Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Target Confirms Point-of-Sale Malware Was Used in Attack

According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country.

According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country.

Steinfhafel told CNBC’s Becky Quick in an interview that malware was used in attacks that compromised the company’s point of sale registers.

Related Reading: How Cybercriminals Attacked Target

“While Steinfhafel said the full extent of what transpired is not yet known, what Target does know is that malware was installed on the company’ point of sale registers,” Quick wrote Sunday evening. 

Point of Sale Malware Used Against Target, Installed on Registers

“Sunday (Dec. 15) was really day one. That was the day we confirmed we had an issue and so our number one priority was … making our environment safe and secure. By six o’clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk,” Steinhafel told CNBC.

Steinhafel’s comments to CNBC appear to be more of a public relations account of the timeline rather than words coming from Target’s security team, which is not surprising. Depending on how many systems were compromised, remediating the malware infections across many systems in many locations across the country would likely be a significant undertaking.

“Day two was really about initiating the investigation work and the forensic work … that has been ongoing,” Steinhafel continued. “Day three was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and day four was about notification.”

On Friday, high-end department store Neiman Marcus also said that customer credit and debit card information was compromised as a result of a recent cyber attack during a similar time frame to the attack on Target. 

According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season.

“Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target,” Reuters reported, citing sources familiar with the attacks. “Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.”

According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims.

Visa issued alerts about attacks utilizing these types of malware in April 2013 (PDF) and again in August 2013 (PDF).

After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the through the payment process.

Memory parser malware targets payment card data being processed “in the clear” (unencrypted) in a system’s random access memory (RAM).

“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.

“These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it.”

Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable. According to Visa, these types memory parser malware attacks have been found only targeting Windows-based operating systems.

In March 2013, new malware was found targeting point-of-sale systems and ATMs that was behind the theft of payment card information from several US banks. Called “Dump Memory Grabber, the malware scans the memory of point-of-sale systems and ATMs looking for credit card data.

In April 2013, just days after Visa issued a warning of POS malware attacks, Schnucks Markets, a 100-store grocery chain across the Midwest, said that roughly 2.4 million payment cards used at 79 of its 100 stores were compromised as a result of a previously disclosed cyber attack.

In October 2012, Barnes and Noble said it suffered a data breach resulting in the loss of customer credit card data stemming from compromised point of sale terminals.

In May 2011, craft chain Michaels Stores reported that 90 PIN pads across some of its 995 stores nationwide had been compromised.

“As compliance with the PCI DSS expands, POS systems are increasingly eliminating the practice of storing prohibited data to system disks, thereby preventing attackers from readily obtaining stored data,” Visa explained. “The use of memory parser malware that parses data from volatile memory suggests attackers have successfully adapted their techniques to obtain payment data not written to POS system disks. This method of data extraction is of particular concern, since unencrypted data is commonly written to volatile memory during the transaction process.”

Attackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection, Visa said.

Early this month, US-CERT issued a warning to retailers about malware targeting point-of-sale systems. 

Becky Quick’s full interview with Target CEO Gregg Steinhafel is expected to air Monday (Jan. 13) at 6am ET on CNBC.

AnalysisHow Cybercriminals Attacked Target

Related: Experts Debate How Hackers Stole 40 Million Card Numbers from Target

Related: Exclusive: New Malware Targeting POS Systems, ATMs Hits Major US Banks

RelatedBoston Liquor Store Hit With Point-of-Sale Malware

Related: vSkimmer Botnet Targeting Payment Card Terminals Connected to Windows

Related: Point-of-Sale Hacker Gets Seven Years In Prison

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...