An indictment unsealed on December 7 charged a group of four Romanians with attacking the chains, using brute-force attacks to guess passwords. The essence of the attacks' success, though, was based on two weaknesses: different unsecured remote-access packages used by various franchisees of Subway, which enabled easy Internet access to POS systems; and card swipes with minimal encryption. That meant key-capture software installed by the cyberthieves was able to grab data in the clear, as it was being swiped.
The details of the attack, culled from federal filings and more than a half-dozen sources involved in the probe, outlines a three-year series of assaults beginning in 2008 and not fully halted until May 2011. The accused—Adrian-Tiberiu Oprea, Iulian Dolan, Cezar Iulian Butu and Florin Radu—were described as running a low-tech operation seeking soft targets. And it seems they found such targets in Subway franchise locations. Subway has since revamped its POS security, deploying point-to-point encryption, which required replacing its card swipes with encrypted magstripe readers, among other changes.
The more than 50 other retailers involved were not identified, but one official involved in the probe said they were mostly "smaller mom-and-pop choices" and a small regional chain with 20 to 30 stores and perhaps one slightly larger chain, which had "no more than two stores" attacked.
How the attack was discovered is an interesting side note to the case. Typically, with most of the major retail data breaches that have been prosecuted recently (including TJX, Hannaford, 7-Eleven, Wet Seal, JCPenney, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21 and Dave & Buster's), it has typically been a card brand detecting fraud and tracing it to a common point of purchase or the Secret Service learning of a breach (perhaps through wiretaps or intercepted messages) while investigating some other breach. The closest to a retailer discovering the breach was Target, which detected the breach after it happened, but that was long after the probe was ongoing with other victims of the same attackers (the Albert Gonzalez gang).
In this case, it seems frauds detected by a card issuer and a breach detected by Subway IT happened almost simultaneously. The issuer detected some frauds in New Hampshire and contacted law enforcement to try and figure out what was happening. That probe had just started when Subway detected its breach and reported it to the government.
Subway's IT group "found it independently," said one official involved in the probe.
Oddly enough, a Subway statement said law enforcement had first discovered the breach, a position disputed by multiple sources involved in the probe. "Upon learning about this (federal) investigation, we immediately took steps to improve our point-of-sale systems in the stores to make our customer transactions even more secure," said the Subway statement. Subway declined to explain the apparent contradiction.
Note: Almost no one involved in the probe from various federal agencies—including the U.S. Justice Department, the U.S. Attorney's Office in New Hampshire or the U.S. Secret Service's field office in Boston—or any of the many victims was willing to discuss the case for attribution.
The remote access software was put in place by various franchisees, apparently not following Subway guidelines. "It created an open door. The franchisees did this on their own," said one official. An attorney for defendant Dolan, Michael C. Shklar, said his client was a minor player. "Dolan is a guy who works in a tire factory. He's selling the stuff (the captured names and numbers) for next to nothing," Shklar said. "A thousand bucks for zillions of names."
Shklar denied that a lot of skill was needed in the attack. "Apparently, if you can figure out which specific port is used, you're in," he said.
In a court filing, Shklar said the complexity of the case—if not the attack—will take a lot of time to figure out. "The Government informed counsel that this case is quite complex. The discovery material in this case consists of at least 5,000 pages (much of it in the form of computer data) and relevant information may only be available in Romania," he said in the filing.
The indictment lays out the government's version of the attack: "It was part of the conspiracy that members remotely scanned the Internet to identify vulnerable POS systems with certain remote desktop software applications ("RDAs") installed on them, and using these RDAs, the conspirators logged onto the targeted POS systems over the Internet, either by guessing the passwords or using password-cracking software programs. It was further part of the conspiracy that members remotely and surreptitiously installed software programs called 'keystroke loggers' (or 'sniffers') onto the POS systems, which would record and store data that was keyed into or swiped through the merchants' POS systems, including customers' credit-card data."
Sources involved in the probe said the attack never touched—nor did it try to touch—data files that already existed on servers or the POS system; it just grabbed the new data as it flowed in. This is a key difference from many of the earlier cyber attacks, especially those from the Gonzalez gang. That also explains why this three-year attack accumulated fewer card numbers than the estimated 200 million taken by Gonzalez's crew.
The indictment said the accused "often installed a back door Trojan into the POS systems that would allow the conspirators to access the compromised POS systems in the future in order to install or re-install additional software programs (collectively referred to as 'hacker tools') that facilitated their POS-hacking scheme. The conspirators repeatedly downloaded a hacker tool that is designed to evade detection, 'xp.exe,' from the 'kitsite.info dump site' onto victims' POS terminals. These dump sites included the following: ftp.shopings.info, ftp.cindarella.info, ftp.kitsite.info, ftp.tushtime.info, and ftp.canadasite.info."
The indictment mentioned one of the dump sites, but it's hard to mention it without triggering SPAM obscenity warnings. To indicate the sense of humor of the accused, the FTP site was called Just (naughty word for amorous activity) It.
The indictment added that the dump sites "also included compromised Internet-connected computers belonging to unsuspecting small business owners or individuals." The group was also accused of creating bogus payment cards with the stolen data, which they they supposedly used with various retailers "primarily located throughout Europe."
The group did standard mechanisms to try and cover their tracks and made frequent use of proxy systems to try and disguise their IP paths and used the cyberthief-friendly chat "using IM and multiple, frequently changing screen names and E-mail addresses and untraceable disposable accounts."