Thursday, January 16, 2014

Massive Target credit-card hack: More details emerge

Security expert Bruce Krebs has been scrutinizing the massive hack of the retailer Target, which compromised tens of millions of consumer credit cards.

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS [point-of-sale] software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps..."

...[Russian security firm] Group-IB [may have linked the attack] to a set of young Russian and Ukranian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hackivist collective known as Anonymous.

Rumors have been floating around the security community that the POS hardware had been compromised at the supplier before it had even reached Target.

Paul Ducklin at Sophos alluded to this type of attack a few days ago.

Back in 2009, for example, crooks in Australia ripped off McDonalds fast-food outlets that way.

They surreptitiously switched out Macca's official PoS devices for jury-rigged ones... A reverse swap-out some weeks later allowed the crooks to recover their Trojanised devices, and then to read off a month or more of payment card data and PIN codes from covert storage inside the hacked units.

But that sort of scam is hard to perpetrate on a national scale, especially at in-store sales points.

That's why I'm not sure I believe the "poisoned supply chain" proposition. It could happen, but it would seem easier to exploit the POS network from a central point. After all, you need a centralized collection area to gather the data from 40 million freaking credit cards.

That's where so-called RAM scraping malware comes into the picture.

RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the PoS register, albeit briefly.

This happens as the data is transferred from the PoS terminal to the PoS register.

Of course, PoS registers usually run some version of Windows, and are connected together on an enterprise-wide network.


So a RAM scraping botnet can be used to look out for credit-card-like data popping up in memory on an infected computer.

The bot then grabs the data before payment processing has even taken place, and squirrels it out

No law-abiding citizen can condone such a crime, but one can simply marvel at the creativity required to pull it off.


Hat tip: BadBlue Tech News

1 comment:

Unknown said...

If you have already been declined on your application the very first thing you must do is stop. Do not Have you heard of a bad credit history Home Depot Credit Card?