Target attackers may have struck others

Federal bulletin offers strategies to protect customer data.


Target offered customers a shopping discount and free credit monitoring after the data breach.

Photo: File photo by KYNDELL HARKNESS


The government put U.S. retailers on alert Thursday that the sophisticated data heist operation that struck Target Corp. has likely infected other companies with malicious software.

Federal authorities investigating the huge holiday security breach issued a confidential technical bulletin to merchants with detailed descriptions of the point-of-sale malware that hackers used to attack Target, seeking out other victims and offering strategies for retailers to protect themselves.

Tiffany Jones, a senior vice president with the security intelligence firm iSIGHT Partners in Dallas, said her firm worked on the report with the Department of Homeland Security, the Secret Service and the Financial Services Information Sharing and Analysis Center, an industry group.

“The use of malware to compromise point-of-sale systems is not new, but it’s the first time we’ve seen this kind of operation at this scale and sophistication overall,” Jones said in an interview. “It has the ability to potentially infect a large number of retailers.”

A separate report that iSIGHT sent its clients said that the firm, the Secret Service and the cybersecurity arm of the Department of Homeland Security began working together on the issue Dec. 18. That was the day that blogger Brian Krebs broke the story about Target’s data security breach.

The new malware variant, dubbed Trojan.POSRAM, extracts payment card details from point-of-sale systems and was derived from another type of malware known as BlackPOS, the report said. At the time the new malware was discovered, it hadn’t yet been detected by any antivirus defenses.

Authorities have dubbed the point-of-sale operation KAPTOXA.

Links to Russia

Jones said two reports went out, the confidential one to retailers and a second to iSIGHT clients, with similar information on the malware.

The iSIGHT report doesn’t mention Minneapolis-based Target by name but describes a new malware variant “associated with the KAPTOXA operation which is behind a large-scale point-of-sale” cybercrime.

The report did not identify any culprits, but said the use of malware to target point-of-sale systems is accelerating.

“Significantly, POS malware that includes memory scraping capabilities has been available in the Russian language underground for some time,” the report said. “While Eastern Europe has been the focal point for POS malware development and use, cybercriminals in Brazil have used the technique since at least 2009.”

The report confirms Krebs’ account of how the Target data breach occurred. It also confirmed Krebs’ assertion that the Target breach software “was derived from” the BlackPOS malware program, which has been linked to an underground of Russian-speaking hackers.

Krebs told the Star Tribune on Thursday that he thinks a hacker he profiled on his blog in December, a man he identified as a Ukrainian nicknamed Rescator, is key to the Target heist.

“It sure looks like he could be at the center of this,” Krebs said. “This would be an elaborate hoax if it were not connected to this guy.

“There’s a tremendous amount of malicious software involved here,” he added.

The scope of the 19-day data breach at Target that started on Black Friday has grown since Target first confirmed in December that information of 40 million accounts was stolen.

Last week the retailer divulged that the personal information of 70 million customers was also exposed during the breach, although it remains unclear how much overlap there is with the initial 40 million accounts that were compromised.
