Target, Neiman Marcus Data Breaches Tip Of The Iceberg

'Smash-and-grab' attacks targeted point-of-sale systems -- and, in some cases, spread to databases

The other shoe is dropping: Neiman Marcus now has followed Target's disclosure of a data breach, and security experts say other retailers also have been hit in a holiday hack that pilfered tens of millions or more customer payment cards and personal information in an attack that spanned point-of-sale (POS) systems and databases.

Target first announced its breach in late December, saying it affected some 40 million credit and debit cards used in its stores between Nov. 27 and Dec. 15, and has dribbled out additional information over the past few weeks. Late last week it revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people were also stolen in the attack -- a number that may overlap with the payment card victims. Target's CEO told CNBC, meanwhile, that malware was found on its POS registers, and Neiman Marcus has confirmed a breach of customer payment cards.

While plenty of details about the breaches and how, if at all, they are connected are still unknown, a picture is gradually coming into focus of just what went down during the busy holiday shopping season. Security experts say an organized cybercrime gang likely out of Eastern Europe remotely infected POS systems at Target, Neiman Marcus, and other retailers as a way to rapidly siphon a large volume of credit card and debit card accounts to resell in the cybercrime underground.

But at least in the case of Target -- and likely others -- the attackers didn't stop there. They moved from the infected POS systems to a database, security experts say. Adrian Lane, CTO for Securosis, says Target's revelation that the attackers had accessed 70 million customers' names, addresses, phone numbers, and emails points to a possible database breach.

"If the attackers have name, address, phone, email, and other personal information, and they have millions of these records, there are only one or two places a hacker can acquire that data -- a backup tape or a database. You simply can't harvest that many records listening on the wire unless you breached them years ago," Lane says. "Target is known for data mining and analytics, so it's not too much of an inductive leap to say it was a database breach."

Curt Wilson, senior analyst with Arbor Networks' ASERT, who has studied POS malware, says his team is trying to confirm whether the retailer breaches used the Dexter and Project Hook POS malware families it recently studied, or other known POS malware. The two malware families target Windows-based POS systems, often getting in via weak credentials on the POS system. "There are lots of Windows vulnerabilities and Security 101 threats in place there, so it's an open door for attackers," Wilson says. "POS has been a lucrative target ... for some time."

[Attackers employ custom malware rather than physical skimmers to steal payment card information from POS systems in 40 countries. See 'Dexter' Directly Attacks Point-of-Sale Systems.]

Another possible hole: The victimized retailers may have employed weak administrative passwords, a common enterprise mistake. "They probably aren't using the default password, but I would be willing to bet that the admin accounts are Admin or Root, and the passwords were very weak," says Vinny Troia, a security consultant with Night Lion Security. "I really doubt every POS terminal was infected; that would take a tremendous amount of work. It's far more likely that the central processing server was infected, as that would be the machine [that] would potentially have access to -- and out of -- the corporate network."

POS systems often have Internet and email access, leaving them open to attack from the outside. "Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system," the US-CERT Website said in a January 2 advisory warning of an increase in POS attacks.

Visa issued a similar warning back in April 2013, but focused on a surge in attacks on grocery retail chains that began in January 2013 and installed malware on POS systems and their back-end servers. "The malware is configured to 'hook' into certain payment application binaries. These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM)," Visa wrote in its alert. "The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it."

Avivah Litan, vice president and distinguished analyst for Gartner, says she was told by at least two people with knowledge of the breaches that the POS malware that hit Target was tested at a few other retailers before infecting Target. "They had developed very specific point-of-sale malware ... I was told it was the exact same piece of malware, and since November we've been told big retailer breaches were going on," Litan says.

Another clue that something was awry: BitSight says it saw a jump in malicious activity on Target's and Neiman Marcus' networks in November and December 2013. Retail networks, in general, saw more malicious activity in the second half of the year, according to the firm, whose network of sensors gathers botnet, spam, malware, and other security risk communication and maps it to specific organizations' networks.

"Since the details of these breaches have not been fully revealed, we do not know if the activity observed by BitSight was indeed the cause of the data loss. BitSight looks only at externally available data and has no access to internal network data. While we did observe increased activity during the time the breaches occurred at Target and Neiman Marcus, these companies were certainly not the worst performers in the retail sector," said Sonali Shah, vice president of product at BitSight, in a blog post. "SecurityRatings for other companies in this industry are lower, leaving us wondering which retailer will be hit next."

Arbor's Wilson says he expects more POS attacks to emerge. "There's a lot more of this going on ... a lot of [victims] don't know it yet or have yet to publicize the fact" they've been breached, Wilson says. "I think we're going to see more POS malware attacks."

Daniel Ingevaldson, CTO of Easy Solutions, says his firm in early December saw a massive flow of newly stolen credit card accounts, and then an even bigger dump of stolen cards -- 2 million -- on Jan. 4. "We initially assumed it was the last gasp from the Target breach, but the overall structure of that base [dump] was a little different: We saw a disproportionate amount of AmEx Black cards and AmEx Centurion cards. Centurion cards are only for people with $15 million in assets and annual income of over $1 million," Ingevaldson notes. "It's unusual to see those," and it could be linked to Neiman Marcus' breach, he says.

He says the Target breach was akin to a smash-and-grab job to get as much as possible as quickly as possible and then to resell the stolen booty right away. The remote infection of POS systems is more lucrative than attaching a skimmer on a PIN pad or at a gas station, he says.

"Another side of this is that we didn't see 40 million cards hit the [underground] market. So we don't have a full accounting of all of those cards," he says. "The guys who perform this work know exactly what they're doing, and they know how to keep prices high."

Adam Meyers, vice president of intelligence at CrowdStrike, says while there have been multiple variations of this malware, they were used only in "limited environments" as far as it was known. These latest breaches are similar in nature to a targeted attack, he says.

"Based on my experience, I would say we are looking at several other breach announcements in the future since there appears to be a cybercriminal group that has taken a page from the targeted attacker play book and is able to move laterally and deploy malware to collect track data from the point-of-sale devices," Meyers says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Drew Conry-Murray, User Rank: Ninja, 1/17/2014 | 5:37:05 PM
re: Target, Neiman Marcus Data Breaches Tip Of The Iceberg
It seems pretty clear that these breaches are no longer outliers. This is the state of the industry. And it's distressing to see the same mistakes being made all over again with POS (insecure code, weak passwords, etc). Didn't we learn anything from these low-hanging PC and server vulnerabilities?
User Rank: Apprentice, 1/15/2014 | 10:45:17 PM
re: Target, Neiman Marcus Data Breaches Tip Of The Iceberg
The fact that these POS have exploits and malware means that someone is taking the time to study and find ways to attack and gather data. The easiest way is to have someone inside; the second is to have the same tools to copy and spoof your way in.
I think I have an idea of what they are doing and how. And if I am right, there are more POS systems at risk.