Saturday, September 13, 2014

Red Sky Weekly: American Sanctions Dumps, Threat Day

I'm reading an underground carding forum where the cards (presumably) from the Home Depot breach are being sold. The card dumps are labeled "American Sanctions Dump", and currently there appear to be 13 dump files. I've not purchased any cards, nor have we broken any rules, but there's a pretty nice catalog showing what's for sale... and it's pretty amazing. I apologize for the sizing of the image below but wanted to show readers what these markets actually look like. I've obfuscated the names/addresses of the issuing banks, and the name of the user who actually pulled them, but the rest is all real.

Interestingly enough, the Canadian card (shown in the first row) is selling for $51.48 while most of the US cards sell for significantly less. Not sure why. Canadians have better credit? Even more shocking: the number of credit cards in the dump was dwarfed by the number of DEBIT cards! I'm not sure about you, but my mother always told me "don't use your debit card like a credit card! It's not safe!" ...I'll have to remember to ask my banker friends if this is really so. I'm not normally into tracking carding, there are loads of folks who do, but this was just too rich. The idea that a dump would be named "American Sanctions" only shortly after I blogged about bankers being used as unprotected pawns by the Treasury department really got my analytic juices pumping.


Here's the other thing I thought was interesting. We obtained a dump of the credential database used by a (different) forum (we didn't dump it). When we started analyzing it, we realized that the passwords used by the guys stealing cards from folks with bad passwords were actually pretty bad themselves. No password at all was used in nearly half of the accounts in the dump, and qwerty was easily the next most used. It went downhill fast from there. Literally thousands of them used the same password (black, qwerty, 123456, etc.). Not sure why, but that really took me by surprise. This is a fairly well known hacker forum (fairly well known meaning over 10,000 regular users), and the guys grabbing tools had both lousy passwords and bad OPSEC! Why do I care?
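For readers who want to run the same kind of audit on a credential export (their own organization's, or a dump handed to them for analysis), here is a small Python script I've added to this post; it is example code, not anything from the forum or from Wapack Labs' tooling. It parses the common "username:password" line format, counts accounts with no password at all, lists the most reused passwords, and reports what share of accounts fall to a tiny weak-password list. The dump below is constructed for the example, and the weak-password list is a stand-in for the large wordlist a real audit would use.

```python
from collections import Counter

# Constructed sample in the "username:password" shape such dumps are often
# exported in. These accounts are made up; none come from the forum in the post.
SAMPLE_DUMP = """\
user01:
user02:qwerty
user03:
user04:123456
user05:black
user06:
user07:qwerty
user08:C0rr3ct-Horse!
user09:
user10:black
user11:qwerty
user12:
"""

# Assumption: a real audit would swap this for a full wordlist (rockyou, etc.).
WEAK_PASSWORDS = {"qwerty", "123456", "black", "password", "12345678", "letmein"}


def parse_dump(text):
    """Return (username, password) pairs; a line without a colon is a blank password."""
    records = []
    for line in text.splitlines():
        line = line.rstrip("\r\n")
        if not line:
            continue
        user, _sep, pw = line.partition(":")
        records.append((user, pw))  # pw == "" when the account has no password
    return records


def password_stats(records, top_n=3):
    """Summarize how bad the passwords in a parsed dump are."""
    n = len(records)
    passwords = [pw for _, pw in records]
    counts = Counter(passwords)
    empty = counts.get("", 0)
    non_empty = Counter({pw: c for pw, c in counts.items() if pw})
    top = non_empty.most_common(top_n)
    weak = sum(1 for pw in passwords if pw == "" or pw.lower() in WEAK_PASSWORDS)
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    return {
        "accounts": n,
        "empty": empty,                       # accounts with no password at all
        "empty_pct": pct(empty),
        "top": top,                           # most reused non-empty passwords
        "top_share_pct": pct(sum(c for _, c in top)),
        "weak_or_empty_pct": pct(weak),       # accounts a trivial guess would open
    }


def analyze(text, top_n=3):
    return password_stats(parse_dump(text), top_n)


if __name__ == "__main__":
    s = analyze(SAMPLE_DUMP)
    print(f"{s['accounts']} accounts, {s['empty']} ({s['empty_pct']}%) with no password")
    for pw, c in s["top"]:
        print(f"  {c:>4}  {pw}")
    print(f"top {len(s['top'])} passwords cover {s['top_share_pct']}% of accounts")
    print(f"{s['weak_or_empty_pct']}% are empty or on the weak list")
```

Point it at a real export with `analyze(open(path).read())`. If the dump stores hashes instead of plaintext, the empty-password count still works when blanks are exported as blanks, but the reuse and weak-list numbers need the hashes cracked (or compared against pre-hashed wordlist entries) first.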

Years ago when I first started in the intel business, profiling attacks, victims, attackers, etc., I worked with a couple of really cool guys. My team profiled over 3000 attackers with the idea of understanding not only who these guys were, but how they operated, what their motivations were, and whether, over time, they got better. The nice thing was, many of them were new. When they hacked, we saw it, knew who they were (because of their poor OPSEC) and, through a combination of means, could track their growth (and attacks) throughout the years. And of course it worked. I have a feeling we're seeing the same thing on this hacker forum. Young users grabbing tools and practicing terrible OPSEC. They'll get better. And we'll know. And yes, we're posting this stuff to our membership, and indicators to Threat Recon.

BT BT

We had a heck of a great time this week. I've not been to Manhattan for more than a couple of hours at a time in years. Usually I take the train in, attend a meeting or two, and take the last train out. And now, I've spent most of the last two weeks there. Last Tuesday was with the Chertoff Group (thanks Mark for the invite!) before doing cocktails with Red Sky members at the Vander Bar in midtown, and Threat Day on Wednesday at the HQ of a large Manhattan based bank. What a place. We were on the 26th floor, facing south, right on Times Square. The presentations were incredible: one member talked about building a DNS filtering tool that he uses to analyze all of his DNS requests. Another talked about joining a botnet to analyze activity. Another detailed an APT event that they'd lived through, and yet another profiled an APT actor. Every quarter I get reenergized when I sit through Threat Day. It's not about having 2000 people in Vegas, it's about 30 really smart ones sitting in a room, watching the screen, interacting and sharing notes. And that's what we did. That's what I like about Red Sky.

I'm going to close out this week with this. A Mitre PhD just published a piece entitled "Turning the Tables on Cyber Attackers...." I especially like the section "Mixing Automated Tools with Human Analysis" (as a side note, nine providers set dozens of cookies on my browser when I opened it). That said, Mitre is now espousing the idea that humans must be involved in analysis to turn the tide on cyber attacks. Say it ain't so! Mitre called out Red Sky Alliance about a year ago as one of the better sources for human analysis, crowdsourced in our private portal. And today, the idea that humans need to look at both the forest and the trees is a massive step forward in thinking. What's old is new again. I love it. The paper in its entirety may be viewed on the Mitre site. For now, know this. It's true. Relying on open source or big data always requires further analysis. Someone MUST sort through, evaluate and prioritize findings. That's where we come in.

I especially love this paragraph:

"... Automated tools are incredibly useful, but detecting advanced cyber intruders also depends on skilled and experienced defenders. These defenders are like detectives at the scene of a crime—looking for clues, following leads, making connections, and using intuition as well as hard data to figure out who did what." 

On that, ThreatRecon.co is going well. We'll have a simple web interface up soon. Red Sky is welcoming new members, and Wapack Labs is busy. Need information? Drop us a note. Red Sky for collaboration; Wapack Labs for subscriptions; and Threat Recon (API) for up to a thousand free queries per month.

Until next time,
Have a great week!
Jeff