Likely candidate for Target breach malware found


Summary: The hunt for the malware that's affected nearly a third of the US is on - and it could have all been done by a few teenagers, according to security researchers.

TOPICS: Security, Malware

While Target still hasn't said how it was hacked, details about what's thought to be the malware found on the retailer's point-of-sale (POS) systems have surfaced.

Following last week's admission by Target CEO Gregg Steinhafel that the company removed malware from its POS machines, independent security journalist Brian Krebs has uncovered what may be the sample responsible for the December attack that affected upwards of 70 million Target customers.

According to the report by Krebs, a copy of the malware was uploaded to Symantec's malware scanning service on 18 December, three days after Target was alerted to the breach. Some details of the ThreatExpert report (now removed) also match a separate Symantec report published on the same day, pointing to POS malware that Symantec called Reedum, a trojan that searches for credit card data on a compromised computer and sends that data to a local IP.

As Reuters reported earlier this week, the malware is suspected to be a RAM scraper and thought to have been used in a number of smaller breaches in the US that have not been disclosed by affected retailers. The malware seeks out Track 1 and Track 2 data stored on the magnetic strip of a card, which together contain the cardholder's name, account number, credit card number and expiry date.

The Krebs report also says that the sample is nearly identical to POS malware called BlackPOS that's freely available on the malware black market.

(Update) Target declined to comment when asked by ZDNet whether the malware reported by Symantec was the same that it removed from its POS systems.

According to Andrey Komarov, CEO of US security startup IntelCrawler, a company that's been investigating POS malware infections in the US, BlackPOS is not the malware that was used against Target.

That said, the malware now known as Reedum is similar to BlackPOS, as are other variants of memory-scraping POS malware that have been doing the rounds at retailers in the US over the past year, such as Alina, Stardust and Dexter.

"All of them work with Windows-based back-offices and have typical methods of RAM scraping," said Komarov.

According to Komarov, a number of POS attacks in the US over the past year have been conducted by different hacking groups — often teens — who would gain access to targeted retailers with computers running RDP (remote desktop protocol) servers and brute-force their passwords.
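The RDP password guessing Komarov describes leaves a trail in the Windows Security log: bursts of failed logons (event 4625) from one source, sometimes followed by a success (event 4624). The detection sketch below is an added example, not part of the original article; the comma-separated record layout, addresses and account names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon (Windows Security log IDs).
SAMPLE = """\
2014-01-10T02:14:01,4625,10,203.0.113.7,administrator
2014-01-10T02:14:03,4625,10,203.0.113.7,admin
2014-01-10T02:14:05,4625,10,203.0.113.7,pos
2014-01-10T02:14:08,4625,10,203.0.113.7,backoffice
2014-01-10T02:14:11,4625,10,203.0.113.7,manager
2014-01-10T02:14:15,4625,10,203.0.113.7,manager
2014-01-10T02:14:19,4624,10,203.0.113.7,manager
2014-01-10T08:30:02,4625,10,198.51.100.20,jsmith
2014-01-10T08:30:20,4624,10,198.51.100.20,jsmith
2014-01-10T09:00:00,4625,2,-,jsmith
"""

# Logon type 10 is RemoteInteractive (RDP). Type 3 (network) is included
# because RDP with Network Level Authentication logs failures that way;
# it also covers other network logons, so expect some extra noise.
REMOTE_TYPES = {"3", "10"}

def parse(text):
    """Yield (time, event_id, source, account) for remote logon events."""
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, user = line.split(",")
        if logon_type in REMOTE_TYPES:
            yield datetime.fromisoformat(ts), event_id, src, user

def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with `threshold` failures inside `window`, and note
    the first account that later logged in from the same source."""
    recent = defaultdict(list)   # source -> failure times still in window
    findings = {}
    for ts, event_id, src, user in sorted(parse(text)):
        if event_id == "4625":
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold:
                findings.setdefault(src, {"source": src, "first_alert": ts,
                                          "logged_in_as": None})
        elif event_id == "4624" and src in findings:
            if findings[src]["logged_in_as"] is None:
                findings[src]["logged_in_as"] = user
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_bruteforce(SAMPLE):
        print(finding)
```

A finding whose `logged_in_as` is set is the one to escalate first, since it means a successful logon followed the burst of failures from the same source.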

The bad news for credit card shoppers in the US is that there appears to be more to come, as hackers realise they can sell massive amounts of stolen credit card details for $80 to $100 a pop, according to Komarov.

The most recent of these is a new POS malware, which debuted on 3 January and is called 'Decebal'. According to IntelCrawler, this malware is likely being operated by Romanian hackers.


Liam Tung

  • Seems to have been 100% totally preventable

    It's a Target IT failure even if it was an inside job it should have been detected and prevented. I bet Neiman Marcus will be similar.
  • So after all the people here jumping up and down about MS Servers

    it turns out it was a mag swipe scrape after all. I told you the back end servers were irrelevant. Attackers always go after the weak link in the chain, which was, as it usually is, the cards themselves.
    • Yes, it was a mag swipe scrape...

      but you seem to be overlooking how Reedum got into the environment in the first place.

      I'm not attacking MS or their servers, as nobody's talking yet about how it got introduced in this particular case, but the malware didn't get onto the POS terminals via a Jedi mind trick.
      • My experience in this industry is

        that hackers tend to swipe out the pin pad - requires no system hacking, for the most part. They will carry an identical device, distract the sales clerk, temporarily put the look alike device in place, take the vendor's out to their car, tamper with the device, distract the clerk again, and re-place the tampered device.

        This requires no l33t hack skills, just some components which black market types share easily.
        • But…

          They didn't put swipers on registers on 1800 stores around the USA simultaneously. They infiltrated the register servers and downloaded the software right to the registers.
          • Exactly...

            The sheer volume of this breach is a strong indication that this wasn't a manual, analog hack.
        • Target is not a gas station where your theory has been used...

          Target had over 1800 locations compromised, times perhaps 10-15 readers at each store, maybe more. They could not swap that many devices in a day even if the store was closed, nobody was watching, and the cameras were off.
    • Did you read the article?

      They are saying servers connected to the registers were infiltrated. Sure it wasn't MS server software. It was the human vector of weak passwords, remote access turned on, and possibly insecure connection (non-VPN) to the servers running RDP. Which all spells lax security protocols and negligence of the IT part of Target.
      • Agreed

        The good news (if there is any) is that retailers are now scrambling to close the holes they should never have left open. I would think that a good place to start would be an air gap around their whole POS and back end.
  • Poor Quality Credit Cards!!!

    Pure and simple, the current credit cards and debit cards used by almost all companies in America are not really secure, just easy to use. When we get the Euro style cards here, it should make those kind of events rare. Not hearing of those kind of goings on in Europe. There is little we can do as Users in a case like this. Maybe Cash is not such a bad alternative when purchasing things. I don't think that any of us should feel comfortable when using a credit or debit card in the next year or two. They should have thought this out years ago and implemented the most secure method of getting customer information. A 6 or 8 digit PIN code for both debit and credit cards seems to be a good start. With the ease of use of credit cards in this country, it is no wonder that the Target problem surfaced. Doing something to prevent that kind of thing again is the paramount job of credit card and debit card issuers.
    • On the right track ...

      but go one step further and hold the issuing financial institutions somewhat responsible for uncovering fraud. Software analytics can determine unusual card activity and stop fraud by not allowing transactions that don't pass the sniff test. If I use my card in Colorado in the morning and in the afternoon merchandise is being purchased from an IP address geolocated in Virginia with a shipping address to Washington, the transaction is automatically declined and an automated message and email go out to the card holder's phone number and email address of record. I know that this type of analytic resource is currently in use with some financial institutions, but it needs to be more prevalent.
      Oh, and take away all tax write offs for financial institutions for fraud related losses. They will be forced to take their security seriously and spend more resources on loss prevention. It's a Win-Win; more tax revenue for the politicians to waste and more jobs created in the IT security sector ....
      • Of course... that means the credit card company has to be tracking you...

        And knowing what, when, where, and how you bought it, and how much you spent.
        • You are already being tracked by the retailer or card issuer...

          You are already being tracked by the retailer or card issuer...not all are using the data, but it is there. I have been contacted by phone call or email more than once by a VISA or Master Card issuing bank when they detected fraud usage patterns. Two were valid since I was traveling, two were attempts to buy gas 2000 miles from my location. My cards were immediately re-issued by the bank or the pin changed, depending on the situation. One bank was CitiBank, I think the other was CapitalOne or Chase but I don't remember. You can also set $ limits through their websites to alert you of transactions or balances over $xxx.xx. I set mine at $300, which is more than I usually put on a card or a single transaction. The email will get me working on the possibility of fraud that I would not know about until I received my monthly statement cycle days or weeks later.
    • I Agree. It's all about "the cost", not security.

      Right now it would cost merchant and retailers X amount of dollars to convert to that type setup, and they don't want to spend it.

      Especially when they'll get paid under the current system, and the bank will get paid via their insurance.

      It's like the "Verified by Visa" where online purchases also need me to verify it with a password, not on the retailer's site, but at Visa. A hacker would need to hack both sites to steal info to let the card be used someplace else, if all sites used that technology.

      But of course it's all optional by the online retailers if they want to use it or not, as there are costs involved to set up and be able to comply with the requirements, so it'll never happen.
  • Widespread problem with relatively easy steps to prevent

    Last Spring, the Secret Service advised a client of mine that it had noted a breach of the client's POS system by a similar piece of malware. The Secret Service was involved because Romanian hackers had similarly infected thousands of systems. The POS system met all required security standards, but the company responsible for the upkeep of the system had a LogMeIn password compromised, making the system accessible.

    The malware was capable of hiding, lying dormant, and updating itself. It was undetectable by up-to-date virus and malware scans. When activated, it scraped the data between the POS and hard drive, which enabled it to evade the built-in protections. The only solution was to replace the hardware and software, etc. and program the router to allow transmissions only to one IP address (that of the credit card processor). Our conclusion was that only extremely strong passwords and the router protections would have worked to prevent it.

    The Secret Service asked us not to disclose what happened because it was still trying to catch the offenders. Seems like it has not succeeded almost a year later.

    Oddly enough, while some of the stories hint at the cause, none I have read to date encourage very strong passwords for RDA or locked down routers.
    • I question

      Why LogMeIn is being used to access a POS system in the first place?
  • Just Suppose . . .

    "it could have all been done by a few teenagers, according to security researchers."

    Who are these researchers? They wouldn't be NSA employees, would they?

    Something of this nature is a little more sophisticated than the average teenager hacker is likely to be involved in. The description of the attack vector makes it probable that the prime raison d'être was money; i.e. a criminal enterprise such as those we've seen emanating from Russia or China in the past decade or so. Though "criminal" also points towards the national security apparatus of the USA.

    And having captive news outfits push the "teenager" accusation is likely just disinformation.
  • Target's Malware

    All this talk of maybe finding Target's culprit malware was probably leaked to the net to falsely cover the tracks and hide the trail of the real malware.

    Give the malware tracking community a false trail to follow and move if it's true!