1/21/2014 12:05 PM

Target, Neiman Marcus Malware Creators Identified

Eastern European team developed memory-scraping Kaptoxa (BlackPOS) malware, sold it at least 40 times, says cyber-intelligence firm.

A team of at least two developers created the point-of-sale malware used to hack Target, Neiman Marcus, and likely other retailers in the United States, Australia, and Canada.

So said information security intelligence firm IntelCrawler Friday in a report that named a 17-year-old Russian teenager, who used the online handle "ree[4]" (a.k.a. ree4), suspected of being the author of the BlackPOS -- for point-of-sale -- malware. The malware is also known as Kaptoxa, or "potato" in Russian.

But security journalist Brian Krebs, who broke the news of the Target breach in December, questioned IntelCrawler's findings. Subsequently, the intelligence firm updated its research, naming instead a second teenage suspect, who it said shared the ree4 handle with the first suspect. "Intelcrawler apparently just changed its mind about the guy responsible for the Target POS malware," Krebs tweeted Monday. "Now they have the right guy."

The revised research report said that the first suspect was one of several individuals who provided technical support for the newly named suspect -- again, ree4 -- a "very well known programmer of malicious code" who appears to be based in St. Petersburg, Russia; the gang at large appears to be based in Russia or in other former Soviet satellites.

The Kaptoxa malware was also sold under the name "Dump Memory Grabber," and reportedly found a number of buyers. "Ree4 has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit cards shops such as '.rescator,' 'Track2.name,' 'Privateservices.biz,' and many others," according to the IntelCrawler report. The firm said that the developers also appear to have sold the source code to several buyers, and modified builds of the code for others.

The malware was advertised on hacking forums as being able to scrape POS device RAM to intercept credit card data, and then dump -- transmit -- that data in batches via FTP to an external server. "This trojan is written on pure C++ without any additional libraries, is used for dumps grabber [and] credit cards from RAM memory of all running processes," according to a translation of a Russian-language advertisement, published by IntelCrawler. "It works on all Windows systems, including x64. It uses mmon.exe for RAM scanning, very silent on the computer, there is a timeout for autorun (we can change it). It can also repeat sending dumps. The log is sent to the gate through FTP, each new log has the date, like 1.09.56-16.02.2013.txt, we can also modify it on email. All questions to ree4@exploit.im."

Those details square with what's known about the Target breach, including attackers' using memory-scraping malware and exfiltrating stolen data via FTP to a server in Russia.
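The behaviour the advertisement describes, scrape RAM and then push batches of stolen track data to an external FTP server, is also the behaviour a POS network owner can look for in egress records. The following is an added example, not code from the article or from IntelCrawler: it assumes a hypothetical record format ("src= dst= dport="), a hypothetical POS VLAN of 10.20.30.0/24, and a constructed sample log, and flags FTP control connections from that VLAN to non-private addresses.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed sample of outbound-connection records from a POS network
 * segment (hypothetical "src= dst= dport=" format, not real traffic). */
static const char *SAMPLE_LOG[] = {
    "src=10.20.30.41 dst=10.20.30.5 dport=445",    /* internal SMB, expected   */
    "src=10.20.30.41 dst=198.51.100.7 dport=21",   /* FTP to external host     */
    "src=10.20.30.42 dst=203.0.113.9 dport=443",   /* HTTPS egress, not FTP    */
    "src=10.20.30.43 dst=198.51.100.7 dport=21",   /* second POS host, same FTP */
    "src=10.9.9.9 dst=198.51.100.7 dport=21",      /* FTP, but not a POS host  */
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* RFC 1918 space: 10/8, 172.16/12, 192.168/16 */
static int is_private(uint32_t ip) {
    return (ip >> 24) == 10 || (ip >> 20) == 0xAC1 || (ip >> 16) == 0xC0A8;
}

/* Returns 1 when a host in the assumed POS VLAN (10.20.30.0/24) opens an FTP
 * control connection (tcp/21) to a non-private address: the exfil path the
 * advertisement describes. Anything malformed is treated as not matching. */
int is_suspicious_ftp(const char *line) {
    char src[16], dst[16];
    unsigned dport;
    uint32_t s, d;
    if (sscanf(line, "src=%15s dst=%15s dport=%u", src, dst, &dport) != 3) return 0;
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d)) return 0;
    if ((s & 0xFFFFFF00u) != 0x0A141E00u) return 0;   /* not from the POS VLAN */
    return dport == 21 && !is_private(d);
}

/* Scans the constructed sample and returns how many records match. */
int count_suspicious(void) {
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        if (is_suspicious_ftp(SAMPLE_LOG[i])) { hits++; printf("ALERT %s\n", SAMPLE_LOG[i]); }
    return hits;
}
```

In the sample, the two POS hosts talking FTP to 198.51.100.7 are flagged; the FTP session from a host outside the POS VLAN and the HTTPS egress are not, which is the kind of narrow rule that stays useful on a segment where outbound FTP has no business purpose.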

Image credit: Robert Scoble.

Target warned customers in mid-December that 40 million debit and credit cards had been stolen. Later, it said that attackers had also obtained personal information on 70 million customers. That suggests that the gang behind the Target attack employed more than just POS malware.

People with knowledge of the investigations at Target and Neiman Marcus, speaking on background, have said that the breaches are related, and suggested that at least three more retail firms were likewise compromised. While the Target breach began in late November 2013, recent reports have also suggested that Neiman Marcus was hacked in July 2013, and the breach not fully contained until Jan. 12, 2014.

How much might attackers have spent to successfully hack into POS systems at Target or any other retailer? IntelCrawler said the Kaptoxa malware was being sold for $2,000, or else a 50% cut of all profits made from intercepted credit and debit card data, to be deposited to the developer's Liberty Reserve account.

But the real culprits are arguably the gang or gangs that have been actively employing the POS malware, rather than whoever built the malware. "The real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers," said Dan Clements, president of IntelCrawler, via the company's research report.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments

Stevemartin, User Rank: Apprentice, 5/28/2014 | 7:22:44 AM
Re: Did this malware target some particular POS platform?
Good information is provided here about malware. Didn't know about the facts. Appreciable post.

http://www.vpnmag.co.uk/

Mathew, User Rank: Apprentice, 1/23/2014 | 5:11:25 AM
Re: Did this malware target some particular POS platform?
That would be a strong "no." Historically, at least, Russian authorities have looked the other way, so long as hackers inside the border don't attack other Russians. The lack of an extradition treaty with the US probably seals the (no) deal. 

Yet one more good reason for the IT department to be watching network traffic for any connections to Russian-based FTP servers. Especially from their payment processing system. 

micjustin33, User Rank: Apprentice, 1/22/2014 | 9:09:17 AM
Re: Did this malware target some particular POS platform?
BlackPoS's malware developer ree4 has been identified as Shabayev, aged 23 from Russia. He has already admitted having been the mastermind behind the malware's development last year. http://www.bestvpnservice.com/blog/malware-and-its-russian-coder-behind-target-data-breach-identified

rradina, User Rank: Apprentice, 1/22/2014 | 8:31:18 AM
Re: Did this malware target some particular POS platform?
Many POSs and ATMs use Windows and that's all the similarity this kind of malware needs. When a card is swiped by a pin pad, the data is sent to the POS system. Pin Pads are just like any other peripheral in that they need a physical interface through which they speak to the POS. It could be USB, serial port, Ethernet or wireless. If the data is not encrypted before it's sent to the POS, the clear text information can be found in the OS interface buffer or the peripheral device driver buffer. If it's encrypted, the POS software will eventually decrypt it to create an authorization packet and forward it to the payment processor. The POS may encrypt the packet again but by that time it's too late.

At first it might seem incredible to hijack temporary data that might be actively referenced by the POS software for less than a second. However, the techniques used to allocate RAM have similarities to file systems on fixed disks. Most folks know that a deleted file doesn't mean the data it contained is truly gone. Memory use by applications can be similar. Programs are constantly allocating temporary buffers (i.e. a sequence of characters to hold credit card data) and then releasing them. Temporary buffers are just like file data -- it doesn't cease to exist just because it has been "released" (like a file being deleted). It might hang around in memory for a long time before that memory is needed again.

An application can be written to make it tougher for RAM-scraping malware to work by clearing the buffer before releasing it but if the data was decrypted, this technique must be thorough. That means any code that comes into contact with the decrypted data has to overwrite sensitive data contained in buffers before releasing them. Application developers generally don't recreate existing wheels. Decryption of data is likely going to be done outside of the POS application by using some kind of library -- possibly one provided by the OS or a third party. This means careful handling of buffers would need to extend into the decryption/encryption routines.

If memory scraping malware cannot be eliminated or foiled, the only choice is to remove the POS from the authorization equation and do it in the pin pad. Modern pin pads are tiny computers. They could complete the authorization transaction on their own and only provide the POS with truncated data. POS-based memory scraping malware would disappear since it would no longer have access to valuable information. Most POS systems allow the cashier to enter the credit card when the mag-stripe is damaged but this would represent a far smaller cache of data and may not be a large enough target for thieves.

Of course criminals adapt and if the POS no longer contains valuable information, they'll move their assault to the pin pad. Some pin pads are designed to self-destruct if they are opened. Obviously the inventive criminal might be able to drill a hole in the case like crooks did with a recent ATM attack. However, physical access to thousands of devices now becomes a formidable barrier and I suspect there could be additional tamper prevention techniques employed to thwart holes being drilled (i.e. A plastic bag embedded with a fine coated-wire conductive loop mesh that surrounds the pin pad circuit board. The loop could be connected to the pin pad and like the classic window security foil, if the conductive loop is broken, the device self-destructs. They could also dip the entire circuit board in something that dries rock hard, is opaque and impervious to solvents. Attempts to access the circuit board destroys it.)
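
An added illustration of the buffer-scrubbing point in the comment above (not the commenter's code, and not from any POS product): the practitioner's caveat is that a plain memset() immediately before free() is a dead store that compilers routinely remove, so the clearing has to be done in a way the optimizer cannot elide. secure_zero, is_all_zero, process_track2 and the Track 2 string are all constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Zeroing the optimizer cannot elide: writes through a volatile pointer are
 * observable side effects, so they survive even when the buffer is freed
 * right afterwards. A plain memset() here would be dropped as a dead store,
 * leaving the plaintext in the freed block for a RAM scraper to find. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 1 if every byte of the region is zero (used to verify the scrub). */
int is_all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Models the window the comment describes: decrypted Track 2 data
 * (constructed, not a real card) sits in a transient heap buffer while a
 * masked PAN is built, then the buffer is scrubbed before it is freed.
 * Returns 1 on success, 0 if the input is too short or the output too small. */
int process_track2(const char *track2, char *masked, size_t masked_len) {
    const char *sep = strchr(track2, '=');      /* PAN ends at the '=' separator */
    size_t pan_len = sep ? (size_t)(sep - track2) : strlen(track2);
    if (pan_len < 4 || pan_len + 1 > masked_len) return 0;
    char *tmp = malloc(pan_len + 1);            /* transient copy, as a POS app keeps */
    if (!tmp) return 0;
    memcpy(tmp, track2, pan_len);
    tmp[pan_len] = '\0';
    memset(masked, '*', pan_len - 4);           /* keep only the last four digits */
    memcpy(masked + pan_len - 4, tmp + pan_len - 4, 4);
    masked[pan_len] = '\0';
    secure_zero(tmp, pan_len + 1);              /* scrub before release */
    free(tmp);
    return 1;
}
```

As the comment notes, this only helps if every routine that touches the decrypted data, library decryption code included, does the same before releasing its buffers.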

MarkSitkowski, User Rank: Moderator, 1/21/2014 | 8:51:06 PM
Can it Happen Again?
The real worry is that other retailers, using the same POS terminals will be attacked next.

Isn't it time to look for a solution, before this happens?

For instance, why do you have to give your credit card details to the retailer, to pass to the credit card company? Obviously, so they can know who you are, and that it's really your card. Okay, then, why not use an authentication system based on your ID, instead? Then, the credit card need only contain your user ID, which they could check, and tie in with the card details, which they already know. That way, the retailer would have nothing worth stealing. Of course, the authentication system would need to be fraudproof, and I believe there's a description of such a system at www.designsim.com.au/What_is_SteelPlatez.ppsx.

I guess the other benefit of doing something like this, is that the credit card companies wouldn't have the expense of changing to EMV cards, or resorting to something unpleasant, like biometrics.

Marilyn Cohodas, User Rank: Strategist, 1/21/2014 | 4:39:10 PM
Re: Did this malware target some particular POS platform?
I'm more interested in finding out whether retailers in the U.S. will be more proactive about moving to a smart-card system, which is much harder to hack, than our current magnet stripe cards. The WSJ reported yesterday that Target 10 years ago halted the rollout of a chip-based payment system because execs in store operations and merchandising "worried that the technology slowed checkout speeds and didn't offer enough marketing benefits." 

Hindsight is always 20-20, isn't it?

Thomas Claburn, User Rank: Moderator, 1/21/2014 | 4:09:47 PM
Re: Did this malware target some particular POS platform?
Are Russian authorities likely to do anything about this guy?

David F. Carr, User Rank: Apprentice, 1/21/2014 | 12:41:12 PM
Did this malware target some particular POS platform?
Do we know whether this malware was targeted at a specific POS platform? Or are POS systems so similar, regardless of who makes them, that the software was able to target a range of environments?