Network Analysis of Point-of-Sale System Compromises

Operation Terminal Guidance
Chicago Electronic & Financial Crimes Task Force
U.S. Secret Service

Outline

• Background
• Hypothesis
• Deployment Methodology
• Data Analysis
• Findings
• Discussion

Investigative Goals

• Hypothesis: remote attackers were not targeting point-of-sale (POS) software as such. POS system compromises instead resulted from insecure deployment of the underlying operating system, which was located by automated scanning and taken over by vulnerability exploitation.

Deployment Methodology

[Figure: honeynet deployment diagrams; each server in the diagrams is a virtual machine]

Components common to both honeynets:
• ADSL Router/Modem providing the public 68.166.251.x connectivity
• Honeywall: eth0 0.0.0.0 and eth1 0.0.0.0 (unaddressed inline bridge interfaces), eth2 10.10.1.x (management)
• Remote Management host: eth0 10.10.1.x
• VMware networks: VMnet 0 (bridged to host), VMnet 2, VMnet 3, VMnet 4

Variant 1: one Point of Sale System (eth0 192.168.1.x, on VMnet 3) behind a Firewall (eth0 68.166.251.x, eth1 192.168.1.1).

Variant 2: three Point of Sale Systems, each with eth0 on 68.166.251.x and reachable directly through the Honeywall.

The slide labels the two honeynets "Test Group Honeynet" and "Control Group Honeynet" and marks a Honeytoken.

Data Analysis

[Figure: Control Group connection attempts by port. Y axis: connection frequency (percentage), 0 to 0.3; X axis: ports 1026, 1027, 1028, 135, 5901, 445, 139, 80; one series each for POS A, POS B and POS C]

Data Analysis

[Figure: Test Group connection attempts by port. Y axis: connection frequency (percentage), 0 to 0.4; X axis: ports 135, 139, 445, 1026, 1394, 5017, 5900; one series each for POS A, POS B and POS C]

Data Analysis

• Association rules
  – Clustering
• T: number of virtual POS systems with connection attempts from a single source
• n_i: number of packets from a source to one virtual POS system
• N: total number of packets from a source to all three POS systems, N = Σ n_i

Support(R) = #connections matching item set R (POS systems A, B and C) / #connections

Data analysis methodology from F. Pouget and M. Dacier, "Honeypot-Based Forensics."
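As an added worked example (not code from the task force or from the Pouget and Dacier paper), the following Python computes the per-port connection frequencies plotted in the previous two charts and the T, n_i and N statistics behind each cluster, then evaluates the support of an item set. The connection records are constructed for illustration, with addresses from documentation ranges rather than the 68.166.251.x block; the assumption that the slide's "#connections" denominator is the number of (source, port) transactions is stated in the code.

```python
from collections import defaultdict

# Constructed sample of honeywall connection records, one per (source IP, POS system,
# destination port); the last field is the packet count n_i from that source to that POS.
# Hypothetical data for illustration, not the task force's capture.
RECORDS = [
    ("198.51.100.7", "A", 445, 3),
    ("198.51.100.7", "B", 445, 3),
    ("198.51.100.7", "C", 445, 3),
    ("198.51.100.9", "A", 445, 1),
    ("203.0.113.4", "A", 1026, 1),
    ("203.0.113.4", "B", 1026, 1),
    ("203.0.113.4", "C", 1026, 1),
    ("203.0.113.8", "A", 139, 2),
    ("203.0.113.8", "B", 139, 3),
    ("192.0.2.30", "C", 5900, 1),
]


def port_frequency(records):
    """Connection-attempt frequency by destination port for each POS system, as a fraction
    of that system's connection attempts (the quantity plotted on the per-port charts)."""
    per_pos = defaultdict(lambda: defaultdict(int))
    for _src, pos, port, _pkts in records:
        per_pos[pos][port] += 1
    return {pos: {port: count / sum(ports.values()) for port, count in ports.items()}
            for pos, ports in per_pos.items()}


def transactions(records):
    """One transaction per (source, port) carrying the slide's statistics:
    n = packets per POS system (n_i), T = number of POS systems reached, N = sum of n_i."""
    per_tx = defaultdict(lambda: defaultdict(int))
    for src, pos, port, pkts in records:
        per_tx[(src, port)][pos] += pkts
    return {key: {"n": dict(n), "T": len(n), "N": sum(n.values())}
            for key, n in per_tx.items()}


def clusters(tx):
    """Group sources whose activity shares a signature (port, T, sorted n_i), which is the
    information the slides attach to each cluster, e.g. 'T=3, N=30 (n=10, n=10, n=10)'."""
    groups = defaultdict(list)
    for (src, port), stats in tx.items():
        groups[(port, stats["T"], tuple(sorted(stats["n"].values())))].append(src)
    return dict(groups)


def support(tx, port, item_set):
    """Support of item set R (a set of POS systems) on a port: the fraction of all
    transactions that reached every system in R on that port.
    Assumption: the slide's '#connections' denominator is this transaction count."""
    hits = sum(1 for (_src, p), stats in tx.items()
               if p == port and set(item_set) <= set(stats["n"]))
    return hits / len(tx)


if __name__ == "__main__":
    tx = transactions(RECORDS)
    for (port, T, ns), group in sorted(clusters(tx).items()):
        print(f"port {port}: T={T}, n={ns}, sources={group}")
    print("support(445, {A,B,C}) =", support(tx, 445, {"A", "B", "C"}))
```

A source that hits all three POS systems on one port with the same packet count (T=3, equal n_i) is the signature of an automated scanner sweeping the block; a T=1 cluster with a large N is a source that stayed on one host, which is the pattern to inspect for exploitation.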

Data Analysis

Control Group Clusters

Port | Item Sets | Support % | Support % > 1%
80   | Cluster 1: T=1, N=3; Cluster 2: T=1, N=1; Cluster 3: T=2, N=8 (n=5, n=3) | 43.5%, 10.9%, 4.3% | 1
135  | Cluster 4: T=1, N=1; Cluster 5: T=1, N=2 | 54.5%, 22% | 2
139  | Cluster 6: T=1, N=2; Cluster 7: T=1, N=3 | 75%, 10.1% | 1
445  | Cluster 8: T=1, N=1; Cluster 9: T=1, N=2; Cluster 10: T=1, N=3 | 20%, 70%, 7.1% | 2
1026 | Cluster 11: T=1, N=1 | 53.5% | 1
1027 | Cluster 12: T=1, N=1 | 98% | 1
1028 | Cluster 13: T=1, N=1 | 83% | 1
5901 | Cluster 14: T=1, N=2 | 90.9% | 1

Data Analysis

Test Group Clusters

Port | Item Sets | Support % | Support % > 1%
445  | Cluster 1: T=2, N=3 | 22.2% | 0
1026 | Cluster 2: T=2, N=3; Cluster 3: T=3, N=3 (n=1, n=1, n=1); Cluster 4: T=1, N=1 | 1.8%, 20%, 50.9% | 2
1394 | Cluster 5: T=1, N=12; Cluster 6: T=1, N=15; Cluster 7: T=1, N=6; Cluster 8: T=1, N=9 | 20%, 16.7%, 1.7%, 16.7% | 3
2967 | Cluster 9: T=3, N=8 (n=2, n=3, n=3); Cluster 10: T=3, N=30 (n=10, n=10, n=10) | 10%, 10% | 0
5900 | Cluster 11: T=3, N=3 | 20% | 0

Data Analysis

• Edit Distance Analysis
  – Extract TCP payloads from the cluster members identified in the previous step
  – Compare the packets from each IP address against all others identified through clustering

Attack phrases (payload excerpts from Source A and Source B, as printed on the slide):

<mssE..0.{@.k.l\=.y.D..s.....jd.....p...............
<[email protected].;W\.D..s.]..........p...^2..........
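The comparison step above, as an added example that is not the task force's code: byte-wise Levenshtein distance between the payloads sent by each member of a cluster, every source against every other, with the mean distance and standard deviation that the phrase-distance tables report per cluster. The payloads are constructed (three variants of one overflow string plus one unrelated record) and the threshold used to call two sources near-duplicates is an assumption of the example.

```python
import statistics
from itertools import combinations

# Constructed TCP payloads, one per source in a cluster (hypothetical, not from the capture).
# Sources a, b and c send the same overflow with small variations; d is unrelated traffic.
PAYLOADS = {
    "src_a": b"OVERFLOW" + b"A" * 20 + b"\xeb\x1e\x5b\x31\xc0",
    "src_b": b"OVERFLOW" + b"A" * 20 + b"\xeb\x1e\x5b\x31\xc9",
    "src_c": b"OVERFLOW" + b"A" * 22 + b"\xeb\x1e\x5b\x31\xc0",
    "src_d": b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01",
}


def edit_distance(a: bytes, b: bytes) -> int:
    """Levenshtein distance (insertions, deletions, substitutions) over bytes, two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def pairwise_distances(payloads):
    """Distance between every pair of sources: each IP compared against all others."""
    return {(p, q): edit_distance(payloads[p], payloads[q])
            for p, q in combinations(sorted(payloads), 2)}


def phrase_distance_stats(payloads):
    """Mean and population standard deviation of the pairwise distances, the two figures
    the phrase-distance tables give per cluster."""
    d = list(pairwise_distances(payloads).values())
    return statistics.mean(d), statistics.pstdev(d)


def near_duplicates(payloads, threshold):
    """Pairs at or below the threshold: candidates for the same tool or exploit."""
    return sorted(pair for pair, d in pairwise_distances(payloads).items() if d <= threshold)


if __name__ == "__main__":
    for pair, d in pairwise_distances(PAYLOADS).items():
        print(pair, d)
    print("mean, std dev:", phrase_distance_stats(PAYLOADS))
    print("near duplicates (<= 3):", near_duplicates(PAYLOADS, 3))
```

A low distance with a small standard deviation across a cluster indicates one tool replayed from several addresses; a large standard deviation, as in the 1394 clusters of the test group table, means the cluster mixes dissimilar payloads and should be split before drawing conclusions. The O(len(a) * len(b)) table is fine for single packets; for full session reassembly, bound the compared prefix first.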

Data Analysis

Control Group Phrase Distance

Cluster | Port | Std Deviation and Phrase Distance (Lines) (the two figures are run together as printed)
Cluster 6  | 139  | 92
Cluster 7  | 139  | 51
Cluster 8  | 445  | 103
Cluster 9  | 445  | 85
Cluster 10 | 445  | 184
Cluster 11 | 1026 | 16986
Cluster 13 | 1028 | 6512
Cluster 14 | 5901 | 1232

*** Clusters 1, 2, 3, 4, 5 and 12 were discarded as not statistically significant

Data Analysis

Test Group Phrase Distance

Cluster | Port | Std Deviation and Phrase Distance (Lines) (the two figures are run together as printed)
Cluster 2  | 1026 | 238324
Cluster 5  | 1394 | 85360
Cluster 6  | 1394 | 170280
Cluster 7  | 1394 | 136529
Cluster 8  | 1394 | 11431422
Cluster 11 | 5900 | 257240

*** Clusters 1, 3, 4, 9 and 10 were discarded as not statistically significant

Data Analysis

[Figure: Network Traffic Overview, POS A, Control Group: plot of packet header fields, one axis per field: Packet Length, Ethertype, IP Version, IP Differentiated Services, IP Header Length, IP ID, IP Total Length, IP Fragment, IP Flags, IP Transport Protocol, TTL, IP Source Address, IP Header Checksum, TCP Source Port, IP Destination Address, Seq Number, TCP Destination Port, UDP Destination Port, UDP Source Port]

Visualization methodology from Greg Conti, "Security Data Visualization."

Data Analysis

[Figure: two plots of the same traffic: Source IP against TCP Source Port and TCP Destination Port, and Source IP against TCP Destination Port]

Data Analysis

• The TCP outlier corresponds to browsing a public web site to confirm connectivity
• The packets are of uniform length
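To produce the field-per-axis overview two slides back and to test the uniform-length observation on raw captures, the header fields have to be pulled out of each frame. The following Python is an added example, not the task force's tooling: it parses Ethernet/IPv4/TCP/UDP headers with struct, verifies the IP header checksum as a sanity check on the capture, and reports whether all frames share one length. The frames are constructed inside the block (documentation-range addresses, made-up MACs and ports), so the traffic is hypothetical.

```python
import ipaddress
import struct
from collections import Counter


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, proto, sport, dport, payload=b"", seq=0, ttl=128, ident=1):
    """Construct an Ethernet/IPv4/{TCP SYN, UDP} frame for the example (hypothetical traffic)."""
    if proto == 6:      # TCP: 20-byte header, data offset 5, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    elif proto == 17:   # UDP: 8-byte header, checksum left as zero (optional for IPv4)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident, 0x4000, ttl, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + b"\x08\x00"
    return eth + ip + l4


def parse_frame(frame: bytes) -> dict:
    """Extract the header fields used as plot axes from one raw frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    rec = {"packet_length": len(frame), "ethertype": ethertype}
    if ethertype != 0x0800:
        return rec
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    vihl, dscp, tot, ident, flagfrag, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    rec.update({
        "ip_version": vihl >> 4, "ip_header_length": ihl, "ip_dscp": dscp,
        "ip_total_length": tot, "ip_id": ident, "ip_flags": flagfrag >> 13,
        "ip_fragment_offset": flagfrag & 0x1FFF, "ttl": ttl, "ip_protocol": proto,
        "ip_header_checksum": csum,
        "ip_checksum_ok": ip_checksum(ip[:10] + b"\x00\x00" + ip[12:]) == csum,
        "ip_src": str(ipaddress.IPv4Address(s)), "ip_dst": str(ipaddress.IPv4Address(d)),
    })
    l4 = frame[14 + ihl:]
    if proto == 6:
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        rec.update({"tcp_sport": sport, "tcp_dport": dport, "seq_number": seq})
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        rec.update({"udp_sport": sport, "udp_dport": dport})
    return rec


def length_profile(frames):
    """Distinct frame lengths with counts; a single length means the packets are uniform,
    as a scanner's identical probes are."""
    counts = Counter(len(f) for f in frames)
    return len(counts) == 1, dict(counts)


# Constructed scanner probes (TCP SYNs to 445, 135, 139) and one UDP message to port 1026.
SAMPLE_FRAMES = [
    build_frame("198.51.100.7", "192.0.2.10", 6, 3188, 445, seq=0x1A2B3C4D),
    build_frame("198.51.100.7", "192.0.2.11", 6, 3189, 445, seq=0x1A2B3C4E),
    build_frame("203.0.113.8", "192.0.2.10", 6, 4001, 135, seq=0x00C0FFEE),
    build_frame("203.0.113.8", "192.0.2.12", 6, 4002, 139, seq=0x00C0FFEF),
]
UDP_MESSAGE = build_frame("192.0.2.30", "192.0.2.10", 17, 1026, 1026, payload=b"MESSENGER SPAM TEXT")

if __name__ == "__main__":
    for f in SAMPLE_FRAMES + [UDP_MESSAGE]:
        print(parse_frame(f))
    print("uniform:", length_profile(SAMPLE_FRAMES), length_profile(SAMPLE_FRAMES + [UDP_MESSAGE]))
```

Each dictionary row is one point in the overview plot; plotting the TCP rows alone gives the uniform 54-byte SYN probes, and the UDP row is the kind of length outlier that the tree maps on the following slides separate out.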

Data Analysis

[Figure: TCP Packet Tree Map and UDP Packet Tree Map]

Data Analysis

• Examination of the UDP packets identified in the preceding tree map showed them to be spam directed at messenger applications

Findings

• Automated scanning of a select set of ports
• Multiple exploits targeting multiple operating systems from a single source IP address
• Attackers were not aware that the compromised system was a POS system until after compromise and exploitation
• Insecure installation of the operating system and applications led to compromise

Discussion

Ryan E. Moore, Special Agent
U.S. Secret Service
312-353-5431
[email protected]

All references available upon request