[WEB SECURITY] CardSystems was a Web Application Hack

[Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>]

Most are already familiar with the infamous CardSystem incident where  
hackers stole 263,000 credit card numbers and exposed 40 million  
more. What remained a mystery is how exactly the hack occurred since  
what we knew was mostly scattered rumors and theories.

Bill Pennington pointed me to a new article in Information Security   
magazine (April 2006) describing some new details.

Security Survivor All-Stars
http://informationsecurity.techtarget.com/magLogin/ 
1,291245,sid42_gci1175858,00.html

*Unfortunately I've not be able to find an online version that  
doesn't require a subscription.

"In September 2004, hackers dropped a malicious script on the  
CardSystems application platform, injecting it via the Web  
application that customers use to access account information. The  
script, programmed to run every four days, extracted records, zipped  
them and exported them to an FTP site."

This reads to me like it was a web application hack, but its  
difficult to derive what class of attack. If I had to guess, it was  
probably was an OS Commanding issue in order to write executable code  
onto the file-system.



Regards,

Jeremiah-





---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/