
According to analysis from two separate security providers, hackers targeting point-of-sale (POS) systems have appropriated unauthorized versions of Card Recon, a powerful scanning tool developed by Ground Labs. Card Recon is a commercial DLP product that merchants use for PCI compliance; it seeks out payment card data stored in the recesses of networks.

Much like Metasploit and SHODAN, Card Recon was developed to help security teams better secure systems and sensitive data, but such tools can also be misappropriated by criminal hackers with nefarious intent, and the analysis of POS attacks confirms that Card Recon has been added to the attackers’ toolkit.

“The attack kit also contains two cracked copies of Card Recon, a legitimate application designed to find credit card data across a wide variety of systems. Ground Labs lists them as ‘workstations, file servers, NAS and SAN devices, Exchange, Gmail, Lotus Notes, Oracle, Amazon AWS Cloud and more,’” a report from Arbor Networks stated.

“Card Recon looks to be a useful tool when wielded by an auditor or security staff, but is clearly dangerous in the wrong hands. The presence of an audit tool like Card Recon where it is not expected is a clear sign of trouble, as it shows that attackers are after card data anywhere that it can be found.”

Numaan Huq, security researcher for Trend Micro, independently confirmed that Card Recon was being employed in POS attacks, and noted that the attackers may be using it to validate the card data they exfiltrate.

“While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards,” Huq wrote.

“Bad guys using a commercial DLP solution wasn’t that surprising, but it got me thinking: why validate? Aren’t the regexes used to collect the data enough? The short answer is the criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace,” Huq continued. “Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility.”

Card Recon requires a license to prevent it from being used without authorization, but access to the software’s executables cannot be prevented if the target is a customer who has already deployed it.

“This is the unfortunate reality for all software vendors: It is common for criminals to acquire a copy of commercial software via unauthorized means and then reverse engineer that software to circumvent the licensing mechanisms that are designed to prevent its unauthorized use,” said Ground Labs’ Stephen Cavey.