Security Experts:

Target Confirms Point-of-Sale Malware Was Used in Attack

According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country.

Steinfhafel told CNBC’s Becky Quick in an interview that malware was used in attacks that compromised the company’s point of sale registers.

Related Reading: How Cybercriminals Attacked Target

“While Steinfhafel said the full extent of what transpired is not yet known, what Target does know is that malware was installed on the company' point of sale registers,” Quick wrote Sunday evening. 

Point of Sale Malware Used Against Target, Installed on Registers

"Sunday (Dec. 15) was really day one. That was the day we confirmed we had an issue and so our number one priority was ... making our environment safe and secure. By six o'clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk," Steinhafel told CNBC.

Steinhafel's comments to CNBC appear to be more of a public relations account of the timeline rather than words coming from Target's security team, which is not surprising. Depending on how many systems were compromised, remediating the malware infections across many systems in many locations across the country would likely be a significant undertaking.

"Day two was really about initiating the investigation work and the forensic work ... that has been ongoing," Steinhafel continued. "Day three was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and day four was about notification."

On Friday, high-end department store Neiman Marcus also said that customer credit and debit card information was compromised as a result of a recent cyber attack during a similar time frame to the attack on Target. 

According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season.

"Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year."

According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims.

Visa issued alerts about attacks utilizing these types of malware in April 2013 (PDF) and again in August 2013 (PDF).

After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the through the payment process.

Memory parser malware targets payment card data being processed “in the clear” (unencrypted) in a system’s random access memory (RAM).

“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.

“These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it.”

Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types memory parser malware attacks have been found only targeting Windows-based operating systems.

In March 2013, new malware was found targeting point-of-sale systems and ATMs that was behind the theft of payment card information from several US banks. Called "Dump Memory Grabber", the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.

In April 2013, just days after Visa issued a warning of POS malware attacks, Schnucks Markets, a 100-store grocery chain across the Midwest, said that roughly 2.4 million payment cards used at 79 of its 100 stores were compromised as a result of a previously disclosed cyber attack.

In October 2012, Barnes and Noble said it suffered a data breach resulting in the loss of customer credit card data stemming from compromised point of sale terminals.

In May 2011, craft chain Michaels Stores reported that 90 PIN pads across some of its 995 stores nationwide had been compromised.

"As compliance with the PCI DSS expands, POS systems are increasingly eliminating the practice of storing prohibited data to system disks, thereby preventing attackers from readily obtaining stored data," Visa explained. "The use of memory parser malware that parses data from volatile memory suggests attackers have successfully adapted their techniques to obtain payment data not written to POS system disks. This method of data extraction is of particular concern, since unencrypted data is commonly written to volatile memory during the transaction process.”

Attackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection, Visa said.

Early this month, US-CERT issued a warning to retailers about malware targeting point-of-sale systems. 

Becky Quick's full interview with Target CEO Gregg Steinhafel is expected to air Monday (Jan. 13) at 6am ET on CNBC.

AnalysisHow Cybercriminals Attacked Target

Related: Experts Debate How Hackers Stole 40 Million Card Numbers from Target

Related: Exclusive: New Malware Targeting POS Systems, ATMs Hits Major US Banks

RelatedBoston Liquor Store Hit With Point-of-Sale Malware

Related: vSkimmer Botnet Targeting Payment Card Terminals Connected to Windows

Related: Point-of-Sale Hacker Gets Seven Years In Prison

Subscribe to the SecurityWeek Email Briefing
view counter
view counter