News outlets throughout the US reported last week about “Operation Card Shop,” a series of crimes related to stolen credit card information. The press release from the US Attorney’s Office for the Southern District of New York is titled “Manhattan U.S. Attorney And FBI Assistant Director-In-Charge Announce 24 Arrests In Eight Countries As Part Of International Cyber Crime Takedown.” It is clear that this was a big operation. The press release is a very interesting read, describing the methods used to catch the alleged criminals and giving details on their alleged crimes. Since many of these activities are described in Learning Tree’s System and Network Security course and some aren’t, I’d like to mention those here, along with the names that “carders” (those who steal credit card numbers and/or related information) use for them, according to the press release. Some of the items that were allegedly sold include:
One person was arrested for allegedly trying to sell counterfeit credit cards. Another was arrested for “instoring” – using stolen credit information inside a brick-and-mortar store (instead of online) to purchase merchandise.
So, does this deter me from using credit cards online? No. It appears that most of the credit information was not acquired from individual users, but rather from larger databases. Yes, the RAT software did steal usernames and passwords. Maybe “thousands” of computers were infected with that software. But large databases seem to be a better target. Even offline-only use of the credit card would let the card info be in the database, so whether I use my card online or offline in that case is immaterial.
But the RAT keylogger idea does bring up an interesting question: “Are keyloggers detected by antivirus and other PC protection software?” I have not done any testing on particular products, but I do have a few thoughts. First, if one searches for keylogger software, a few products turn up that claim to be undetectable by anti-virus software. The sites for the products claim that they are to be used by parents, CEOs and others who rightfully want to see what computers they own are being used for. It is possible that most or all anti-virus software and maybe personal firewall software will allow that software to run and even store and send out data. Second, bad guys have what are likely more sophisticated tools.
I am hoping that anti-virus vendors soon respond to these news stories claiming that their software would have detected the specific keylogging and camera hijacking tools the US Attorney’s office says were used in these attacks. The FBI notified affected individuals and institutions along the course of this operation. I hope the institutions took advantage of the opportunity to secure their databases further.