But wait, let's step back: from entry until anyone noticed, how long did they actually stay in?
Well, we could look at statistics and all, or we can look at the evidence. In this case, the router password was changed at some point. No idea when. So you get some tech guy to come in and reset it. Well, there goes your evidence from that point.

What about the systems themselves, maybe? We found a computer in the back that was connected for doing social media for the establishment. This computer was, as expected, infected with multiple viruses going to multiple domains. But they had antivirus, so it's the AV company's fault! That's it! No... no, it's not. Let's look some more. As it turns out, with all that social media presence, all anyone has to do is be friends with them on socialmediasite1 and share an infected page.
But then, how did they get everyone's money? Why is the bank saying thousands went missing overnight to multiple accounts?
With the assistance of the police, a forensics firm comes into play because, well, money. They try to recover data from the router and image everything. They then dig through what they have and find a number of other issues:
- The register systems they use have a way outdated Linux kernel, which has been exploited.
- Those registers also have outdated VPN software with a known weakness that allows MITM of VPN traffic.
- The credit card machine itself has an outdated Linux kernel but an otherwise pretty solid service structure. It also has a web interface for management from a computer. They found evidence the web service was exploited, er, well... abused, using default credentials no one told them to change: a file was uploaded via the update form, its location was changed, and it was launched by viewing it from the web interface.
- All communications appear to be coming from a well-known VPN service hosted in another country.
Well, shit, what now? If we don't pursue this, the bank won't let us keep the money they gave us under the business insurance agreement.
So, please take the time to consider your local businesses and the security they uphold. Telling them about security flaws ahead of time may actually prevent this from happening.