Point of Sale Voyeur - Threat Actor Attribution Through POS Honeypots

DerbyCon 6.0 - Recharge

Presented by: Kyle Wilhoit
Date: Saturday September 24, 2016
Time: 10:00 - 10:50
Location: Regency South
Track: Teach Me

What would POS terminal cybercriminals do if they didn't know you were watching? Imagine you could understand and see a clear connection between a payment terminal compromise, credit card numbers getting stolen from those terminals, and ultimately their sale on the underground. Attribution of attackers is often difficult, especially when dealing with point of sale terminal breaches. Trying to establish tools, tactics and procedures in order to better understand the adversary also takes time, effort, and dedicated resources. Using a combination of physical and virtual honeypots, we tracked POS attackers from the initial infection all the way to the sale of fake credit cards on underground forums. In this new research, we cover the malware, TTPs, and attack chain behind several POS actors against our honeypots. Finally, learn about a tool we created and used that aided in the analysis of attacks, file drops, and communications, FileGrabber, that we are going to release at the end of the talk.

Kyle Wilhoit

Kyle Wilhoit, an internationally recognized speaker, has given talks at Blackhat US, Blackhat EU, FIRST, and on four continents. With his work featured in BBC, NBC, ABC, Wired, and other outlets, his research is recognized as some of the most unique around the world. As a Sr. Threat Researcher at Trend Micro, Kyle is responsible for hunting nastiness on the Internet, one bad guy at a time. Kyle has a Master's and Bachelor's degree and has worked at a large coal company and ISP performing threat intelligence and malware reverse engineering.

