff like that. Some of them do have VLANs, other systems in place that do work. Some have to actually -- other steps you have to take to actually breach their point of sale systems. Some of the point of sale implementations I've seen in the last two years are ridiculous and doing a very good job at it. Once again, the mom and pop shops can't afford it, or some of the smaller point of sale ones. Any other questions? Yes.
>> [ Inaudible ]
>> One of the main systems I did go into embedded systems, so I've tried it on Windows based point of sale systems, Windows 7, Windows XP, some of the older ones, some of the embedded ones and what was the question again? How it actually --
>> [ Inaudible ]
>> Doesn't interfere with all the ones -- I can't go into detail. I can't program the point of sale systems, but just injects it into memory, so it's after the fact of where it would have gotten dumped. That's the point it's taken, before -- some of the end-to-end encryption stuff. That's where it would lose it at. So it's -- yeah. I hope -- did that answer your question, or -- okay. Yeah, not a problem at all. What was your question?
>> [ Inaudible ]
>> Every single one of them on that list, which was the big breaches, they have -- I've literally tested, and -- so, yeah, it's something that a lot of those, they do literally just go through memory and even -- you select the process ID you put it into, so -- like you can actually put the process ID for your actual point of sale system, so that's what I'm saying, can inject it directly into the memory of point of sale systems, hard embedded stuff. Malware looks for.
The point of sales, ever reverse engineer point of sale malware, very, very, very, very simple in most cases, and very, very not resource intensive. So -- does that answer your question? And I would love to talk to you guys afterwards. I love constructive criticism. Yes.
>> [ Inaudible ]
>> None of the near field stuff, I haven't tested any of that. I don't have the money to actually buy some of that stuff. Some of those systems to do a proper -- back end server stuff, and you need a time server. A lot of setup for it. Something I didn't take the time to learn and something I have not had the privilege of testing, environment like that. But I see no reason at all if it's being ripped to credit card data, that would pass one of the algorithms or the search algorithms for the malware. No reason at all you couldn't inject that data with it. So -- does that answer your question? Okay. Yes. Yes.
>> [ Inaudible ]
>> Yes. Yeah. And that's something -- that's why I talked about the evolution. I know this is very simple, but the malware skimmers out there are very simple right now. That's why that next step is injecting that data. Some -- tons of other methods, literally to cover the last five years. People are still using some of the first generation Dexter, the JackPOS I've actually seen. Ridiculous, able to creep through memory and steal credit card data. Blunt force of it and get the concept out there. Open source. Not trying to make money. Not pitching software. Something I want the vendor to implement that. Do I have time for one more question?
>> [ Inaudible ]
>> Yes. Just the nature of the point of sale systems, and just computers in general, there's a lot of things that stay resident in memory until the actual power gets powered off. A couple of -- point of sale systems they dump memory at certain times. I did come across some of that, but nothing to the level. Yeah. And that's -- you guys come up with exact same reasons. Why don't people do this or that?
That's kind of why I did that talk this year, proof of concept out there. Any other questions? I really do appreciate your time, and I would love -- [ Applause ]
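An added example, not SkimBad's code or anything from the talk: the Luhn check digit and BIN prefix the speaker says scrapers use to tell card numbers from other memory, a scraper-style Track 2 filter run over a constructed memory image, and the dilution a 500:1 decoy ratio produces in what that filter returns. The BIN, names and card numbers are constructed placeholders (the one "real" card is the standard 4111... test number).

```python
"""Luhn check, decoy track data and scraper-style filtering (added example).

Constructed placeholders only: DECOY_BIN is not an issued BIN, the names
are a toy list, and REAL_TEST_PAN is the well-known Visa test number.
"""
import random
import re

DECOY_BIN = "000000"                      # constructed, non-issued BIN prefix
REAL_TEST_PAN = "4111111111111111"        # standard test PAN, Luhn-valid
NAMES = [("DOE", "JOHN"), ("SMITH", "JANE"), ("LEE", "ALEX")]  # constructed


def luhn_checksum_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check (the 'check digit' test)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes `partial` + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_checksum_valid(partial + d):
            return d
    raise AssertionError("exactly one digit always completes a Luhn string")


def make_decoy_pan(rng: random.Random, bin_prefix: str = DECOY_BIN, length: int = 16) -> str:
    """Build a PAN that starts with the BIN prefix and passes Luhn."""
    body_len = length - len(bin_prefix) - 1
    body = bin_prefix + "".join(rng.choice("0123456789") for _ in range(body_len))
    return body + luhn_check_digit(body)


def make_track_data(pan: str, last: str, first: str, exp_yymm: str = "2512",
                    service: str = "101") -> tuple[str, str]:
    """Format ISO 7813 style Track 1 and Track 2 strings for a PAN."""
    track1 = f"%B{pan}^{last}/{first}^{exp_yymm}{service}000000000000?"
    track2 = f";{pan}={exp_yymm}{service}000000000000?"
    return track1, track2


def generate_decoys(seed: int, count: int) -> list[str]:
    """Deterministically generate `count` decoy PANs with attached names."""
    rng = random.Random(seed)
    return [make_decoy_pan(rng) for _ in range(count)]


def build_memory_image(seed: int, decoys: int = 500) -> bytes:
    """Constructed process memory: one real track pair, `decoys` decoy pairs, junk between."""
    rng = random.Random(seed)
    chunks = []
    records = [(REAL_TEST_PAN, "DOE", "JOHN")]
    for pan in generate_decoys(seed, decoys):
        last, first = rng.choice(NAMES)
        records.append((pan, last, first))
    rng.shuffle(records)  # the real card is not in a predictable position
    for pan, last, first in records:
        t1, t2 = make_track_data(pan, last, first)
        junk = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz ") for _ in range(rng.randint(8, 40)))
        chunks.append(junk + t1 + junk[::-1] + t2)
    return "".join(chunks).encode("ascii")


# The filter a memory scraper applies: Track 2 layout first, then Luhn.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def scrape_like_malware(memory: bytes) -> list[str]:
    """Return every PAN in `memory` that looks like Track 2 data and passes Luhn."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_checksum_valid(m.group(1).decode())]


def dilution(real_count: int, decoy_count: int) -> float:
    """Fraction of a scraped batch that is real when decoys pass the same filter."""
    return real_count / (real_count + decoy_count)


if __name__ == "__main__":
    found = scrape_like_malware(build_memory_image(seed=2, decoys=500))
    print(f"scraper returned {len(found)} PANs, {dilution(1, 500):.4f} of them real")
```

Because the decoys satisfy the same two checks the scraper uses, the scraper returns 501 PANs from a memory image that holds one real card, which is the "validity rate" collapse the talk relies on.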