Malware used in Target attack publicized
After US retailer Target confirmed that a malware infection on its Point of Sale (POS) terminals played a key role in the data breach affecting more than 110 million customers, security writer Brian Krebs published details on the malware used in the attack. The attackers managed to place an information-stealing Trojan, known as Infostealer.Reedum.B, on Target's POS terminals. This malware is capable of capturing data that is briefly stored in the memory of the POS device. The information it steals includes the card's magnetic swipe data, which can potentially allow attackers to print cloned copies of the cards.

Target has yet to publicly comment on how the attackers breached its security to install the malware on POS terminals. However, Krebs reported that sources close to the retailer said the attackers had compromised a company Web server and used that as their point of access. They then established a control server inside Target's network, which acted as a dump for the stolen information. The attackers logged in at regular intervals to download stolen data.

Symantec can confirm that the malware used in the attack on Target was Infostealer.Reedum.B and protection is in place for the threat. Reedum is just one of a number of pieces of malware that target Point of Sale terminals. Others include:

• Infostealer.Dexter: This Trojan steals system information from infected terminals. It targets login details, the computer name, the operating system, details on system uptime and running processes. It also attempts to collect personal information from system memory files.

• Infostealer.Alina: This Trojan disguises itself as commonly used applications, such as Adobe Flash, Java or the Windows Firewall. It collects information about the terminal it has infected, including the computer name, the path of the threat, the system volume and serial number and the version of the threat. It also enumerates running processes on the infected machine. All of this data is then transmitted to a remote location. This Trojan is also capable of downloading updates for itself when necessary.

• Infostealer.Vskim: Another Trojan designed to steal information from a compromised terminal, this threat disguises itself as svchost.exe, a standard Windows system process. It attempts to bypass the Windows Firewall by creating a registry entry to exempt it from scrutiny. The information it steals includes system locale, the computer name, the user name, the Windows version and information from the registry. This data is then sent to a remote location.
__________________
Art Zasadny 1974 Porsche 911 Targa "Helga" (Sold, back home in Germany) Learning the bass guitar Driving Ford company cars now... www.ford.com
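The write-up above says the Reedum family scrapes card track data while it sits unencrypted in POS memory. As an added example (not from the post, Symantec or Krebs), this Python runs the same kind of pattern search an incident responder applies to a memory dump to confirm whether track 1/track 2 records were exposed; the buffer is constructed and uses the well-known test PAN 4111111111111111, and the regexes are an assumed approximation of the ISO 7813 track layouts.

```python
"""Scan a memory snapshot for magnetic-stripe track records (added example).
Constructed sample buffer; uses the public test PAN 4111111111111111."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><svc>...?   Track 2: ;<PAN>=<YYMM><svc>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

def luhn_ok(pan: bytes) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode())):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first six and last four digits so a finding can be logged safely."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def scan_memory(buf: bytes) -> list:
    """Return (track, masked PAN, offset) for each Luhn-valid track record."""
    hits = []
    for name, pat in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pat.finditer(buf):
            if luhn_ok(m.group(1)):     # drop regex hits that are not real PANs
                hits.append((name, mask(m.group(1)), m.start()))
    return hits

# Constructed snapshot: process noise, a track 1 record, a track 2 record,
# and a track-2-shaped string whose PAN fails Luhn (must not be reported).
SAMPLE = (b"\x00\x00pos.exe\x00"
          + b"%B4111111111111111^DOE/JANE^25121010000000000?"
          + b"\x00" * 8
          + b";4111111111111111=25121010000000000?"
          + b"\x00;4111111111111112=2512101?")

if __name__ == "__main__":
    for track, pan, off in scan_memory(SAMPLE):
        print(f"{track} record at offset {off}: {pan}")
```

On a real dump, feed the file contents to `scan_memory` in chunks that overlap by at least one record length so a record straddling a chunk boundary is not missed.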
Did you get the memo?
Join Date: Mar 2003
Location: Wichita, KS
Posts: 32,694
What's scary is that we don't have to worry about those, antivirus systems will update to protect against known threats. It's the new ones that nobody has heard about that will cause the next issue.
__________________
'07 Mazda RX8-8 Past: 911T, 911SC, Carrera, 951s, 955, 996s, 987s, 986s, 997s, BMW 5x, C36, C63, XJR, S8, Maserati Coupe, GT500, etc
Registered
What is really scary is that Target uses a home-grown POS system that runs on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS). Although, they are not alone. These are widespread in the retail industry. It just becomes a matter of when they will be compromised, not if.
Sugar Scoops Rule :)
Yeah, scary, no doubt....
We really need to move away from magnetic strips on cards to the chip technology that is used in Europe. From what I've read, it's not foolproof either, but it is less susceptible to compromise. But it would cost the retail world a lot of $ to switch all of their systems.
__________________
Dave _______________________________________________ '76 911S Targa '62 VW Type 1 Sunroof '73 914 2.0 (1st Porsche, gone long ago but not forgotten)
Registered
I worked in IT infrastructure in a grocery store, with about 5% the revenue of Target. From the Internet to our web servers there was a firewall, then from there to the internal company network another firewall, then from our internal private network to the payment system network, another firewall. (This is a very simplified description.)
Simply compromising our public web server would not have allowed you to push software to the POS terminals. In addition to Cisco's ability to prevent and detect intrusion (which is far from perfect), all traffic passed through another system that monitored and blocked suspicious traffic (TippingPoint, if anybody is interested). With Target's money, I'm sure their security made ours look like child's play. I cannot for the life of me think how this could have been achieved, unless they had somebody on the inside. Even then it's hard to imagine. The most likely source I can think of would be the vendor that provided our POS terminals and their software, which would be hard to imagine. These people are obviously much more skilled than I am.
Registered
Join Date: Oct 2003
Location: Roseville, CA
Posts: 3,066
I wonder if Target handles their own security or if they contract out some.
__________________
1992 968 Polar Silver 2010 Toyota Highlander SE 2006 Lexus LS430 ML
Registered
Join Date: Jun 2003
Location: Calgary Alberta, CANADA
Posts: 2,113
Why the hell does Target need to keep the credit cards on file?
Until a company gets a REAL punishment, things like this will continue. Usually just a hand slap with tongue in cheek is given. Once again I'm pi$$ed at how my information is mishandled.
The Unsettler
They inserted themselves between the card reader and the first point of encryption. Whether Target stores card data or not never came into play. This was a very sophisticated attack. They know what it is and still don't know how to detect it; it's that good.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"
Registered
Join Date: Jun 2003
Location: Calgary Alberta, CANADA
Posts: 2,113
You got a point there, but it's because the reader is "integrated" into the POS machine, and that is only to facilitate the transaction by sending the operation, signals and acknowledgements to the reader. Nothing unusual for a retailer, but I want to say that I prefer the smaller shop approach in which the cashier types the amount on the card reader and hands it to the client to insert or swipe the card to complete the transaction. Regardless... always some chit that bad guys are infinitely smarter than the good guys. Places like Target will not invest to be offensive. Customers always get the short straw and the retailer a chuckle from the government.
__________________
We're all in the gutter, but some of us are looking at the stars. -Oscar Wilde Last edited by Oracle; 01-18-2014 at 10:16 PM.
Registered
We had used our card at Target during the at-risk shopping season. Our bank had a note online saying that they were aware of the various risks and were monitoring charges and we should/could as well. Nothing was amiss. Until last week.
While I was in the shower mid-morning after a mountainbike ride I missed a text. 20 min later I got a robo-call from my bank asking about a transaction. I was asked about a transaction and then sent to a service rep when it didn't ring true. SO...we get to spend a week without cards and set up all the automatic charges with Pelican etc. The charge - $170 at a Brazilian shoe store. I have had much worse. Although this theft and security weakness is a headache, I am glad that my bank (USAA) has my back.
__________________
75 911S Targa - Mine from 2001 until sold to Germany buyer 10/2016 <ALL DIY> Brakes/Wheels '01, Body/paint/restoration 7/04, Suspension 3/07 Engine rebuild - done 7/08 - added 28 tube cooler and SSIs - running strong. Ducktail painted. 2021 MachE, 2012 Outback, 2019 Crosstrek, 2018 Impreza wagon
Registered
Join Date: Dec 2007
Posts: 6,275
It's time to go back to using cash or writing checks.
The Unsettler
The card presents its data in the clear, it has to be read before it can be encrypted / protected. As long as the cards themselves offer no security someone will always find a way to intercept them.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"