Retail Breach - Who is Next?

Update: Retail Breaches Spread. Point of Sale Malware A Suspect.

Reuters is reporting on Monday that the recently disclosed hack of box store retailer Target Inc. was just one of a series of attacks against U.S. retailers, including Target, the luxury department store Neiman Marcus and other, as-yet-unnamed companies.*

Neiman Marcus logo
Neiman Marcus was the latest major retailer to acknowledge that its network had been breached by cyber criminals.

The story adds to other, recent revelations, including the breach at Neiman Marcus, which was first disclosed by the security blog Krebsonsecurity.com on Friday. Also on Monday, Target CEO Gregg Steinhafel confirmed that his company was the victim of malicious software installed on point of sale (PoS) systems at the store.

According to the Reuters report, Target Corp and Neiman Marcus are just two retailers whose networks were breached over the holiday shopping season. The story cites unnamed sources “familiar with attacks,” which have yet to be publicly disclosed.

Breaches of “at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target,” according to Reuters report. Those breaches may be linked to other, similar breaches that took place earlier in 2013. 

Law enforcement sources quoted in the story have pointed the finger at eastern european cyber criminal gangs, but no firm links have been cited between the various security incidents, nor have any links to named cyber criminal groups been disclosed.

The attacks in question relied on malware that used a technique called “RAM scraping,” grabbing unencrypted card data from the random access memory used by the point of sale terminals.

That was the case at Target, according to CEO Steinhafel, who told CNBC’s Becky Quick in an interview that malware was installed on the company’s point of sales terminals.

“What we do know is that there was malware installed on our point of sale registers. That much we’ve established” he said, admitting that the company is still investigating the incident and doesn’t know the full extent of what happened on its network.

“These point of sale malware will scrape the RAM and look for the track data, which is sent to the cyber criminals,” said Dave Loftus, a Research Analyst at Arbor Networks and an expert on point of sale malware. “We see a lot of similar infection vectors. We see a lot of exfiltration and checking into C&C using common protocols like HTTP. Dexter uses HTTP posts and a lot of other malware will use GET requests,” Loftus said, noting common methods to transmit data and requests using HTTP, the web’s main authoring language.

Arbor has been tracking a number of point of sale malware variants, including multiple variants of the Dexter malware with names like ‘Stardust’ and ‘Revelation,’ as well as other malware families including Citadel and Project Hook. The malware steals Track 1 and Track 2 information stored on the magnetic stripes used on payment cards.

“We’re tracking nine types of PoS malware and there’s more than that. We’ve got more on the way,” said Curt Wilson a Senior Research Analyst at Arbor.

Point of Sale Terminal
US CERT warns that Point of Sale terminals are vulnerable to malware infection.

Last week, U.S. CERT issued a warning about the increasing use of point of sale malware. In the alert, CERT advised owners and operators of PoS systems  to increase the security of POS systems by employing strong passwords and getting rid of any system default passwords on their PoS systems. Point of Sale terminals should be updated to the latest software version available and use firewalls to block access from outside and within the corporate network, and anti-malware software to stop malicious programs, whenever possible. Finally, local access using USB thumb drives or other external media should be prohibited, CERT said.

Wilson of Arbor Networks said that the spate of recent breaches has gotten the attention of other businesses. He advises customers that detect point of sale malware on their system should investigate it – and quick. “Obviously prevention is key. But if you can’t prevent, then detect it as quickly as you possibly can and then take action – because you have a real problem.”

(*) Updated to include news of Target CEO’s interview with CNBC, where he acknowledges the use of PoS malware in that attack. – Paul 1/13/2014

Comments are closed.