The massive data breach at Target during the 2013 holiday shopping season which the retailer now admits affected from 70 to 110 million customers used an inexpensive “off the shelf” malware available online for as little as $1,800 reports title="krebs on security on target malware attack">Krebs on Security. This malware, known as BlackPOS is likely of Russian origin and may have also been involved in the Neiman Marcus attack—and others allegedly known but not confirmed.
The malware was surreptitiously installed on the embedded Windows OS computers on the point of sale (POS) terminals in all of Target’s U.S. stores. The company’s Canadian outlets apparently use a different software system and were not targeted in the attacks. Although the magnetic stripe information is encrypted on its way out of these POS terminals on its way to the financial institutions for verification, the data is briefly stored in plain text in the unit’s RAM (memory.) Thus, the malware “scrapes” this info from the RAM and stores it until it can be retrieved in batches through a persistent remote connection.
The real weakness, though, is not in the POS terminals but in Target’s central data network. The crooks apparently had an open channel to every POS terminal in every Target store for over two weeks! The price of the malware itself indicates that it’s not rocket science, but neither, I guess, is cracking the whole network.
The POS terminals themselves can be replaced with newer models that encrypt end to end. This will be expensive, but nothing, obviously, compared to the hit that Target has taken thus far. It is surprising that its overall network is so open. The same things that make for convenient remote administration also create huge security holes. WiFi networks have been implcated in previous larger retail breaches, but Target has not specified the vector of the attack. All that Target CEO Gregg Steinhafel was willing to tell CNBC in an interview on Saturday was that, ”We don’t know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we’ve established.’”
According to Reuters, “smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Brian Krebs of Krebs on Security says he is not ready to confirm this but assures that “when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.” I’ll be looking for that any day now…
– – – – – – – – – – – – – – – – – – – –