While Target still hasn't said how it was hacked, details about what's thought to be the malware found on the retailer's point-of-sale (POS) systems have surfaced.
Following last week's admission by Target CEO Gregg Steinhafel that the company removed malware from its POS machines, independent security journalist Brian Krebs has uncovered what may be the sample responsible for the December attack that affected upwards of 70 million Target customers.
According to the report by Krebs, a copy of the malware was uploaded to Symantec's malware scanning service ThreatExpert.com on 18 December, three days after Target was alerted to the breach. Some details of the ThreatExpert report (now removed) also match a separate Symantec report published on the same day, pointing to POS malware that Symantec called Reedum, a trojan that searches for credit card data on a compromised computer and sends that data to a local IP.
As Reuters reported earlier this week, the malware is suspected to be a RAM scraper and thought to have been used in a number of smaller breaches in the US that have not been disclosed by affected retailers. The malware seeks out Track 1 and Track 2 data stored on the magnetic strip of a card, which together contain the cardholder's name, account number, credit card number and expiry date.
The Krebs report also says that the sample is nearly identical to POS malware called BlackPOS that's freely available on the malware black market.
(Update) Target declined to comment when asked by ZDNet whether the malware reported by Symantec was the same one that it removed from its POS systems.
According to Andrey Komarov, CEO of US security startup IntelCrawler, a company that's been investigating POS malware infections in the US, BlackPOS is not the malware that was used against Target.
That said, the malware now known as Reedum is similar to BlackPOS, as are other variants of memory-scraping POS malware that have been doing the rounds at retailers in the US over the past year, such as Alina, Stardust and Dexter.
"All of them work with Windows-based back-offices and have typical methods of RAM scraping," said Komarov.
According to Komarov, a number of POS attacks in the US over the past year have been conducted by different hacking groups — often teens — who would gain access to targeted retailers with computers running RDP (remote desktop protocol) servers and brute-force their passwords.
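The access pattern Komarov describes, repeated password guessing against an exposed RDP server followed by a working logon, leaves a trail in the Windows Security log. As an added example (not from the article or IntelCrawler), this Python detector flags it over constructed sample events; the dictionary field names, the 10-minute window and the threshold of 5 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624        # Windows Security event IDs: failed / successful logon
REMOTE_LOGON_TYPES = {3, 10}        # 10 = RemoteInteractive (RDP); 3 appears when NLA is enabled
WINDOW = timedelta(minutes=10)      # assumed tuning value, not from the article
THRESHOLD = 5                       # assumed tuning value, not from the article

def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"max_failures", "accounts", "success_after"}} for every source
    that reaches `threshold` failed remote logons inside a sliding `window`."""
    recent = defaultdict(deque)     # ip -> (time, user) of failures still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue                # console or service logons are out of scope
        ip, ts = ev["ip"], ev["time"]
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()             # expire failures older than the window
        if ev["event_id"] == FAILED:
            q.append((ts, ev["user"]))
            if len(q) >= threshold:
                a = alerts.setdefault(
                    ip, {"max_failures": 0, "accounts": set(), "success_after": []})
                a["max_failures"] = max(a["max_failures"], len(q))
                a["accounts"].update(user for _, user in q)
        elif ev["event_id"] == SUCCESS and ip in alerts and q:
            # A logon that succeeds right after a burst is the event to triage first.
            alerts[ip]["success_after"].append(ev["user"])
    return alerts

def _ev(t, event_id, ip, user, logon_type=10):
    return {"time": datetime.fromisoformat(t), "event_id": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}

# Constructed sample events (documentation IP ranges, invented account names).
SAMPLE_EVENTS = (
    [_ev(f"2014-01-10T02:00:{s:02d}", FAILED, "203.0.113.50", u, 3) for s, u in
     enumerate(["admin", "administrator", "pos", "backoffice", "admin", "manager"])]
    + [_ev("2014-01-10T02:01:30", SUCCESS, "203.0.113.50", "manager"),
       _ev("2014-01-10T09:00:00", FAILED, "198.51.100.7", "jsmith"),   # one mistyped password
       _ev("2014-01-10T09:00:20", SUCCESS, "198.51.100.7", "jsmith"),
       _ev("2014-01-10T09:05:00", FAILED, "203.0.113.50", "admin", 2)]  # local logon, ignored
)

if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, a["max_failures"], sorted(a["accounts"]), a["success_after"])
```

A non-empty `success_after` list means a guessed password worked, so that account and host warrant immediate credential reset and review.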
The bad news for credit card shoppers in the US is that there appears to be more to come, as hackers realise they can sell massive amounts of stolen credit card details for $80 to $100 a pop, according to Komarov.
The most recent of these is a new POS malware, which debuted on 3 January and is called 'Decebal'. According to IntelCrawler, this malware is likely being operated by Romanian hackers.