Target Breach: 5 Unanswered Security Questions

Investigators have yet to explain how Target was hacked, whether BlackPOS malware infected its payment servers, and whether the same gang also struck other retailers.

Mathew J. Schwartz, Contributor

January 22, 2014

7 Min Read

Top 10 Retail CIO Priorities For 2014

Top 10 Retail CIO Priorities For 2014width=

Top 10 Retail CIO Priorities For 2014 (Click image for larger view and slideshow.)

How did hackers break into systems at Target?

Officials at the nation's second-largest discount retailer have admitted that attackers stole credit and debit card details for 40 million customers and personal information pertaining to 110 million customers.

According to investigators, attackers obtained the point-of-sale (POS) data using the BlackPOS memory-scraping malware, which is also known as Kaptoxa, or "potato" in Russian. The same malware was reportedly also used against Neiman Marcus and up to six additional as-yet-unnamed retailers.

But a number of key questions surrounding the attacks against Target and other retailers remain unanswered.

1. Did malware infect Target's payment systems?
Target has yet to confirm how the BlackPOS malware was used, leaving open the question of whether Internet-connected POS terminals were compromised. Many security experts don't believe that was the case.

"We are still left to infer that the method of attack was to compromise manager credentials... and that the target was enterprise payment processing servers -- not 'point-of-sale,' not store controllers -- running Windows," information assurance expert William Hugh Murray, an associate professor at the Naval Postgraduate School, said in a recent SANS Institute newsletter. "The most interesting thing about the malware is that it exploited system code, not application-specific code, to access application traffic."

[Will SnapChat suffer more long-term damage from its data breach than Target? Read A Tale Of Two Cyberheists.]

In other words, based on what's known about the attacks, attackers likely gained access to the targeted system by guessing or using stolen access credentials. Furthermore, the malware likely didn't infect any POS terminals or applications running therein, but rather the Windows-based payment system that was used to manage all of those POS terminals.

According to a VirusTotal analysis of BlackPOS samples (and a condensed report), only 30 out of 48 antivirus engines are detecting the malware.

Malware such as BlackPOS is tailor-made to intercept credit card data -- which is otherwise encrypted -- after it's been decrypted, to be checked. "To access the decrypted transaction data, malware is deployed onto the system that carries out external verification. This malware monitors the currently running processes, looking for one of a known list of processes that carry out the transaction verification," read an EPOS Data Theft threat advisory released Tuesday by McAfee, referring to electronic point-of-sales (EPOS) systems. "When the malware detects data about a financial transaction, it copies or 'scrapes' the decrypted data from the processes memory and writes it to a local file." That list of intercepted credit and debit card credentials is then sent to a remote server so attackers can access the data and then either resell it or use it themselves.

2. Who attacked Target?
A 23-year-old Russian man, Rinat Shabayev, this week confirmed that he helped author the BlackPOS malware. But in an interview with Russian media outlet LifeNews that was broadcast Tuesday, he claimed to be innocent of selling Kaptoxa for malicious purposes, saying that it had been developed as a penetration testing tool rather than for the cybercrime market.

"If you use this software with malicious intent, you can earn well, but it is illegal," Shabayev told LifeNews.

Shabayev's identity squares with information published earlier this week by cyber-intelligence firm IntelCrawler. While the firm Friday named a 17-year-old Russian who used the alias "ree[4]" (a.k.a. "ree4") as a suspect in developing the malware, it revised that assessment earlier this week after questions surfaced over the company's findings. Instead, the firm named Shabayev as the malware's principal developer, saying that he too had used the ree4 handle. After updating its report earlier this week, however, Intelcrawler later excised the names of the two people it suspected of having been the principle developers behind Kaptoxa.

3. Why didn't Neiman Marcus come clean sooner?
One of the biggest unanswered questions surrounding the campaign against retailers concerns the identity of the other businesses -- supposedly, there may be six more in addition to Neiman Marcus -- that were also recently compromised. On the other hand, the retailers may have yet to fully ascertain the extent of the breach and are putting working defenses in place.

Neiman Marcus -- which has yet to disclose how many credit and debit card numbers it lost -- has been criticized for not coming clean about the breach more quickly. The firm didn't confirm that it had been breached until Jan. 10, the same day that security journalist Brian Krebs publicized that payment providers had traced fraudulent purchases to cards used at the luxury retailer.

Likewise, Target didn't reveal its information security breach, which happened from Nov. 27 to Dec. 15, until Krebs reported on Dec. 18 that investigators were looking into a potential breach at the retailer. Unlike Target, however, which publicized the breach and endured a downturn in holiday shopping volumes, Neiman Marcus didn't disclose its 2013 breach -- which began in mid-July and lasted until December -- until after the busy shopping period.

While 46 states have mandatory data breach notification laws, the timeline for reporting a breach varies.

Neiman Marcus officials, however, have defended themselves against claims that they delayed issuing a breach notification to affected customers, saying that they reacted as rapidly as possible. "We quickly began our investigation and hired a forensic investigator," read a statement released by the retailer. "Our forensic investigator discovered evidence on Jan. 1st that a criminal cybersecurity intrusion had occurred. The forensic and criminal investigations continue."

By not disclosing the breach, furthermore, Neiman Marcus bought itself time to harden its systems to better defend against repeat attacks. An official at the retailer, on a call last week with credit card companies, said that the Neiman Marcus breach wasn't fully contained until Jan. 12, the New York Times reported.

4. Did the same gang hack Target and Neiman Marcus?
Are the Target and Neiman Marcus attacks related? While the same type of malware was reportedly used in both attacks, investigators have yet to comment about whether the same gang took down both retailers. Last week, meanwhile, Neiman Marcus said that it had "no knowledge of any connection" between Target's breach and its own.

5. Did Target's attackers also hit Easton-Bell Sports?
The latest business to disclose that it too was hacked and had payment data stolen in December 2013 was Easton-Bell Sports, a California-based sports equipment and clothing manufacturer. The company, which makes Bell helmets and Giro cycling gear, said that information on 6,000 customers who shopped on its website was stolen. The breach reportedly lasted from Dec. 1 to Dec. 31, and stolen information may have included names, addresses, telephone numbers, email addresses, credit card numbers, and card security codes, the company said in a statement.

An Easton-Bell Sports spokesman didn't immediately respond to an emailed request for comment about whether memory-scraping malware was used, or if the data breach appeared to involve the same gang or gangs that successfully attacked Target and Neiman Marcus.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights