Malware identified in Target POS data breach

on Feb 19, 14 • by Chris Bubinas

The cause of a recent data breach at retailer Target that exposed as many as 40 million customers' credit card information has been identified. Target CEO Gregg Steinhafel acknowledged in an interview with CNBC that the data theft was the result of malware, which security blogger Brian Krebs has identified as most likely a RAM scraping kit called Reedum. The incident, the most high-profile in a wave of point-of-sale attacks, offers an important software security reminder for developers working on POS and payment processing systems.

Reuters recently reported that the attack used a simple piece of RAM scraping software. The publication noted that other retailers, including Neiman Marcus and at least three smaller stores, had been hit with similar attacks during the same period.

According to KrebsOnSecurity, the malware was first identified by security experts on Dec. 18, three days after Target learned of the breach and the day the news of it broke. It is identified by Symantec as "Reedum," and it closely resembles another popular POS malware called BlackPOS, which is designed to bypass firewalls and record all data swiped from credit or debit cards. BlackPOS retails on the black market for $1,800 to $2,300 depending on the version. Reedum was designed to be undetectable, and, at the time it was installed in Target's environment, it was not in the database of any antivirus tool, a source close to the investigation said.

The Target attack was apparently carried out by hackers who breached a company Web server, used that access to load the Reedum malware onto store POS machines and created a control server on Target's internal network to gather all the data collected, the source told KrebsOnSecurity.

"The bad guys were logging in remotely to that [control server], and apparently had persistent access to it," the source explained. "They basically had to keep going in and manually collecting the dumps."

Protecting POS systems

The Target POS devices in the U.S. are powered by proprietary, Windows-based software called Domain Center of Excellence, according to KrebsOnSecurity sources. That means that the attack on the company closely resembles other uses of memory-parsing POS malware that have occurred in recent years, Andrey Komarov, CEO of security startup IntelCrawler, told ZDNet. Programs like Alina, Stardust and Dexter all operate similarly to BlackPOS or Reedum.

"All of them work with Windows-based back offices and have typical methods of RAM scraping," Komarov explained.

The recent attacks have been carried out by a number of different groups – many of them teenagers – and show no sign of slowing down as the market for credit card data continues to flourish, Komarov said. For developers of POS systems, that means that more precautions may need to be taken to harden their tools against malware. Adopting static analysis software and code review techniques as part of a secure development lifecycle can help companies minimize the attack surface in sensitive applications and design more robust POS systems. With high-profile attacks on Target and other retailers, such precautions are essential.

Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.
