Target data breach part of broader organized attack

Summary: A confidential U.S. government report indicates that the Target data breaches were tied to a broader effort against retailers. New malicious software called KAPTOXA led the attacks.

TOPICS: Security

Target is taking the financial and reputation hit for its customer data breach, but is reportedly part of a much broader cybercrime campaign that apparently runs through the former Soviet Union.

The Wall Street Journal, citing a confidential U.S. government report, reported that the hackers that went after Target spoke in Russian and the attacks were part of a broader effort. Target first reported that 40 million credit and debit card accounts had been compromised. In a follow-up, Target said that 70 million people may have had their personal data compromised.

Given the attacks landed in the peak holiday shopping season, Target took a financial hit and expects that it will face more costs.

The U.S. government report, written with the help of iSight Partners, outlined the following:

  • The attack may have ties to organized crime in the former Soviet Union.
  • The malware used against Target's credit card readers had been on the black market since the spring and was partly written in Russian.
  • Malware used in the attack couldn't be detected by antivirus software.

The U.S. Department of Homeland Security sent its findings to financial services and retail companies. In a blog post, iSight outlined the following but released little further detail:

iSight Partners, working with the U.S. Secret Service, has determined that a new piece of malicious software, KAPTOXA (Kar-Toe-Sha), has potentially infected a large number of retail information systems. A joint publication has been issued by the Department of Homeland Security, USSS, FS-ISAC and iSIGHT Partners.

Neiman Marcus is the only other retailer so far to disclose that its shopper data was compromised during the holiday season.

If the iSight and Department of Homeland Security report is correct, other retailers are likely to come clean about attacks and compromised customer data. In other words, you can expect a lot more apologies like Target's.

  • Simply

    make the penalty too severe to justify the gain. Start shooting them in the streets. See, simple.
    • even better

      I would really like to watch you going to Russia and shooting at mafia...
      • A New Reality

        A TV show could be made out of this sequence of events. timspublic1 may not like the eventual ending.
        David Wilson
    • how about holding m$ responsible

      for 30 years of virus-infested, NSA-backdoor-included, security-is-(not even)-an-afterthought software?
      • Rush out to your neighborhood lawyer and make it a class action suit

        Why just bellyache about it.
      • perfect storm

        Those who sow the seed of the wind may end up harvesting the perfect storm.
  • The Tip of the iceberg.

    Target is the harbinger of things to come with PayPal and others pimping mobile credit card and POS apps. I am starting to think I need to go back to checks and cash and leave the smart phone and cards in my pocket.
    • The Tip of the iceberg.

      I already did several years ago. How many ways do I have to say NOT SECURE! No debit cards... not federally covered for losses. No credit cards... tired of being ripped off by BOA Chase Wells Fargo.. etc. NO on line or electronic transactions are allowed. I called and asked electronic processing through TeleCheck be blocked which requires them to deposit a check. If not using TeleCheck and using some processor I cannot get in touch with to block ACH processing... I walk leaving goods on the counter. Only use a local non profit credit union for ALL financial activity.

  • CEO should have run his letter by IT first

    I am glad that I did not shop at Target. I would have been SO ANGRY if I were a customer receiving this patronizing letter. The advice to customers is presumptuous and basically garbage. Not only useless, but possibly dangerous to follow. I would be worried that Target's incompetence was going to further jeopardize me since the CEO obviously didn't check with IT first before sending this letter!

    "In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:"

    Well, DUH!

    #1 says "Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number."

    This one is so bad I don't even know where to begin. By definition, a phone call, email or text is always "sharing information". If someone calls me from a phone number I recognize, I recognize their voice, and asks me what I'm doing later that day I should ask for a call-back number?!

    If someone random calls me, says they're from Target, and asks for my credit card information does that mean I should ask them for a call-back number? Seriously? So if the phisher gives me the number they're calling from I should call them back and give them my information?!

    #2 says "Delete texts immediately from numbers or names you don't recognize"

    Seriously, what difference does it make if you delete it or not? None. Worthless "advice".

    #3 says "Be wary of emails that ask for money or send you to suspicious websites. Don't click links within emails you don't recognize."

    That's almost good advice. Better if he had said: NEVER put any information into a site you got to by clicking on an email. Not even usernames or passwords. Because the site might not look "suspicious" at all - it could be a phishing site with a spoofed URL. If you get some notice that looks like it is from your bank for example, you should open a web browser window and type their web address in the bar yourself.

    All in all, this letter sends me a clear message - that the "leadership" at Target did not learn their lesson from this data breach at all. The CEO clearly does not seek input from his IT department and this company is going to continue to make bad decisions until the leadership changes or is fired by the shareholders. He says he is truly sorry, but he is only sorry because of the public relations consequences. He seems to lack understanding of what he did wrong - and that is not valuing the advice of his IT department, developers, or other people who know about network security. Because, once again, his letter makes that apparent to me - that he did not have it vetted by people he considers to be his underlings. If I ever do shop at Target again, I will be sure to use CASH ONLY.
    • Advice should have come from legal and outside security experts, not IT

      Advice should have come from legal and outside security experts, not IT alone. This type of attack or intrusion will never be prevented or solved by the retailers alone; government and law enforcement must be part of the solution and prevention process. Target is not the only retailer involved in this breach; others were breached months before Target, it just was not public knowledge. This breach is just the tip of the iceberg right now; in the future it will be more difficult to detect and remove malware and malicious software.
  • It's not Target's fault

    It's nice that they are doing this credit monitoring thing for customers. I hear people talking about this and blaming Target. But the blame needs to fall squarely on the shoulders of the people who steal the information, the people who buy it from them and then use it. They are the ones that need to pay. I really don't think we need to keep people like that around anymore.
    • They have to

      They have to by law.
      They have to provide a year of free credit check.
      Kinda lame being that you get three free credit checks at any time anyways.
      Once a year each by Trans Union, Equifax, Experian.
  • Bummer of a name?

    I wonder if the company name 'Target' explains why the hackers chose Target as a target?
  • IntelCrawler: "17-year-old teenager is the author of BlackPOS/Kaptoxa"

    Here is the link to details
  • Nah

    DHS has a long history of sucking when it comes to cybersecurity matters (I personally think it should be dissolved and things put back to their pre-DHS days), and reports by DC-connected contractors like iSight Partners generally turn out to be laughably off-base, and a quick look indicates that this is likely the situation here. POS malware had undergone much advancement and development since 2011, and there were numerous reports of a surge in POS malware during the second half of last year even before the Target breach became public. Here's an interesting read of how one POS hack was deconstructed back in 2012: