Endpoint

1/2/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Forever 21 Found Malware and Encryption Disabled on its PoS Devices

The retailer found signs of unauthorized access and malware installed on point-of-sale devices during an investigation into last year's data breach.

Forever 21's investigation into a data breach first reported in November 2017 has revealed malware planted on the retailer's point-of-sale systems (PoS) as well as encryption disabled on some of the devices.

The retailer, which had been using encryption on its payment system since 2015, received a report in mid-October indicating unauthorized access to payment card data at certain stores.

Following an investigation with payment technology and security firms, Forever 21 said in an update posted late last week that encryption technology on some point-of-sale (PoS) devices was not always on, and that it had found signs of unauthorized network access and malware installed on PoS devices to search for payment card data.

The malware searched for track data from payment cards as they were processed through the PoS system. In most cases this data was limited to card number, expiration date, and internal verification code. Occasionally, the cardholder name was also found.

Encryption had been disabled and malware installed on some devices at varying times in US stores from April 3, 2017 through November 18, 2017. Some locations only experienced a breach for a few days or weeks; others were hit for most or all of the timeframe. In most cases, only one or a few of PoS devices were affected at each outlet.

Forever 21 stores also each have a device to keep track of completed payment card transaction authorizations. Payment card data was stored in these devices while encryption was off. Investigators found malware installed on log devices in certain stores. At these locations, if encryption was disabled on a PoS device prior to April 3, 2017 and data was still recorded on the log file, the malware could have discovered the unencrypted data.

The company reports it's working with payment processors, its PoS device provider, and third-party experts to address encryption on PoS devices at all of its retail outlets. It's also investigating whether this incident affected stores outside the US, which use different payment systems. Payment cards used on Forever21.com were not affected.

Retail is a hot target for cybercriminals who know they can make decent money swiping credit card numbers and selling them on the Dark Web. Bigger targets with millions of customers are the hardest hit, says Mark Cline, vice president at Netsurion. Indeed, Whole Foods and Nissan Canada are two more examples of massive retailers with large customer bases and recently reported security breaches.

"If retail businesses haven't hardened their IT and POS security, they should start now to protect themselves from PoS malware, ransomware, and other threats," he says. They may be running anti-virus software and managed firewalls, but they may or may not be running a strong offense with active monitoring and threat detection."

Forever 21 urges customers to review card statements for unauthorized activity and report unauthorized activity to their card issuer.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
shyguygav
50%
50%
shyguygav,
User Rank: Apprentice
1/3/2018 | 10:22:02 AM
PoS exploited
Eerily similar to the target breach of 2013
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 12:28:02 PM
Re: PoS exploited
Not similiar.  Target POS systems were secure and the servers were secure BUT for a few seconds, data in transit from POS to SERVER ws not encrypted at all.  The theft involved just sitting in their cars and collecting the unsecure data transit.  
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
CVE-2018-6411
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.