 Post subject: "Target data breach part of broader organized attack"
PostPosted: Fri Jan 17, 2014 11:04 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
ZD Net wrote:

Target data breach part of broader organized attack

Summary: A confidential U.S. government report indicates that the Target data breaches were tied to a broader effort against retailers. New malicious software called KAPTOXA led the attacks.

Target is taking the financial and reputation hit for its customer data breach, but is reportedly part of a much broader cybercrime campaign that apparently runs through the former Soviet Union.

The Wall Street Journal, citing a confidential U.S. government report, reported that the hackers that went after Target spoke in Russian and the attacks were part of a broader effort. Target first reported that 40 million credit and debit card accounts had been compromised. In a follow-up, Target said that 70 million people may have had their personal data compromised.

Given the attacks landed in the peak holiday shopping season, Target took a financial hit and expects that it will face more costs.


The U.S. government report, written with the help of iSight Partners, outlined the following:

The attack may have ties to organized crime in the former Soviet Union.
Target's credit card readers had been on the black market since the Spring and were partly written in Russian.
Malware used in the attack couldn't be detected by antivirus software.

The U.S. Department of Homeland Security sent its findings to financial services and retail companies. In a blog post, iSight outlined the following but didn't release too much information.

iSight Partners, working with the U.S. Secret Service, has determined that a new piece of malicious software, KAPTOXA (Kar-Toe-Sha), has potentially infected a large number of retail information systems. A joint publication has been issued by the Department of Homeland Security, USSS, FS-ISAC and iSIGHT Partners.

Neiman Marcus is the only other retailer to note that its shopper data was compromised during the holiday.

If the iSight and Department of Homeland Security report is correct, other retailers are likely to come clean about attacks and compromised customer data. In other words, you can expect a lot more apologies like Target's.


_________________
Putty Cats are God's gift to the universe.


Last edited by Geff R. on Fri Jan 17, 2014 11:34 pm, edited 1 time in total.

 Post subject: "Target data breach part of broader organized attack"
PostPosted: Fri Jan 17, 2014 11:08 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
Sans wrote:
--Target Point-of-Sale (POS) Malware
(January 15 & 16, 2014)
More details are emerging about the malware used to steal data from
payment cards used at Target over an 18-day period late last year.
According to sources familiar with the ongoing investigation, the attack
used memory-scraping malware in Target's point-of-sale systems. The
malware "parses data stored briefly in the memory banks of specific POS
devices" and can capture magnetic stripe data. The attackers appear to
have used a central server in Target to store stolen data and then
transmitted the data to an external FTP server.
http://krebsonsecurity.com/2014/01/a-fi ... n-malware/
http://krebsonsecurity.com/2014/01/a-cl ... e-part-ii/

_________________
Putty Cats are God's gift to the universe.


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Fri Jan 17, 2014 11:32 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
And more................

ZD Net wrote:

Target's data breach: No, really. It gets even worse.

Summary: Target and Neiman Marcus were not the only name brand retailers to be stung by cyber criminals last holiday season.


There appears to be no end in sight for just how bad the unprecedented hack attack at Target was last holiday season.

And now it looks like Target was not the lone, er, target, in this particular sting.

We've already heard about a similar style attack on the point-of-sale hardware infrastructure at high-end department store chain Neiman Marcus.

Now Reuters is reporting that cyber intelligence firm IntelCrawler has unearthed evidence pointing toward at least six ongoing schemes at U.S. merchants with credit card processing systems plagued by the same type of malicious software.

The news agency's report did not specify the other retailers afflicted by the attack -- only that the infected systems were at stores with locations in California and New York.

IntelCrawler followed up with a related memo published to its site on Friday, detailing evidence pointing to who could turn out to be the author of the BlackPOS malware that successfully lifted personal data from the magnetic strips on the backs of credit cards belonging to more than 70 million Target shoppers between Thanksgiving and mid-December.

According to IntelCrawler's sources, the malware has been tested out and infected point-of-sale hardware across Australia and Canada as well as the United States.

The same dates the detailed information and reverse engineering report were shared with Visa and several major US banks, after which US LEA released internal notification for financial industry about that. The bad actor was pretty opened for trading this malware for 2 000 USD or by receiving 50% from selling of all intercepted credit cards by his customer through Liberty Reserve.

The full report and associated screenshots are available on IntelCrawler's website now, with the hypothesis that "the age of BlackPOS malware author is close to 17 years old and the first sample of it was created in March 2013."

_________________
Putty Cats are God's gift to the universe.


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Thu Jan 23, 2014 5:13 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
IMO, there needs to be a law that impacted companies are named immediately.

Sans wrote:

--Six Other Retailers Targeted by Data Thieves
(January 17, 2014)
Reports of additional retailers suffering data breaches suggest that the
attacks on Target and Neiman Marcus are part of a larger effort
involving at least half a dozen stores. The same malware appears to have
been used in all of the attacks. The other affected businesses have not
been named.
http://www.govinfosecurity.com/6-more-r ... hed-a-6407
http://news.cnet.com/8301-1009_3-576174 ... ets-worse/

http://www.computerworld.com/s/article/ ... onomyId=17


_________________
Putty Cats are God's gift to the universe.


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Thu Jan 23, 2014 5:14 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
Sans wrote:
--Two People Arrested; Carrying Fraudulent Payment Cards
(January 20, 2014)
Two people arrested in Texas were found to have 90 fraudulent payment
cards in their possession. The cards appear to have been fabricated
using information that was stolen in the Target data breach.

http://www.computerworld.com/s/article/ ... onomyId=17

http://www.seattlepi.com/news/texas/art ... 160888.php
http://www.latimes.com/business/la-fi-t ... z2r1DhIHVv
[Editor's Note (Murray): While Target will be pilloried for this breach,
the fundamental vulnerability, that of credit card numbers and PINs to
replay, is not their fault. This is an industry problem for which the
card brands and issuers, not the merchants, bear the major
responsibility. These compromises are the inevitable result of the
failure of the industry to implement a replay resistant technology
(e.g., EMV) on a timely basis.]

_________________
Putty Cats are God's gift to the universe.
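
The replay weakness that Murray's note in the post above describes, as an added example that is not part of the original post or the SANS newsletter. It is a simplified model: HMAC-SHA256 stands in for the card's cryptogram, which is not how EMV computes it, and the class names, PAN and expiry are constructed.

```python
import hashlib
import hmac
import os

PAN, EXPIRY = "TEST-PAN-0001", "12/30"  # constructed values, not real card data


def _mac(key, pan, counter, amount, nonce):
    """Per-transaction cryptogram over everything that must not be reusable."""
    msg = f"{pan}|{counter}|{amount}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self):
        self.records = {}       # pan -> (expiry, per-card secret key)
        self.last_counter = {}  # pan -> highest transaction counter accepted

    def enroll(self, pan, expiry):
        key = os.urandom(32)
        self.records[pan] = (expiry, key)
        self.last_counter[pan] = 0
        return key  # personalised into the chip, never sent in a transaction

    def authorize_static(self, pan, expiry):
        # Stripe-style check: the same bytes are valid for every purchase.
        return pan in self.records and self.records[pan][0] == expiry

    def authorize_dynamic(self, pan, amount, nonce, counter, cryptogram):
        if pan not in self.records or counter <= self.last_counter[pan]:
            return False  # unknown card, or a counter that was already used
        expected = _mac(self.records[pan][1], pan, counter, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount, nonce or counter changed after signing
        self.last_counter[pan] = counter
        return True


class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def sign(self, amount, nonce):
        self.counter += 1
        return self.counter, _mac(self._key, self.pan, self.counter, amount, nonce)


def replay_demo():
    issuer = Issuer()
    card = ChipCard(PAN, issuer.enroll(PAN, EXPIRY))
    nonce = os.urandom(8)  # terminal's unpredictable number
    counter, cryptogram = card.sign(1999, nonce)
    return {
        # Captured stripe data is all the issuer checks, so it works again.
        "static_first": issuer.authorize_static(PAN, EXPIRY),
        "static_replay": issuer.authorize_static(PAN, EXPIRY),
        # A captured cryptogram is bound to one counter, amount and nonce.
        "dynamic_first": issuer.authorize_dynamic(PAN, 1999, nonce, counter, cryptogram),
        "dynamic_replay": issuer.authorize_dynamic(PAN, 1999, nonce, counter, cryptogram),
        "dynamic_altered": issuer.authorize_dynamic(PAN, 99999, nonce, counter + 1, cryptogram),
    }


if __name__ == "__main__":
    print(replay_demo())
```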


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Fri Jan 24, 2014 11:04 am

Joined: 20 Sep 2006
Posts: 3671
At the end of the day, this is really just a problem for the retailer and the credit card companies, isn't it? I've always assumed that my company is obligated to remove unauthorized charges from my account once detected and reported. Now, if you use a debit card and they empty your bank account, I appreciate that is a different issue, which is another reason I prefer to avoid using debit cards.


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Fri Jan 24, 2014 4:11 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
As long as you're not using a debit card, you're largely correct. However, this appears to be total id theft (not just card #'s), which means they can order services in your name (cell phones, plane tickets, Google ad clickthrough payments, etc.), & having been through this, you would likely win, but it's time consuming.

_________________
Putty Cats are God's gift to the universe.


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Fri Jan 24, 2014 4:57 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
We've now got an admission that it goes back AT LEAST to July 2013. I'm quite certain that there will be more to come.

Sans wrote:

--More Details on Neiman Marcus Data Breach
(January 23, 2014)
In a statement on its website, retailer Neiman Marcus says that a
recently acknowledged data breach of point-of-sale systems at stores
affected 1.1 million payment card accounts. The data were stolen between
July 16 and October 30, 2013. Although the FAQ portion of Neiman
Marcus's breach notice says that the company has "no knowledge of any
connection to" the Target breach, the same malware appears to have been
used in both breaches.
http://www.zdnet.com/neiman-marcus-1-1- ... 000025513/
http://www.nytimes.com/2014/01/24/busin ... cards.html

http://www.neimanmarcus.com/NM/Security ... yInfo_0114
[Editor's Note (Murray): Both Target and N-M continue to use the term
"point-of-sale" in their PR even as such little other information as
they have disclosed makes it unlikely that the Windows based malware
could possibly have run at the point-of-sale. While it is possible that
they even think of these servers as part of their point-of-sale system,
use of this term is at best confusing, in some cases obviously
misleading. The likely point of compromise is credentials of privileged
users of payment system servers. The methods of attack are those well
documented by the Verizon Data Breach Incident Report. The appropriate
responses include Strong Authentication for privileged users and
two-step or two-person controls for any change to software on these
systems.
(Paller): Actually it appears the attack did exploit Windows-based point
of sale systems, though the original entry point was likely separate
(wireless or SQL injection are possibilities). The solutions Bill
Murray points out are useful as an interim fix, but a much better fix
is to move to chip and pin credit cards as Europe has done. Sadly, the
credit card companies earn profits on fraudulent transactions - only the
retailers lose money. Unless the retailers stand up, as one, to demand
chip and pin, the credit card companies probably won't make the needed
investment.]

_________________
Putty Cats are God's gift to the universe.


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Tue Mar 04, 2014 4:39 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
Sans wrote:
Sears joins Neiman Marcus and Target in the public breach spotlight.
More retailers will be joining their club soon.


--Secret Service and Sears Investigating Possible Breach of Corporate Network
(February 28 & March 1, 2014)
Despite reports that the US Secret Service is investigating a possible
attack on the network of Sears Holding Corp., the company says it has
found no indication of a breach of its systems. Sears is "actively
reviewing [its] systems to determine if [it has] been a victim of a
breach." It is possible that the suspicion of a breach was raised by a
false alarm in banks' anti-fraud systems. Common Point of Purchase
analysis conducted in the wake of another breach could fail to account
for overlapping purchase patterns and set off a false alarm.
http://www.theregister.co.uk/2014/03/01 ... stigation/

http://arstechnica.com/security/2014/02 ... -of-sears/
http://krebsonsecurity.com/2014/02/brea ... defensive/
[Editor's Note (Pescatore): Haven't seen much mention of the Secret
Service in breach investigations in a while. It would be good to see the
US government go back to focusing on cyber-attacks as crime vs. a threat
to national defense.]


Sans wrote:
--Sands Casino Says Breach Did Compromise Some Customer and Employee Data
(February 28, 2014)
The Las Vegas Sands Casino now says that attackers who breached company
websites in February did compromise customer and employee data,
including Social Security numbers (SSNs) and driver's license numbers.
Initially, the casino said that customer data were unaffected. The
breach affected customers at the casino's Bethlehem, Pennsylvania
location. The Sands is trying to determine if other locations were
affected as well. The breach affects less than one percent of the
Pennsylvania casino's customers since its 2009 opening, but a number was
not provided. The intruders also accessed a mailing database.

http://www.scmagazine.com//las-vegas-sa ... le/336569/

http://www.nbcnews.com/tech/security/sa ... len-n41601


Sans wrote:
--Illinois Bank Urges People to Stop Using Credit Cards in Cabs in Chicago
(March 3 & 4, 2014)
First American Bank in Illinois is urging cab riders in Chicago to avoid
paying with credit or debit cards, warning of an ongoing data breach
that seems to be connected with card processing systems used by a large
number of taxis in Chicago. First American became aware of the situation
in early February when several customers complained about fraudulent
charges on their accounts. The commonality among the cards was having
been used in Chicago taxis. The bank has begun cancelling the cards of
customers who charge taxi fare and issuing them new ones. The bank has
reported the issue to MasterCard.
http://krebsonsecurity.com/2014/03/illi ... ago-taxis/

http://www.scmagazine.com/bank-reports- ... le/336550/

http://arstechnica.com/security/2014/03 ... customers/
http://www.theregister.co.uk/2014/03/04 ... cash_only/
[Editor's Comment (Murray): The retail payment system, based upon
mag-stripes and credit card numbers, is fundamentally broken. Warning
people not to use it in specified places is the same as saying it is not
safe to use. While issuers push the cost of fraud onto the merchants,
the cost is systemic; we are all paying it. Only the card issuers can
fix it.
(Northcutt): In the US the customer is largely protected if the 16 digit
Primary Account Number (PAN) is compromised. However, when my card gets
exposed because some retailer failed to protect my PAN, I may not lose
money, but I lose time. I have to fix it with my auto insurance, my
water utility, Amazon and who knows how many other providers. I have
been through this three times in the past two years. The best solution
would be multi-factor authentication. If you have followed the last few
issues of NewsBites you can probably guess I am doing research to update
my course on multi factor. I envision a USB key with an embedded chip
that keeps my PAN from being intercepted by a keystroke logger, or a Man
in the Middle attack from my browser and EVEN from my hapless retail
vendor. Instead, it would go directly to the payment gateway and my
vendor would receive a "transaction approved" record. I know about the
iron key solution, if you know about others I would love to hear from
you, (stephen@sans.edu). I know about chip and pin: it is part of the
solution. I think we need to employ it in the U.S. to catch up with the
rest of the world, but it is not THE complete solution:
http://creditcardforum.com/blog/chip-an ... cards-usa/
http://www.sans.org/course/security-lea ... ompression ]

_________________
Putty Cats are God's gift to the universe.
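
How Common Point of Purchase analysis can raise the false alarm described in the Sears item above, and one way to account for overlapping purchase patterns, as an added example that is not part of the original post or the SANS newsletter. The merchant names, card ids, purchase data, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: card id -> merchants where it was used in the look-back window.
# retailer_a and retailer_b share much of the same customer base.
PURCHASES = {
    "c1": {"retailer_a", "retailer_b", "grocer"},
    "c2": {"retailer_a", "retailer_b"},
    "c3": {"retailer_a", "retailer_b", "cafe"},
    "c4": {"retailer_a", "grocer"},
    "c5": {"retailer_a", "retailer_b"},
    "c6": {"retailer_b", "grocer"},
    "c7": {"retailer_b", "cafe"},
    "c8": {"grocer", "cafe"},
    "c9": {"retailer_b"},
    "c10": {"retailer_a", "retailer_b", "cafe"},
}
# Cards with reported fraud after a breach at retailer_a (constructed).
FRAUD_AFTER_A = {"c1", "c2", "c3", "c4", "c5"}


def fraud_share(purchases, fraud_cards):
    """Naive CPP score: share of the fraud cards that were used at each merchant."""
    counts = defaultdict(int)
    for card in fraud_cards:
        for merchant in purchases[card]:
            counts[merchant] += 1
    return {m: n / len(fraud_cards) for m, n in counts.items()}


def naive_suspects(purchases, fraud_cards, threshold=0.6):
    """Flag every merchant where at least `threshold` of the fraud cards shopped."""
    scores = fraud_share(purchases, fraud_cards)
    return sorted(m for m, s in scores.items() if s >= threshold)


def adjusted_suspects(purchases, fraud_cards, known_breached,
                      threshold=0.6, min_cards=2):
    """Re-score after setting aside cards exposed at an already known breach.

    A merchant stays a suspect only if fraud concentrates among its customers
    who were NOT used at a known-breached merchant, so shared shoppers alone
    cannot implicate it.
    """
    unexposed = {c: ms for c, ms in purchases.items() if not (ms & known_breached)}
    residual_fraud = {c for c in fraud_cards if c in unexposed}
    if len(residual_fraud) < min_cards:
        return []  # all fraud is explained by the known breach
    return naive_suspects(unexposed, residual_fraud, threshold)


if __name__ == "__main__":
    # Naive scoring implicates retailer_b purely through customer overlap.
    print(naive_suspects(PURCHASES, FRAUD_AFTER_A))
    # With retailer_a's breach accounted for, retailer_b is cleared.
    print(adjusted_suspects(PURCHASES, FRAUD_AFTER_A, {"retailer_a"}))
    # If fraud also appears on cards never used at retailer_a, it is flagged.
    second_wave = FRAUD_AFTER_A | {"c6", "c7", "c9"}
    print(adjusted_suspects(PURCHASES, second_wave, {"retailer_a"}))
```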


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Mon May 05, 2014 10:05 am
I have no fear of this machine

Joined: 23 Sep 2007
Posts: 8297
Target CEO Gregg Steinhafel Resigns In Data Breach Fallout

Clare O'Connor, Forbes Staff
5/05/2014
http://www.forbes.com/sites/clareoconno ... h-fallout/



Target's CEO is the latest casualty of the widespread data breach that saw hackers steal personal data and credit card information from millions of customers.

On Monday, the Minneapolis-based retail chain announced that 35-year company veteran Gregg Steinhafel had stepped down effective immediately.

Target’s CFO John Mulligan will lead the $40 billion (market cap) discount giant until a replacement is named.

Target’s statement referred to Steinhafel’s handling of the disastrous data breach that unfolded in December, when it became apparent that as many as 40 million shoppers’ credit card details and 70 million customers’ personal data, like addresses and numbers, had been compromised:

“He held himself personally accountable and pledged that Target would emerge a better company,” said the statement. “We are grateful to him for his tireless leadership and will always consider him a member of the Target family.”

Steinhafel will remain on board in an advisory capacity.

Here’s the full statement:
Quote:
“Today we are announcing that, after extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target. Effective immediately, Gregg will step down from his positions as Chairman of the Target board of directors, president and CEO. John Mulligan, Target’s chief financial officer, has been appointed as interim president and chief executive officer. Roxanne S. Austin, a current member of Target’s board of directors, has been appointed as interim non-executive chair of the board. Both will serve in their roles until permanent replacements are named. We have asked Gregg Steinhafel to serve in an advisory capacity during this transition and he has graciously agreed.

The board is deeply grateful to Gregg for his significant contributions and outstanding service throughout his notable 35-year career with the company. We believe his passion for the team and relentless focus on the guest have established Target as a leader in the retail industry. Gregg has created a culture that fosters innovation and supports the development of new ideas. Under his leadership, the company has not only enhanced its ability to execute, but has broadened its strategic horizons. He also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target’s expansion into Canada, and successfully defending the company through a high-profile proxy battle.

Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family.

The board will continue to be actively engaged with the leadership team to drive Target’s future success and will manage the transition. In addition to the appointments of the exceptional leaders noted above, we have also retained Korn Ferry to advise the board on a comprehensive CEO search.

The board is confident in the future of this company and views this transition as an opportunity to drive Target’s business forward and accelerate the company’s transformation efforts.”


 Post subject: "Target data breach part of broader organized attack"
PostPosted: Mon May 05, 2014 1:13 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
If I buy the Sarah M cd, I will use cash!

Though I'm sure this is affecting all major retailers, just Target got caught by the FBI & had to admit to it.

Having credit card #'s stolen today is a fact of life no matter how careful one is. It's really only 2 issues:

1. The time us consumers have to spend talking to the bank.

2. If it's a debit card, you're truly out the money temporarily, usually for 2-4 weeks.

_________________
Putty Cats are God's gift to the universe.

