Knowledge of BackTrack / Kali Linux is essential for anyone focusing on security in digital forensics and penetration testing. Ausec highly recommends this course to anyone who wants to enter the offensive security domain and gain in-depth knowledge of hacking in order to be more secure.

Hackers Use DDoS to Cover Data Theft

Distributed denial of service attacks are an IT team’s worst nightmare. The sudden floods of Internet traffic to public facing web- or application servers can bring your company’s online edifice tumbling down. If yours is an online business, DDoS attacks can translate into millions of dollars in lost revenue for every hour of downtime.

As bad as they are, however, DDoS attacks may be the least of your problems. As the hack last week of the UK-based Carphone Warehouse indicates, DDoS attacks these days are often just a distraction from the real thrust of a cyber operation: data theft.

As reported here, hackers used a denial of service attack against Carphone Warehouse websites like OneStopPhoneShop.com, e2save.com and Mobiles.co.uk to distract its IT team from a coordinated hack of their customer database, which resulted in the theft of information on 2.4 million customers. In the end, around 90,000 of those customers had credit card information stolen – though the data was encrypted.

This isn’t a new technique. Back in 2013, Brian Krebs noted the use of DDoS attacks as a technique used by cyber criminals to cover up illegal wire transfers from compromised accounts. In 2014, the FFIEC went so far as to warn banks about the use of DDoS as a diversionary tactic by cyber criminals.

But banks aren’t the only targets of this technique. As this article from eWeek notes, the hackers who stole account information from millions of Sony’s customers likewise used massive denial of service attacks to distract Sony’s IT team while the data exfiltration was taking place.

In fact, the security firm Neustar observed that the duration of DDoS attacks has declined precipitously in recent years. In their 2014 security report, the firm said that the percentage of their customers who reported DDoS attacks that lasted less than a day jumped more than 10 percent between 2012 and 2013, to 77 percent. At the same time, the percentage reporting DDoS attacks lasting over a week declined from 13 percent to under 2 percent.

The reason, Neustar theorized, was the increasing use of DDoS as a “smokescreen” to cover for data theft and other malicious activity. In other words: attacks that have historically been used to inflict pain on their victims are now mostly a distraction: the online equivalent of a fire in the trashcan.

What should security conscious firms do? Neustar and others advise companies to be on guard for DDoS attacks that may be diversionary. These tend to be shorter and more intense in nature, and they are often not followed by extortionate demands from those behind the DDoS (after all: they already have what they want).

Companies should drill their IT and security teams on DDoS scenarios and part of that should be identifying resources and tools that can keep a wary eye for suspicious activity after a DDoS has started. Monitoring tools that can alert IT staff to data exfiltration or other suspicious transactions are a must.
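As an added illustration of the monitoring advice above (not code from the article or from Neustar), the sketch below compares each internal host's outbound volume during a DDoS alert window with that host's own pre-attack baseline. The host names, the `(minute, host, outbound_bytes)` record layout, the sample data and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (minute, internal_host, outbound_bytes) egress records.
# Minutes 0-9 are normal operation; the DDoS alert covers minutes 10-14.
FLOWS = (
    [(m, "web01", 5_000_000) for m in range(10)]
    + [(m, "web01", 40_000_000) for m in range(10, 15)]   # flood target
    + [(m, "db01", 200_000) for m in range(10)]
    + [(m, "db01", 250_000) for m in (10, 11)]
    + [(m, "db01", 90_000_000) for m in (12, 13, 14)]      # bulk egress
    + [(m, "app01", 1_000_000) for m in range(15)]
    + [(13, "bkp01", 30_000_000)]                          # no baseline at all
)

def egress_anomalies(flows, ddos_start, ddos_end, targets=(), ratio=10,
                     floor=10_000_000):
    """Return {host: reason} for non-target hosts whose outbound volume
    during the DDoS window is far above their own pre-attack baseline."""
    before, during = defaultdict(list), defaultdict(list)
    for minute, host, out_bytes in flows:
        if minute < ddos_start:
            before[host].append(out_bytes)
        elif minute <= ddos_end:
            during[host].append(out_bytes)
    findings = {}
    for host, samples in during.items():
        if host in targets:
            continue  # the flooded front end is expected to look abnormal
        peak = max(samples)
        if peak < floor:
            continue  # ignore small transfers regardless of ratio
        if host not in before:
            findings[host] = f"new talker, peak {peak} B/min"
        else:
            base = median(before[host])
            if peak >= ratio * max(base, 1):
                findings[host] = f"peak {peak} B/min vs baseline {int(base)}"
    return findings

if __name__ == "__main__":
    for host, why in sorted(egress_anomalies(FLOWS, 10, 14, {"web01"}).items()):
        print(host, "->", why)
```

Run against real flow exports, the same comparison gives the team a short list of back-end hosts to inspect while the front end is still under load.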

Finally, investing in dedicated DDoS protection and mitigation tools can help deflect attacks and make it easier for IT staff to keep their wits about them during an incident.

Attackers Crack EMV

European criminals cannibalized stolen EMV cards, combining clipped smartcard chips with miniature microprocessors to construct fake payment cards that defeated point-of-sale security checks, enabling them to commit as much as 600,000 euros ($680,000) in fraud.

While that fraud occurred in 2011 and attack countermeasures were thereafter put in place by the card industry, details of the EMV-defeating fraud spree have only now come to light in a newly released research paper. The report, “When Organized Crime Applies Academic Results: A Forensic Analysis of an In-Card Listening Device,” was published by four researchers from the computer science department at the École Normale Supérieure in Paris and the Centre Microélectronique de Provence in the south of France.

Their discoveries are further proof that, from a security standpoint, despite what card issuers might claim, the EMV protocol is not foolproof, says University of Surrey computer science professor Alan Woodward. “This particular attack no longer works as it was ‘fixed,’ but I have to say experience shows that where there is one [attack], there will be others.”

As the U.S. EMV migration continues, one benefit often touted by card issuers is that EMV chips cannot be counterfeited. And some analysts predict that the U.S. card industry will soon attempt to redefine consumer protection laws so that issuers are no longer liable for card-present fraud because the chips cannot be counterfeited. But Ross Anderson, a professor of security engineering at the University of Cambridge, says the French report is just the latest research to demonstrate how EMV protections can be bypassed by criminals to commit card-present fraud.

How French Police Busted Gang

In the case of the European fraud campaign, the French Ministry of Justice commissioned the four researchers – Houda Ferradi, Rémi Géraud, David Naccache and Assia Tria – to conduct a forensic analysis of the attacks after France’s Cartes Bancaires national interbank network noticed in May 2011 that a dozen stolen EMV credit cards were being used to commit fraud in Belgium, which triggered a related police investigation.

The researchers say that police were able to quickly identify and arrest suspects after obtaining a list of the date, time and place where each fraudulent transaction occurred from Cartes Bancaires. Police then cross-referenced this information with records from mobile-phone network providers showing which unique IMSI – International Mobile Subscriber Identity – codes of SIM cards were present at the same time and location as when the thefts took place.

“A 25-year-old woman was subsequently identified and arrested while carrying a large number of cigarette packs and scratch games,” the researchers say. “Such larceny was the fraudsters’ main target, as they resold these goods on the black market.” Police then arrested four more people – including a man who later admitted to engineering the fake cards – and recovered 25 stolen cards, 40 modified cards, specialized software that was used to make fake cards as well as about 5,000 euros ($5,700) in cash.

Before they were arrested, the gang successfully executed 7,000 transactions, netting them up to 600,000 euros ($680,000) in fraudulent proceeds, the researchers say.

Forensic Analysis

Left to right: Forged card’s fake EMV module – red arrows show glue; fake card seized by police; X-ray image of a fake card – the stolen EMV chip is green. (Source: École Normale Supérieure)

As part of their forensic analysis of the fake cards, the researchers say they had to rely in large part on X-ray chip imaging and microscopic optical inspections to identify the engineering and miniaturization techniques at work. Based on that analysis, however, the French researchers report that the gang appeared to have gleaned their attack techniques from the 2010 “Chip and PIN is Broken” paper published by University of Cambridge computer science researchers Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond. In that paper, they warned that the EMV protocol that had been deployed in the field was broken. They described and demonstrated “a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network.”

Such an attack would use genuine parts of an EMV chip to handle the transaction, while employing a separate chip – either miniaturized and implanted inside the same card, or perhaps connected by wires to a microprocessor hidden up a fraudster’s sleeve – to execute the man-in-the-middle attack that subverted the cardholder-authorization process.

The French researchers found that the fraudsters behind the 2011 campaign built fake cards that combined a legitimate EMV chip – which was used to authorize a transaction – with a module from a hobbyist device known as a Funcard, which was programmed to tell a POS device that any PIN code the attacker entered was correct. “These forgeries are remarkable in that they embed two chips wired top-to-tail,” the French researchers say. “The first chip is clipped from a genuine stolen card. The second chip plays the role of the man-in-the-middle and communicates directly with the point of sale terminal. The entire assembly is embedded in the plastic body of yet another stolen card.”

Did Crooks Copy Academics?

Anderson, the security engineering researcher at the University of Cambridge whose work the French researchers cited, says he’s well aware of the findings. “I knew of the French work three years ago, as the prosecution expert talked to me privately,” he tells Information Security Media Group. “I asked him to publish what he could when he could, which he’s now done.”

But Anderson questions whether these criminals learned from his group’s research, noting that related exploits predated the 2010 paper. “The impression I got at the time was that the French crooks developed this attack independently of us,” he says. “In fact, we did our own research because we got persistent reports from credible witnesses that they’d had EMV cards stolen and used in stores in circumstances where the PIN could not have been compromised, yet their banks claimed it must have been and refused a refund. That’s what drove us to look hard at the protocol.”

Regardless of whether criminals learned from academic research, University of Surrey’s Woodward says such research remains crucial for finding EMV flaws so they can be fixed. “If you go back to the original work that Ross et al did, it was only because of his persistence – in the face of banks saying [EMV] was foolproof – that we found that there were some issues,” he says.

Improving the EMV Protocol

Indeed, the French researchers report in their paper that after conducting a forensic analysis of the fake EMV cards, Cartes Bancaires added a new Combined Data Authentication mode for verifying transactions as well as network-level countermeasures, to block copycat attacks. “In addition, four other software-updatable countermeasures were developed and tested, but never deployed,” they say. “These were left for future fraud control, if necessary.”

One takeaway, the French researchers say, is that for EMV to remain secure, “an unmalleable cryptographic secure channel must always exist between cards and readers.”

But man-in-the-middle attacks that might defeat this channel – such as those used by the French gang – are quite difficult to detect, Woodward says. “The reason man-in-the-middle attacks are so effective is that you might think you have just such an encrypted link but it has been subverted by the crooks. In many ways, the strength of the encryption is irrelevant as what you do is construct a scenario where there is no encryption,” he says. “You can fool people quite easily, and systems for that matter, if the default is not checked, and you simply assume everything is fine unless a warning appears.”

No Current Attacks Spotted

Woodward, who’s a cybersecurity adviser to Europol – the association of European police agencies – says he’s not aware of any new EMV-defeating attacks in the wild. “But the problem is there is always a lag between them being developed and showing up in crimes,” he says.

Furthermore, such attacks don’t tend to be discovered until enough cardholders report related fraud cases, and that takes time. “After all, if they showed up easily, this [French] crew wouldn’t have walked off with hundreds of thousands of dollars,” he says. “It’s one of the many reasons I always say people should report fraud [to police], even if they get the money back. Only with enough data can you spot trends and detect that a crime is sometimes occurring.”


Ausec training seminar provides a comprehensive review of application security concepts and industry best practices, covering the 8 domains of the CSSLP Certification.


Ausec has the proficiency to provide all courses of ISACA (the Information Systems Audit and Control Association), which engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
