The other shoe is dropping: Neiman Marcus now has followed Target's disclosure of a data breach, and security experts say other retailers also have been hit in a holiday hack that pilfered tens of millions or more customer payment cards and personal information in an attack that spanned point-of-sale (POS) systems and databases.
Target, which over the past few weeks has dribbled out additional information on the breach it first announced in late December that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15, late last week revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people also were stolen in the attack -- a number that may have some overlap with the payment card victims. Target's CEO told CNBC, meanwhile, that malware was found on its POS registers, and Neiman Marcus has confirmed a breach of customer payment cards.
While plenty of details about the breaches and how, if at all, they are connected are still unknown, a picture is gradually coming into focus of just what went down during the busy holiday shopping season. Security experts say an organized cybercrime gang likely out of Eastern Europe remotely infected POS systems at Target, Neiman Marcus, and other retailers as a way to rapidly siphon a large volume of credit card and debit card accounts to resell in the cybercrime underground.
But at least in the case of Target -- and likely others -- the attackers didn't stop there. They moved from the infected POS systems to a database, security experts say. Adrian Lane, CTO for Securosis, says Target's revelation that the attackers had accessed 70 million customers' names, addresses, phone numbers, and emails points to a possible database breach.
"If the attackers have name, address, phone, email, and other personal information, and they have millions of these records, there are only one or two places a hacker can acquire that data -- a backup tape or a database. You simply can't harvest that many records listening on the wire unless you breached them years ago," Lane says. "Target is known for data mining and analytics, so it's not too much of an inductive leap to say it was a database breach."
Curt Wilson, senior analyst with Arbor Networks' ASERT, who has studied POS malware, says he and his team are trying to confirm whether the retailer breaches used the Dexter and Project Hook POS malware families he and his team recently studied, or other known POS malware. The two malware families target Windows-based POS systems, often via weak credentials in the POS system. "There are lots of Windows vulnerabilities and Security 101 threats in place there, so it's an open door for attackers," Wilson says. "POS has been a lucrative target ... for some time."
[Attackers employ custom malware rather than physical skimmers to steal payment card information from POS systems in 40 countries. See 'Dexter' Directly Attacks Point-of-Sale Systems.]
Another possible hole: The victimized retailers may have employed weak administrative passwords, a common enterprise mistake. "They probably aren't using the default password, but I would be willing to bet that the admin accounts are Admin or Root, and the passwords were very weak," says Vinny Troia, a security consultant with Night Lion Security. "I really doubt every POS terminal was infected; that would take a tremendous amount of work. It's far more likely that the central processing server was infected, as that would be the machine [that] would potentially have access to -- and out of -- the corporate network."
POS systems often have Internet and email access, leaving them open to attack from the outside. "Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system," the US-CERT Website said in a January 2 advisory warning of an increase in POS attacks.
Visa issued a similar warning back in April 2013, but focused on a surge in attacks on grocery retail chains that began in January 2013 and installed malware on POS systems and their back-end servers. "The malware is configured to 'hook' into certain payment application binaries. These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM)," Visa wrote in its alert. "The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it."
Avivah Litan, vice president and distinguished analyst for Gartner, says she was told by at least two people with knowledge of the breaches that the POS malware that hit Target was tested at a few other retailers before infecting Target. "They had developed very specific point-of-sale malware ... I was told it was the exact same piece of malware, and since November we've been told big retailer breaches were going on," Litan says.
Another clue that something was awry: BitSight says it saw a jump in malicious activity on Target's and Neiman Marcus' networks in November and December 2013. Retail networks, in general, saw more malicious activity in the second half of the year, according to the firm, whose network of sensors gathers botnet, spam, malware, and other security risk communication and maps it to specific organizations' networks.
"Since the details of these breaches have not been fully revealed, we do not know if the activity observed by BitSight was indeed the cause of the data loss. BitSight looks only at externally available data and has no access to internal network data. While we did observe increased activity during the time the breaches occurred at Target and Neiman Marcus, these companies were certainly not the worse performers in the retail sector," said Sonali Shah, vice president of product at BitSight, in a blog post. "SecurityRatings for other companies in this industry are lower, leaving us wondering which retailer will be hit next."
Arbor's Wilson says he expects more POS attacks to emerge. "There's a lot more of this going on ... a lot of [victims] don't know it yet or have yet to publicize the fact" they've been breached, Wilson says. "I think we're going to see more POS malware attacks."
Daniel Ingevaldson CTO of Easy Solutions, says his firm in early December saw a massive flow of newly stolen credit card accounts, and then an even bigger dump of stolen cards -- 2 million -- on Jan. 4. "We initially assumed it was the last gasp from the Target breach, but the overall structure of that base [dump] was a little different: We saw a disproportionate amount of AmEx Black cards and AmEx Centurion cards. Centurion cards are only for people with $15 million in assets and annual income of over $1 million," Ingevaldson notes. "It's unusual to see those," and it could be linked to Neiman Marcus' breach, he says.
He says the Target breach was akin to a smash-and-grab job to get as much as possible as quickly as possible and then to resell the stolen booty right away. The remote infection of POS systems is more lucrative than attaching a skimmer on a PIN pad or at a gas station, he says.
"Another side of this is that we didn't see 40 million cards hit the [underground] market. So we don't have a full accounting of all of those cards," he says. "The guys who perform this work know exactly what they're doing, and they know how to keep prices high."
Adam Meyers, vice president of intelligence at CrowdStrike, says while there have been multiple variations of this malware, they were used only in "limited environments" as far as it was known. These latest breaches are similar in nature to a targeted attack, he says.
"Based on my experience, I would say we are looking at several other breach announcements in the future since there appears to be a cybercriminal group that has taken a page from the targeted attacker play book and is able to move laterally and deploy malware to collect track data from the point of sales devices," Myers says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio