One piece of the puzzle in the Target data breach that has rocked the retail industry has finally been put into place: It appears that malware was the main culprit in the theft of millions of credit card numbers from the retailer’s point-of-sale systems.
In an interview with CNBC, Target CEO Gregg Steinhafel confessed that malware was somehow installed at the access points of its POS machines. He pointed out that Target responded quickly once it detected the malware, but by then it was too late to prevent the hackers from snatching up millions of credit card numbers.
“Sunday [Dec. 15] was really day one. That was the day we confirmed we had an issue, and so our No. 1 priority was ... making our environment safe and secure. By six o'clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk,” Steinhafel said to CNBC.
Brian Krebs, a security expert and blogger, pinned down a source close to the Target breach investigation, and what he reports is alarming.
The malware injected into Target’s registers was explicitly designed to bypass anti-malware software. But it wasn’t entirely unknown in IT security circles: the malware used in the Target attack appears to be related to a POS malware strain that Symantec identified in December as “Reedum.”
Based on his source and the investigations so far, Krebs believes the malware used in the Target attack is identical to a piece of malware called BlackPOS.
The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.
That source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.
According [to] the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.
Assuming the people behind the attack purchased BlackPOS and then deployed it on Target’s registers, spending a few thousand dollars for some malware code and netting 40 million credit card and PIN numbers in return is a steal.
Target hasn’t yet revealed how the hackers were able to break into its POS network, although Krebs’ source does say they got in via a compromised web server. But the details that continue to emerge from the case are certainly an eye-opener for every retailer out there.