Target, Neiman Marcus Data Breaches Tip Of The Iceberg

'Smash-and-grab' attacks targeted point-of-sale systems -- and, in some cases, spread to databases

The other shoe is dropping: Neiman Marcus now has followed Target's disclosure of a data breach, and security experts say other retailers also have been hit in a holiday hack that pilfered tens of millions or more customer payment cards and personal information in an attack that spanned point-of-sale (POS) systems and databases.

Target first announced its breach in late December, saying it affected some 40 million credit and debit cards used in its stores between Nov. 27 and Dec. 15, and has dribbled out additional information over the past few weeks. Late last week it revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people also were stolen in the attack -- a number that may overlap with the payment card victims. Target's CEO told CNBC, meanwhile, that malware was found on its POS registers, and Neiman Marcus has confirmed a breach of customer payment cards.

While plenty of details about the breaches and how, if at all, they are connected are still unknown, a picture is gradually coming into focus of just what went down during the busy holiday shopping season. Security experts say an organized cybercrime gang likely out of Eastern Europe remotely infected POS systems at Target, Neiman Marcus, and other retailers as a way to rapidly siphon a large volume of credit card and debit card accounts to resell in the cybercrime underground.

But at least in the case of Target -- and likely others -- the attackers didn't stop there. They moved from the infected POS systems to a database, security experts say. Adrian Lane, CTO for Securosis, says Target's revelation that the attackers had accessed 70 million customers' names, addresses, phone numbers, and emails points to a possible database breach.

"If the attackers have name, address, phone, email, and other personal information, and they have millions of these records, there are only one or two places a hacker can acquire that data -- a backup tape or a database. You simply can't harvest that many records listening on the wire unless you breached them years ago," Lane says. "Target is known for data mining and analytics, so it's not too much of an inductive leap to say it was a database breach."

Curt Wilson, senior analyst with Arbor Networks' ASERT, who has studied POS malware, says his team is trying to confirm whether the retailer breaches used the Dexter and Project Hook POS malware families it recently studied, or other known POS malware. Both families target Windows-based POS systems, often getting in via weak credentials on the POS system. "There are lots of Windows vulnerabilities and Security 101 threats in place there, so it's an open door for attackers," Wilson says. "POS has been a lucrative target ... for some time."

[Attackers employ custom malware rather than physical skimmers to steal payment card information from POS systems in 40 countries. See 'Dexter' Directly Attacks Point-of-Sale Systems.]

Another possible hole: The victimized retailers may have employed weak administrative passwords, a common enterprise mistake. "They probably aren't using the default password, but I would be willing to bet that the admin accounts are Admin or Root, and the passwords were very weak," says Vinny Troia, a security consultant with Night Lion Security. "I really doubt every POS terminal was infected; that would take a tremendous amount of work. It's far more likely that the central processing server was infected, as that would be the machine [that] would potentially have access to -- and out of -- the corporate network."

POS systems often have Internet and email access, leaving them open to attack from the outside. "Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system," the US-CERT Website said in a January 2 advisory warning of an increase in POS attacks.

Visa issued a similar warning back in April 2013, but focused on a surge in attacks on grocery retail chains that began in January 2013 and installed malware on POS systems and their back-end servers. "The malware is configured to 'hook' into certain payment application binaries. These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM)," Visa wrote in its alert. "The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it."
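The US-CERT and Visa passages above describe the exposure: registers with Internet and email reach, and malware on the register or back-of-house server reading track data from RAM. As an added example (not from the article or any vendor named in it), here is a flow-log check that flags any register talking to something other than its allowlisted POS server and payment gateway, paying particular attention to mail and database ports, the paths the article describes attackers using to reach out and to move to a database. The topology, addresses, ports and record format are constructed assumptions.

```python
import ipaddress

# Constructed topology (hypothetical, not from the article): a register
# subnet, the store's central POS server, the payment processor's gateway,
# and the corporate address space the registers may otherwise never touch.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PEERS = {
    ("10.20.1.10", 8443),   # central POS server
    ("203.0.113.5", 443),   # payment gateway, authorizations only
}
# Services a register has no business reaching: mail and database engines.
SENSITIVE_PORTS = {25: "smtp", 587: "smtp", 1433: "mssql",
                   3306: "mysql", 1521: "oracle"}

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def check_flows(lines):
    """Return (src, dst, dport, reason) for each register flow off the allowlist.
    Record format (constructed): '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'.
    """
    findings = []
    for line in lines:
        _ts, src, dst, dport, _proto = line.split()
        dport = int(dport)
        if ipaddress.ip_address(src) not in POS_SUBNET:
            continue  # rule covers registers only; servers need their own policy
        if (dst, dport) in ALLOWED_PEERS:
            continue
        if dport in SENSITIVE_PORTS:
            reason = f"register speaking {SENSITIVE_PORTS[dport]} to {dst}"
        elif not is_internal(ipaddress.ip_address(dst)):
            reason = f"register reaching the Internet at {dst}:{dport}"
        else:
            reason = f"register reaching internal host {dst}:{dport} off allowlist"
        findings.append((src, dst, dport, reason))
    return findings

# Constructed sample flow records, not real Target or Neiman Marcus data.
SAMPLE_FLOWS = [
    "2013-12-02T03:14:00 10.20.0.17 10.20.1.10 8443 tcp",    # register -> POS server
    "2013-12-02T03:14:05 10.20.1.10 203.0.113.5 443 tcp",    # server -> gateway, out of scope
    "2013-12-02T03:15:10 10.20.0.17 198.51.100.77 443 tcp",  # register -> unknown Internet host
    "2013-12-02T03:16:20 10.20.0.23 10.50.2.8 1433 tcp",     # register -> database server
    "2013-12-02T03:18:00 10.20.0.9 192.168.7.4 25 tcp",      # register -> mail relay
]
```

Run against the sample, the check returns three findings: the register reaching an unknown Internet host, the register opening a SQL Server connection, and the register talking SMTP; the server-to-gateway flow is skipped because only registers are in scope here.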

Avivah Litan, vice president and distinguished analyst for Gartner, says she was told by at least two people with knowledge of the breaches that the POS malware that hit Target was tested at a few other retailers before infecting Target. "They had developed very specific point-of-sale malware ... I was told it was the exact same piece of malware, and since November we've been told big retailer breaches were going on," Litan says.

Another clue that something was awry: BitSight says it saw a jump in malicious activity on Target's and Neiman Marcus' networks in November and December 2013. Retail networks, in general, saw more malicious activity in the second half of the year, according to the firm, whose network of sensors gathers botnet, spam, malware, and other security risk communication and maps it to specific organizations' networks.

"Since the details of these breaches have not been fully revealed, we do not know if the activity observed by BitSight was indeed the cause of the data loss. BitSight looks only at externally available data and has no access to internal network data. While we did observe increased activity during the time the breaches occurred at Target and Neiman Marcus, these companies were certainly not the worst performers in the retail sector," said Sonali Shah, vice president of product at BitSight, in a blog post. "SecurityRatings for other companies in this industry are lower, leaving us wondering which retailer will be hit next."

Arbor's Wilson says he expects more POS attacks to emerge. "There's a lot more of this going on ... a lot of [victims] don't know it yet or have yet to publicize the fact" they've been breached, Wilson says. "I think we're going to see more POS malware attacks."

Daniel Ingevaldson, CTO of Easy Solutions, says his firm in early December saw a massive flow of newly stolen credit card accounts, and then an even bigger dump of stolen cards -- 2 million -- on Jan. 4. "We initially assumed it was the last gasp from the Target breach, but the overall structure of that base [dump] was a little different: We saw a disproportionate amount of AmEx Black cards and AmEx Centurion cards. Centurion cards are only for people with $15 million in assets and annual income of over $1 million," Ingevaldson notes. "It's unusual to see those," and it could be linked to Neiman Marcus' breach, he says.

He says the Target breach was akin to a smash-and-grab job to get as much as possible as quickly as possible and then to resell the stolen booty right away. The remote infection of POS systems is more lucrative than attaching a skimmer on a PIN pad or at a gas station, he says.

"Another side of this is that we didn't see 40 million cards hit the [underground] market. So we don't have a full accounting of all of those cards," he says. "The guys who perform this work know exactly what they're doing, and they know how to keep prices high."

Adam Meyers, vice president of intelligence at CrowdStrike, says while there have been multiple variations of this malware, they were used only in "limited environments" as far as it was known. These latest breaches are similar in nature to a targeted attack, he says.

"Based on my experience, I would say we are looking at several other breach announcements in the future since there appears to be a cybercriminal group that has taken a page from the targeted attacker playbook and is able to move laterally and deploy malware to collect track data from the point-of-sale devices," Meyers says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Drew Conry-Murray, 1/17/2014 5:37:05 PM
re: Target, Neiman Marcus Data Breaches Tip Of The Iceberg
It seems pretty clear that these breaches are no longer outliers. This is the state of the industry. And it's distressing to see the same mistakes being made all over again with POS (insecure code, weak passwords, etc). Didn't we learn anything from these low-hanging PC and server vulnerabilities?
1/15/2014 10:45:17 PM
re: Target, Neiman Marcus Data Breaches Tip Of The Iceberg
The fact that these POS systems have exploits and malware means that someone is taking the time to study and find ways to attack and gather data. The easiest way is to have someone inside; the second is to have the same tools to copy and spoof your way in.
I think I have an idea of what they are doing and how. And if I am right, there are more POS systems at risk.