Security researcher finds clues to malware in Target heist
Security researcher finds clues to malware in Target heist
Brian Krebs reports that the malware used to steal millions of customers' payment card information was uploaded through a compromised server.
January 15, 2014 9:00 PM PST
While Target has said hackers used malware installed on point-of-sale terminals to pilfer the payment card information from millions of customers, the retailer has been silent about how the malware siphoned off the sensitive data.
CEO Gregg Steinhafel confirmed this week that malware installed on checkout keypads was used to steal the names, mailing addresses, phone numbers, and e-mail addresses of as many as 110 million customers. Sources have told Reuters that one of the tools used by the thieves was a memory scraper, which harvests encrypted data as it moves through the computer's memory in plain text.
A Target representative declined to provide additional information on the malware used in the attack, citing the ongoing investigation into the theft.
However, security researcher Brian Krebs reported Wednesday that the malware has been linked to intrusions as far back as last June. Krebs, who broke the story about the Target security breach in December, said sources had told him that the thieves broke in through a compromised Web server.
"Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target's internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices," Krebs wrote.
Krebs said the malware is "nearly identical" to BlackPOS, a cybercrime product that records payment card data from comprised keypads. Selling for as much as $2,300 on cybercrime forums, the malware is designed to avoid detection by firewall software.
Target, which suffered its breach between November 27 and December 15, was not the only US retailer to experience a security breach during the holiday shopping season. Upscale department store Neiman Marcus confirmed on Friday that its database of customer information was hacked last month around the same time as the attack on Target. Additionally, Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be publicly revealed.
