There are still more questions than answers about the Target data breach, but new insights are emerging that shine a light on the point-of-sale (POS) attack. According to Seculert, Dexter, a custom-made malware that’s been springing up over the last few months to infect POS systems, isn’t the culprit in the breach, which affected at least 70 million customers.
“First, the malware that infected Target’s checkout counters (POS) extracted credit numbers and sensitive personal details,” Seculert’s Aviv Raff wrote in a blog post. “Then, after staying undetected for six days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.”
Dexter, by contrast, runs on the Windows-based POS terminal itself: it injects into a running process and scrapes card track data from process memory as cards are swiped, then sends that data straight to its own command-and-control server over HTTP rather than staging it on an intermediate host inside the victim’s network.
According to Seculert, the malware in the Target breach began transmitting payloads of stolen data on Dec. 2 to an FTP server on what appears to be a hijacked Web site. These transmissions occurred several times a day over a two-week period. The cybercriminals behind the attack then used a virtual private server located in Russia to download the stolen data from that FTP server, the firm reports.
“They continued to download the data over two weeks for a total of 11 GB of stolen sensitive customer information,” Raff said. “While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.”
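The exfiltration pattern Seculert describes, one internal relay host pushing stolen data to an external FTP server several times a day over a two-week window, is exactly the kind of behaviour an egress firewall or flow log can surface, because a POS network has no business reason to talk FTP to the Internet at all. The script below is an added illustration written for this page, not code from the article, Seculert or Target; the log format, host names, IP addresses, byte counts and alert thresholds are all constructed for the example.

```python
"""Flag periodic outbound FTP transfers from a single internal host.

Constructed example for this article (not Seculert's analysis or Target's
logs): the log lines, host names and IP addresses below are made up. The
detector models the pattern described above - one internal machine acting
as a relay that pushes data to an external FTP server several times a day
over many days - and reports hosts whose outbound FTP activity matches it.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed firewall connection log, one line per completed flow:
# <timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
SAMPLE_LOG = """\
2013-12-02T03:10:11 10.20.1.15 203.0.113.50 21 524288000
2013-12-02T09:42:03 10.20.1.15 203.0.113.50 21 498073600
2013-12-02T15:05:40 10.20.1.15 203.0.113.50 21 471859200
2013-12-03T03:12:19 10.20.1.15 203.0.113.50 21 536870912
2013-12-03T10:01:55 10.20.1.15 203.0.113.50 21 455081984
2013-12-03T16:30:02 10.20.1.15 203.0.113.50 21 480247808
2013-12-04T03:08:47 10.20.1.15 203.0.113.50 21 512000000
2013-12-04T11:20:14 10.20.1.15 203.0.113.50 21 470000000
2013-12-02T12:00:00 10.20.7.8 198.51.100.9 21 20480
2013-12-03T08:15:00 10.20.3.3 10.20.9.200 21 104857600
2013-12-03T08:16:00 10.20.3.3 203.0.113.77 443 8192
"""

# RFC 1918 space stands in for "inside the store network" here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
FTP_PORTS = {20, 21}  # FTP data and control


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, port, bytes) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def find_ftp_relays(log_text, min_days=3, min_per_day=2, min_total_bytes=1 << 30):
    """Return {(src, dst): summary} for internal hosts that push data over FTP
    to an external address on at least `min_days` distinct days, with at least
    `min_per_day` sessions on each of those days, totalling `min_total_bytes`.
    Internal-to-internal FTP (a legitimate file server) is not counted, and a
    single small upload never trips the rule; the signal is the repetition."""
    sessions = defaultdict(lambda: defaultdict(int))  # (src, dst) -> day -> count
    volume = defaultdict(int)                          # (src, dst) -> bytes out
    for ts, src, dst, port, nbytes in parse_log(log_text):
        if port not in FTP_PORTS or not is_internal(src) or is_internal(dst):
            continue
        key = (src, dst)
        sessions[key][ts.date()] += 1
        volume[key] += nbytes

    hits = {}
    for key, per_day in sessions.items():
        busy_days = [d for d, n in per_day.items() if n >= min_per_day]
        if len(busy_days) >= min_days and volume[key] >= min_total_bytes:
            hits[key] = {"days": len(busy_days),
                         "sessions": sum(per_day.values()),
                         "bytes": volume[key]}
    return hits


if __name__ == "__main__":
    for (src, dst), s in find_ftp_relays(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['sessions']} FTP sessions over {s['days']} days, "
              f"{s['bytes'] / 2**30:.1f} GiB out")
```

Run against the constructed log, only the relay host (10.20.1.15) is reported; the one-off upload from 10.20.7.8 and the internal file-server traffic from 10.20.3.3 are ignored. The thresholds are deliberately loose because the point is to catch the cadence, not a particular volume; in a real deployment the stronger control is simply to deny outbound FTP from the POS segment and alert on any attempt.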
A Key Lesson Learned
We caught up with Dwayne Melancon, chief technology officer at Tripwire, to get his views on the latest revelations surrounding the Target breach. He told us that identifying the malware used and how data was exfiltrated in the Target attack is helpful, but that one of the key questions in this breach is how every point-of-sale device in every Target store in the U.S. was compromised.
“This fact seems to indicate that the compromise came from deep inside Target’s network and implies that the attackers had detailed knowledge of Target’s infrastructure, as well as their patching and software deployment practices,” Melancon said. “This knowledge would allow them to craft an attack designed to take advantage of specific blind spots in Target’s security infrastructure.”
As he sees it, this kind of insider knowledge could have come from someone currently at Target or, perhaps more likely, from a past employee or a trusted business partner. Predictability is, in itself, vulnerability, he said, so if attackers know what you're going to do before you do it, it is easy to craft an attack that takes advantage of your habits. (continued...)