Phishing for the missing piece of the CardSystems puzzle

A banking insider examines the ties between customized phishing attacks this spring and the CardSystems breach announced soon after. Don't miss his revelations on how they're linked and what the phishers really needed.

Perhaps you heard about customized phishing scams when they began circulating back in May, in which actual credit card data was used to lure consumers into divulging even more secrets. But did you know these scams could very well be the first externally visible result of the CardSystems breach, before it was made public in June?

That's the conclusion I've drawn after carefully tracking a chain of events and deducing, as an IT auditor in the banking industry, a connection between two seemingly dissimilar announcements.

Let's start with this spring, when Cyota Inc. issued the following [excerpted] press release after some customized phishing attacks were reported by its clients:

New York, NY – May 16, 2005 – Cyota, [a] provider of antifraud and online security solutions for financial institutions, has detected a dangerous new phishing attack – which Cyota has coined "personalized phishing" -- where an organized gang of fraudsters is using real stolen information to target accountholders by name to lure individuals into divulging additional sensitive information.

Cyota has since explained that the origin of these attacks was difficult to ascertain because this "personalized phishing" was occurring on a broad base, affecting many of the institutions that it oversees, not simply a single institution that had been hacked. You may ask yourself, "What makes a personalized attack different?" I can safely assume that most of you reading this are familiar with traditional phishing attacks, which have always been relatively basic. Choose a target [eBay, PayPal, Citibank] and send out 5 million identical e-mails that say "Dear PayPal customer, your account needs to be reactivated…" and then wait for those gullible enough to click on the link in your e-mail so you can steal their information.

These new attacks were more devious. The e-mail would read more like this: "Dear Donald, your account at Bank of Smith, 1234-5678-9012-3456, expiring 05/05, has been deactivated for security purposes. We would like you to take a moment to visit our Web site to reactivate your account. For your convenience, a link has been provided." This banking information is all correct and accurate, and may lead those who read it to believe that the e-mail has in fact originated from their financial institution.
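The distinguishing mark of the e-mail above is that it carries a real, full card number and expiry date alongside the usual "reactivate your account" lure. As an added example (not code from the original article, from Cyota, or from any bank), here is a small Python triage check a mail gateway or help desk could run over inbound messages: it flags a message as personalized phishing when the body contains a Luhn-valid card number together with deactivation language or a link, and it never logs the full number. The sample messages are constructed, and the card number used in them is the well-known test value 4111 1111 1111 1111 because the article's placeholder 1234-5678-9012-3456 does not pass the Luhn check.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])/\d{2}\b")
LINK_RE = re.compile(r"https?://\S+|a link has been provided", re.I)
# Lure phrases seen in both generic and personalized variants.
LURE_PHRASES = ("deactivated", "reactivate", "suspended",
                "verify your account", "security purposes")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the result is safe to log or ticket."""
    return "*" * (len(pan) - 4) + pan[-4:]


def assess(message: str) -> dict:
    """Classify one message body: personalized-phish, generic-phish or clean."""
    pans = find_pans(message)
    lower = message.lower()
    lures = [p for p in LURE_PHRASES if p in lower]
    has_link = bool(LINK_RE.search(message))
    has_expiry = bool(EXPIRY_RE.search(message))

    # A full card number in an e-mail is itself abnormal; combined with a lure
    # or a link it matches the "personalized phishing" pattern.
    if pans and (lures or has_link):
        verdict = "personalized-phish"
    elif lures and has_link:
        verdict = "generic-phish"
    else:
        verdict = "clean"
    return {"verdict": verdict, "pans": [mask(p) for p in pans],
            "lures": lures, "link": has_link, "expiry": has_expiry}


# Constructed sample messages (not real mail).
SAMPLES = [
    "Dear Donald, your account at Bank of Smith, 4111 1111 1111 1111, expiring 05/05, "
    "has been deactivated for security purposes. We would like you to take a moment to "
    "visit our Web site to reactivate your account. For your convenience, a link has been provided.",
    "Dear PayPal customer, your account needs to be reactivated. "
    "Click http://example.invalid/login to continue.",
    "Your order #1234 shipped today. The card ending in 1111 was charged $12.50.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess(s))
```

The check is a heuristic, not proof: a card number can legitimately appear in some merchant correspondence, so a match should route the message to a reviewer rather than auto-delete it, and the masked output is what goes into the ticket.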

That same day, SearchSecurity published an article on this topic, "New phishing scam gets personal." Prior to writing the article, the author called me to discuss the phishing issue at length. We couldn't understand the reason for the phishing scam. Cyota said that the hackers were trying to "enhance existing lists of stolen credentials." What stumped us was what information was missing. In other words, why phish? I think I now know that answer: the hackers wanted Social Security numbers.

Then, on June 17, the news broke that 40 million credit cards had been compromised through a breach at CardSystems. My first reaction was simply, "Wow, that's a lot of cards." As a banker though, I was curious and continued watching developments in the story. As it played out, the parties involved disagreed concerning who truly identified the breach at CardSystems. Quoting from the press releases, we find the following reports:

    CardSystems Solutions' press release states that, "CardSystems Solutions identified a potential security incident on Sunday, May 22. On Monday, May 23, CardSystems contacted the Federal Bureau of Investigation."
    MasterCard's press release says, "MasterCard International's team of security experts identified that the breach occurred at Tucson-based CardSystems, a third-party processor of payment card data… Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached."

Regardless, a probe located a script designed to capture data on CardSystems' network, most likely placed there by a virus.

When I found out that the company had notified the FBI of the breach on May 23, I got excited. I remembered talking weeks earlier about the credit card-related phishing scam. Since then, I've concluded the two incidents are related. In my mind, the hero of this story is Cyota. As a diligent watchdog, Cyota observed and aggregated phishing attacks from many different sources and institutions. When Cyota realized the new attack vector was large scale, it made a public disclosure that served as a service to e-mail users everywhere: "Pay extra attention, because now the attackers have more specific information." This press release notified the public that private information was being used.

So I knew that Cyota reported the issue first. Not MasterCard. Not CardSystems. Cyota. It couldn't know exactly where the breach had happened, since that would be privileged information, but said in its press release that "the fraudsters use real stolen information about the accountholder -- such as the person's name, e-mail address, correct full account number, and other bank information," so they must have known that someone had been hacked.

I wanted -- no, needed -- to know just why these criminals still needed to phish. But one fact really stood out. In an attempt to keep the masses calm, news accounts kept stressing: "There is no need to worry about identity theft because there were no Social Security numbers in the database." Bingo. I knew that was the missing piece of the equation.

For a hacker who wants to sell information, the transactions that were stolen from CardSystems are almost gold. The company processes all types of credit card transactions, but I was specifically interested in its Internet transactions. Think it through: The last time you bought something online anywhere, be it Barnes & Noble or Joe's Coffee Shack and Recycled Paper Goods, what information was necessary?

  • Credit card number
  • CVV [that little 3-digit number on your card]
  • Expiration date
  • E-mail address [for your receipt]
  • Shipping address
  • Cardholder name
  • Billing address [if different than shipping]

This information would provide everything necessary to create the phishing e-mails described by Cyota except for one thing: your financial institution. However, the company that was hacked is a payment processor. Processors aggregate the transactions and then pass them on to your… financial institution. Therefore, their records would include your financial institution as well. A crafty hacker then takes the available information, designs a phishing e-mail that is personalized to you, and off it goes. While this system may be slower than traditional phishing, the results are extremely worthwhile.

Stolen credit card numbers can go for up to a couple of hundred dollars each on the black market, with the price varying according to credit limit. However, add a simple Social Security number to the information and you have just transformed your minor credit card fraud sale into a customized identity theft "package deal." With an SSN, these account numbers could double as fake identities for those who may want to apply for credit in your name. Enter the phishing scheme. My original question was, "What information are they missing?" or, "Why do they need to go phishing?" The "why" answer is: "9 golden digits."

About the author
Donald Smith is the IT audit manager for The Mechanics Bank of Richmond, Calif. Smith's opinions are his own, and not those of The Mechanics Bank.