The government put U.S. retailers on alert Thursday that the sophisticated data heist operation that struck Target Corp. has likely infected other companies with malicious software.
Federal authorities investigating the huge holiday security breach issued a confidential technical bulletin to merchants with detailed descriptions of the point-of-sale malware that hackers used to attack Target, seeking out other victims and offering strategies for retailers to protect themselves.
Tiffany Jones, a senior vice president with the security intelligence firm iSIGHT Partners in Dallas, said her firm worked on the report with the Department of Homeland Security, the Secret Service and the Financial Services Information Sharing and Analysis Center, an industry group.
“The use of malware to compromise point-of-sale systems is not new, but it’s the first time we’ve seen this kind of operation at this scale and sophistication overall,” Jones said in an interview. “It has the ability to potentially infect a large number of retailers.”
A separate report that iSIGHT sent its clients said that the firm, the Secret Service and the cybersecurity arm of the Department of Homeland Security began working together on the issue Dec. 18. That was the day that blogger Brian Krebs broke the story on www.krebsonsecurity.com about Target’s data security breach.
The new malware variant, dubbed Trojan.POSRAM, extracts payment card details from point-of-sale systems and was derived from another type of malware known as BlackPOS, the report said. At the time the new malware was discovered, it hadn’t yet been detected by any antivirus defenses.
Authorities have dubbed the point-of-sale operation KAPTOXA.
Links to Russia
Jones said two reports went out, the confidential one to retailers and a second to iSIGHT clients, with similar information on the malware.
The iSIGHT report doesn’t mention Minneapolis-based Target by name but describes a new malware variant “associated with the KAPTOXA operation which is behind a large-scale point-of-sale’’ cybercrime.
The report did not identify any culprits, but said the use of malware to target point-of-sale systems is accelerating.
“Significantly, POS malware that includes memory scraping capabilities has been available in the Russian language underground for some time,” the report said. “While Eastern Europe has been the focal point for POS malware development and use, cybercriminals in Brazil have used the technique since at least 2009.”
The report confirms Krebs’ account of how the Target data breach occurred. It also confirmed Krebs’ assertion that the Target breach software “was derived from” the BlackPOS malware program, which has been linked to an underground of Russian-speaking hackers.
Krebs told the Star Tribune on Thursday that he thinks a hacker he profiled on his blog in December, a man he identified as a Ukrainian nicknamed Rescator, is key to the Target heist.
“It sure looks like he could be at the center of this,” Krebs said. “This would be an elaborate hoax if it were not connected to this guy.
“There’s a tremendous amount of malicious software involved here,” he added.
The scope of the 19-day data breach at Target that started on Black Friday has grown since Target first confirmed in December that information of 40 million accounts was stolen.
Last week the retailer divulged that the personal information of 70 million customers was also exposed during the breach, although it remains unclear how much overlap there is with the initial 40 million accounts that were compromised.
The crime is among the country’s largest known data breaches.
Quoting unnamed sources, Krebs wrote Thursday that the malware used to infect Target point-of-sale terminals resembles BlackPOS, a program that can be purchased online for $1,800 to $2,300. The malicious software is designed to remain invisible to most computer security software, wrote Krebs, a former Washington Post reporter who specializes in computer security issues.
Target server targeted
Krebs said that the hackers broke into Target through a Web server computer, planted the malicious software on the company’s point-of-sale terminals and set up a “control server” within Target’s internal network where the infected sale terminals could dump the stolen card information.
The thieves were able to regularly connect to the compromised Target computer server to remove the latest batches of stolen card information, Krebs wrote.
Krebs wrote that Group-IB, a Russian security firm, believes that the creator of BlackPOS, who goes by the online nickname Antikiller, is linked “to a set of young Russian and Ukrainian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hackivist collective known as Anonymous.”
The same software used to attack Target in November may have been used in previous bank hacking incidents, Krebs wrote. He quoted Group-IB as saying the victims included some major U.S. banks, including Chase, Capital One and Citibank.
Alarm over the security breach has grown as new details have emerged, and Target officials will discuss the infiltration of the company’s computers at a U.S. House hearing in the first week of February.
A subcommittee of the House Committee on Energy and Commerce will conduct the hearing. Government officials and other witnesses will also testify.