Attackers using techniques similar to those that cracked Target and Neiman Marcus also breached three other well-known but comparatively smaller retailers during the holiday shopping season.
Reuters, which broke the news about the new breaches in a story Jan. 12, didn’t name the companies that were hit, saying only that they are retailers with outlets in U.S. shopping malls and attributing the information to “people familiar with the attacks.”
Reuters’ sources suspect the same group is behind the attacks on Target, Neiman Marcus and the unnamed retailers, but have no concrete evidence indicating those attackers’ identity. Neiman Marcus announced in an e-mail dated Jan. 11 that some customer payment cards had been compromised during the same period as the Target attack. The company confirmed the breach Jan. 1, but neither the email nor subsequent interviews with Neiman Marcus spokespeople have indicated how many customers are affected or how the attack took place.
Target confirmed over the weekend that its massive data breach was due to malware infections on its point-of-sale terminals that allowed attackers to read transaction data from system memory before it was encrypted – a type of attack that has become increasingly common and successful as POS hardware has evolved to include Windows-based, Internet-connected PCs that are more graphical and multifunctional, but also far more vulnerable than the backend-server-controlled dumb terminals of a decade ago.
U.S. Secret Service and Department of Justice officials investigating the Target breach have suggested the attacks may have been organized by organized-crime groups in Eastern Europe. Former Soviet bloc countries including Ukraine, Latvia and others have become bases for self-sustaining underground economies created by approximately 3,600 organized crime groups active in the European Union, according to a March 2013 report from Europol’s European Cybercrime Centre.
As long ago as 2009, half of all major data breaches within the U.S. were committed by organized-criminal groups, according to a 2009 Washington Post story. Many of those groups, according to studies by Verizon Business’ security group and FBI sources, were based in Eastern European countries in which local laws provided some shield for businesses focused on stealing and reselling bank-card data, direct attacks on banks and financial institutions and mini tech-economies based on developing and distributing malware aimed at breaches such as those at Target and Neiman Marcus.
Target, meanwhile, has confirmed that the cause of its data breach was an infection of RAM-parsing malware designed to infect point-of-sale (POS) terminals, then scrape out and save data running through the system’s random access memory (RAM), where it is processed as clear text before being encrypted by transaction applications controlling the terminal. The admission came during a Jan. 12 interview on CNBC with Target CEO Gregg Steinhafel, who defended the company’s decision to wait four days after discovering the breach to warn customers that it had happened and that they might be vulnerable to fraud or identity theft.
Target discovered malware on its POS terminals almost immediately, and eliminated it before 6 P.M. Dec. 15, the day it discovered it had been hacked.
Target focused on forensic investigation Dec. 16, spent Dec. 17 preparing stores and call centers to respond to questions from customers, before beginning to notify customers Dec. 18, Steinhafel told CNBC.
Visa issued alerts in April and again in August, (PDF) warning retailers that it had seen increases in the use of memory-parsing malware that runs either on Windows-based POS hardware or the Back-of-the-House (BoH) servers to “extract full magnetic stripe data in random access memory,” according to the August warning.
The alerts included a warning that the malware often hides by altering or deleting security event logs, and recommended retailers relocate and protect those records, update their malware-signature files more frequently, and use hardware-based encryption on POS systems, as well as keep up with more routine security maintenance procedures such as regular anti-virus scans. Also essential: making sure that secure applications aren’t configured to run in debugging modes, which may increase stability but cause them to save card data in clear text longer than under ordinary circumstances.
A number of retailers were hit with RAM-scraping malware in 2012 and 2013, including the Schnucks Markets grocery chain and Barnes and Noble bookstores, according to SecurityWeek, which has posted a number of stories about malware targeting POS systems and ATMs.
RAM-scraping malware, which can be installed and then controlled remotely by the attackers, is safer and easier than installing skimmers or other hardware that would require attackers actually visit stores they target, according to a March SecurityWeek story. Targeting POS systems is also more efficient than infecting consumer PCs because there are so many fewer of them and the payoff – a continuous stream of card numbers and PINS – lets hackers steal only the most valuable data, rather than having to sift through family photos, spreadsheets from work, and other comparatively low-value data.
A Jan. 2 alert from the U.S. Computer Emergency Response Team (US-CERT) warned that attackers had realized many Windows-based POS systems are connected to the Internet, email systems or other external networks as well as to the BOH servers that control them. Those multiple network connections expose POS systems to the same risk of malware or virus attack as other network-connected devices that can be infected by malicious attachments in email or covert malware downloads from poisoned web sites. POS systems that use either weak log-in credentials or inadequate security are also vulnerable to direct Remote Desktop attacks through either wired or wireless networks within the stores.
Image: Shutterstock.com/Maksim Kabakou