Remotely Installed Keylogger Investigation

Credit issuer contacted LVMPD Forgery Unit and
advised that a local retail establishment was
likely the point of compromise for a large credit
card fraud ring.

Cards that were used at the establishment were
being counterfeited and used in foreign
countries within 24 hours.

Certain facts of the case made it unlikely that a
hand-held skimmer was being used.

Detectives from LVMPD Forgery and LVMPD
Electronic Crimes Unit responded to the
establishment.

Preliminary interviews were conducted with
the store manager and several sales clerks.

LVMPD ECU detectives conducted a physical
inspection of the network hardware, but saw
no obvious signs of tampering.

The network consisted of one Microsoft Windows-based PC running point-of-sale (POS) software and one additional PC in the back office area.

No wireless networking was used.

Network was remotely administered by an IT
staffer at the chain’s headquarters in New
York.

- The IT staffer had remote access to the POS computer via Timbuktu and Windows Remote Desktop.
- The POS software vendor also had remote access to facilitate support and updates.
- Anti-virus software had been disabled due to a software conflict.
- There was no Administrator password on the POS machine.
- The POS machine was capable of unrestricted internet browsing and email.
- Store clerks used the POS machine to conduct personal internet activity during free time.

A preliminary examination of the POS computer was conducted on site.

- LVMPD ECU detectives immediately noticed a suspicious entry in the POS computer’s Windows registry.
- The ‘Run’ key in the Windows registry lists programs that are automatically started during boot-up of the operating system.
- One of the programs listed was ‘bpk’.
- An internet search confirmed that this was a component of Blazing Tools Perfect Keylogger.

A keylogger is fundamentally designed to capture and store keystrokes typed by a computer user.

A hardware keylogger is a device inserted between the keyboard cable and the computer. It stores keystrokes in its internal memory for later downloading.

Software keyloggers have become MUCH more sophisticated. Not only do they record the keystrokes, but also which window received the keystrokes. They can often be configured to take screenshots at specific intervals to aid the suspect in capturing information.

Software keyloggers can also be configured to transmit the stored information (keystrokes and screenshots) using SMTP (email) or FTP.

- The most critical capability, though, is that many software keyloggers can also capture shared memory used for interprocess communication.
- Some magnetic stripe scanners use this shared memory to transmit the magnetic stripe data to the host application.
- This allows the software keylogger to capture the magnetic stripe data as soon as the card is swiped.

LVMPD ECU detectives immediately powered off the POS computer and created a forensic image of its hard drive. This image was taken back to the lab for further analysis.

The forensic examination revealed two additional keyloggers, Tool Keylogger and XP Advanced Keylogger.

All three keyloggers had been installed within a 15-minute period approximately one month prior, during the night when the store would have been closed.

All three keyloggers were configured to take periodic screenshots. The unintended side effect of this was that screenshots were taken of the suspect configuring the 2nd and 3rd keyloggers.

This revealed that the keyloggers were installed and THEN manually configured instead of being preconfigured. This is unusual and indicates a lack of sophistication on the part of the suspect(s).

Despite this lack of sophistication, the magnetic stripe data from every card used in this store for the past 30 days had been collected by and transmitted to the suspect(s).

The “gold mine” of evidence was found in the keylogger’s configuration files.

One keylogger was configured to upload keystrokes and screenshots to an FTP server using a username and password specified in the configuration file.

Another keylogger was configured to email the information to a webmail account.

Search warrants were immediately prepared to seek authority to examine the contents of the FTP server and the webmail account.

The FTP server was hosted by a US company in Arizona.

- They complied with the search warrant and provided us with several DVDs containing the contents of the server.
- On the server were dozens of directories to which compromised machines were transmitting their captured data. Each directory contained four to five days of captured data.
- The server also contained a large collection of hacking tools, configuration files and log files. This proved invaluable in establishing the suspect(s)’ M.O.

After careful examination of the hacking tools, log files and configuration files found on the FTP server, LVMPD ECU detectives established a fairly clear M.O. used by the suspect(s).

- The suspect’s first step was to use an IP port scanning tool to scan the internet (a few subnets at a time) for computers that appeared to be running Microsoft Terminal Services (a remote access component). This tool takes an IP address range as input and produces a list of IP addresses running Terminal Services as output.
- This would likely run overnight and the resulting list would be fed into the next tool.

The next step is to feed the list of IP addresses into the publicly available ‘tsgrinder’ program. This program is designed to perform a “brute force” password attack on Microsoft Terminal Services. Tsgrinder can be fed a ‘dictionary’ of passwords to try.

To improve efficiency the suspects created a very small dictionary of commonly used weak passwords, e.g. Password, administrator, 123456, etc.

They created a script that would try each password from the dictionary against each IP address and output the IP address of any computer on which the attack succeeded.

The suspects would then manually connect to the “compromisable” computers and install and configure the suite of keylogging programs.

Attempts to install the keylogging software would often fail or be quickly recognized by anti-virus software. In other cases the keyloggers would be ineffective or would not capture any useful information.

But on a few machines, the suspects hit the mother lode, and collected a bounty of credit card data, bank account login information, back-end server credentials, and other lucrative data.

Further examination of the FTP server showed
the variety of illegal activities engaged in by the
suspects.

Directories were found containing well-crafted phishing emails appearing to originate from major US financial institutions. Web pages were found that collected personal information from those victimized by the phishing scams.

Directories were found containing images used
in eBay scams as well.

The hosting company for the FTP server
complied with a court order directing them to
supply us with IP Logs for the FTP server.

The company which provided the webmail
account also provided us with IP logs for creation
and access to that account.

These logs showed that the server and email
account were accessed from a variety of IP
addresses throughout Romania, including a
university computer lab in Romania.

Remotely installed keyloggers are the tool of choice
for the unsophisticated or moderately sophisticated
cyber criminal.
If a keylogger is suspected, an offline forensic
examination MUST be done. Sophisticated software
keyloggers will hide their existence while running.
A virus scan against the virtually mounted image will
almost always reveal the existence of the keylogger.
Once the keylogger is found, examine its
configuration file to see where it is transmitting
captured data.
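Added example (not the investigators' tooling) covering both the configuration-file evidence described earlier and the recommendation above: pull candidate exfiltration destinations (FTP/SMTP hosts, email addresses, credential-looking strings) out of a keylogger configuration file taken from the mounted image. The byte blob, its key names and the hostnames are constructed; it mixes ASCII and UTF-16LE text because Windows programs store configuration in either.

```python
import re

# Constructed stand-in for a keylogger's configuration file: a binary blob
# mixing ASCII and UTF-16LE text, as Windows programs commonly store settings.
# Key names, hostnames, account and address are all made up.
CONFIG_BLOB = (
    b"[upload]\x00\x00"
    + "ftp_host=ftp.example.net".encode("utf-16-le") + b"\x00\x00"
    + "ftp_user=drop01".encode("utf-16-le") + b"\x00\x00"
    + b"\x10\x00\x00\x00smtp_server=mail.example.org\x00"
    + b"mail_to=collector@example.org\x00\xff\xfe\x02\x00"
)

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
CRED_RE = re.compile(r"user|pass|login|pwd", re.I)


def extract_strings(data, min_len=6):
    """Pull printable runs out of raw bytes, like `strings`, in both ASCII
    and UTF-16LE (the encoding Windows uses for wide-character text)."""
    ascii_runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([m.group().decode("ascii") for m in ascii_runs]
            + [m.group().decode("utf-16-le") for m in wide_runs])


def exfil_indicators(data):
    """Return hosts, email addresses and credential-looking strings found in
    a configuration blob: where the keylogger would send captured data."""
    found = {"hosts": set(), "emails": set(), "credential_strings": []}
    for s in extract_strings(data):
        found["emails"].update(e.lower() for e in EMAIL_RE.findall(s))
        # strip addresses first so a mail domain is not double-counted as a host
        found["hosts"].update(h.lower() for h in HOST_RE.findall(EMAIL_RE.sub("", s)))
        if CRED_RE.search(s):
            found["credential_strings"].append(s)
    return found
```

The hosts and mailbox that come out are what the search warrants in this case were written against; the credential strings are held as evidence, not used.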

Attacks of this nature are easily prevented by using strong passwords, up-to-date virus scanners, and properly configured firewalls.

A competent IT staffer would have noticed
MANY warning signs that something was
happening.

Failure to take these basic security steps can
result in millions of dollars in loss in only a few
weeks.