A highly regarded cybersecurity firm said Monday that Target Corp.’s monster security breach was anything but sophisticated or exotic.
Countering assertions by Target and the U.S. Secret Service that the hackers were highly technical, security firm McAfee Inc. said they used easily modified off-the-shelf malware and common methods to hide it.
The report said the thieves left card information unencrypted as it was transmitted out, which should have made the breach visible. “It’s all just there in black and white,” said Jim Walter, manager of McAfee’s Threat Intelligence Service. “As an attack, it is extremely unimpressive and unremarkable.”
In a quarterly threats report, McAfee points the finger directly at the nation’s No. 2 discount retailer for a major security miss. The characterization contrasts with other depictions of the attack as highly sophisticated and renews questions about why Target’s IT security team did not catch it and had to be informed by federal agencies that there was a breach.
Target declined to comment specifically on the report.
“While the investigation into this highly sophisticated crime is continuing, we remain committed to understanding the facts and making improvements,” Target spokeswoman Molly Snyder said.
Walter, chief author of the Target section of the McAfee report, emphasized that he is “not passing any sort of judgment” on Target and couldn’t discuss compliance issues.
Thieves acquired personal or payment information for as many as 110 million Target shoppers after gaining access to the retailer’s computer systems using network credentials stolen from a heating and refrigeration vendor. The attack remains the subject of multiple investigations.
Target’s chief information officer Beth Jacob resigned last week amid an overhaul of the company’s information security operations.
If investigators conclude Target wasn’t complying with industry standards for payment card security, the company will be subject to fines. The company could also be vulnerable to legal claims that it was negligent in its handling of the information.
McAfee is a Santa Clara, Calif.-based cybersecurity firm that is now part of Intel Corp. It is not part of the official Target investigations. According to the report, it gained an understanding of the exact malware used at Target “in cooperation with various agencies.”
In early February Target CFO John Mulligan testified in a Senate committee hearing that the company has invested “hundreds of millions of dollars” in a range of technology security such as segmentation, malware detection, intruder detection and multiple layers of firewalls.
“We have ongoing assessments and third parties coming in doing penetration testing of our systems, benchmarking us against others, assessing if we are in compliance with our own processes and control standards,” Mulligan told the committee.
McAfee’s report, however, paints a picture of a run-of-the-mill, Breach 101 attack.
The malware may have been customized for Target’s systems, but it was “far from ‘advanced,’” it said: “The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”
Thieves not sophisticated
The methods the thugs used to hide the malware on Target’s system were nothing new either, it said, calling it “standard practice” for criminals to evade the anti-malware and controls companies use for protection.
The report said the thieves encrypted neither the instructions on where to send the stolen card data nor the card information itself as it was being transmitted out of Target to a remote server, a data stream that should have been detected and caught.
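The unencrypted outbound card data the report describes is the kind of thing a basic egress check can flag. The following is an added example, not code from the McAfee report or from Target: a small Python scanner that looks for Luhn-valid card numbers in outbound payloads and raises a masked alert per destination. The traffic records and the destinations are constructed, and the card numbers are well-known public test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run (avoids timestamps, hashes, etc.).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every payment card number passes it, most random
    digit strings (order ids, dates, SKUs) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> List[str]:
    """Return the Luhn-valid card numbers found in one outbound payload."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_egress(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One alert per outbound record that carries cleartext card numbers."""
    alerts = []
    for rec in records:
        pans = find_pans(rec["payload"])
        if pans:
            alerts.append({"dst": rec["dst"], "count": len(pans),
                           "masked": [mask(p) for p in pans]})
    return alerts


# Constructed sample egress records (hypothetical hosts, public test PANs).
SAMPLE_EGRESS = [
    {"dst": "10.0.0.5:443", "payload": "GET /inventory?sku=1234567890123 HTTP/1.1"},
    {"dst": "203.0.113.7:80", "payload": ";4111111111111111=25121010000?;5555 5555 5555 4444=2607?"},
    {"dst": "10.0.0.9:445", "payload": "order 2024031200001 shipped"},
]
```

Run on the sample, only the second record alerts: two card numbers bound for the same external host, which is the signal the report says was sitting in cleartext on the wire.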
Walter said in an interview that the thieves hid the malware on Target’s systems with variations of UPX and Armadillo, very common “packers” that created something like a wrapper around the malware.
The report names retailers that suffered point-of-sale attacks in 2013, including Neiman Marcus, Michaels Stores, hotel manager White Lodging Services Corp., Harbor Freight Tools, Easton-Bell Sports and sandwich chain ’Wichcraft.
“Probably the biggest issue in this attack is that they lacked the situational awareness to identify anomalous occurrence in their environment,” Walter said.