
Target, Neiman Marcus Malware Creators Identified
User Rank: Apprentice
5/28/2014 | 7:22:44 AM
Re: Did this malware target some particular POS platform?
Good information is provided here about malware. Didn't know about these facts. Appreciable post.

User Rank: Apprentice
1/23/2014 | 5:11:25 AM
Re: Did this malware target some particular POS platform?
That would be a strong "no." Historically, at least, Russian authorities have looked the other way, so long as hackers inside the border don't attack other Russians. The lack of an extradition treaty with the US probably seals the (no) deal. 

Yet one more good reason for the IT department to be watching network traffic for any connections to Russian-based FTP servers. Especially from their payment processing system. 
User Rank: Apprentice
1/22/2014 | 9:09:17 AM
Re: Did this malware target some particular POS platform?
BlackPoS's malware developer ree4 has been identified as Shabayev, aged 23, from Russia. He has already admitted having been the mastermind behind the malware's development last year. http://www.bestvpnservice.com/blog/malware-and-its-russian-coder-behind-target-data-breach-identified
User Rank: Apprentice
1/22/2014 | 8:31:18 AM
Re: Did this malware target some particular POS platform?
Many POSs and ATMs use Windows and that's all the similarity this kind of malware needs.  When a card is swiped by a pin pad, the data is sent to the POS system.  Pin Pads are just like any other peripheral in that they need a physical interface through which they speak to the POS.  It could be USB, serial port, Ethernet or wireless.  If the data is not encrypted before it's sent to the POS, the clear text information can be found in the OS interface buffer or the peripheral device driver buffer.  If it's encrypted, the POS software will eventually decrypt it to create an authorization packet and forward it to the payment processor.  The POS may encrypt the packet again but by that time it's too late.  At first it might seem incredible to hijack temporary data that might be actively referenced by the POS software for less than a second.  However, the techniques used to allocate RAM have similarities to file systems on fixed disks.  Most folks know that a deleted file doesn't mean the data it contained is truly gone.  Memory use by applications can be similar.  Programs are constantly allocating temporary buffers (i.e. a sequence of characters to hold credit card data) and then releasing them.  Temporary buffers are just like file data -- it doesn't cease to exist just because it has been "released" (like a file being deleted).  It might hang around in memory for a long time before that memory is needed again.  An application can be written to make it tougher for RAM-scraping malware to work by clearing the buffer before releasing it but if the data was decrypted, this technique must be thorough.  That means any code that comes into contact with the decrypted data has to overwrite sensitive data contained in buffers before releasing them.  Application developers generally don't recreate existing wheels.  Decryption of data is likely going to be done outside of the POS application by using some kind of library -- possibly one provided by the OS or a third party.  
This means careful handling of buffers would need to extend into the decryption/encryption routines.

If memory scraping malware cannot be eliminated or foiled, the only choice is to remove the POS from the authorization equation and do it in the pin pad.  Modern pin pads are tiny computers.  They could complete the authorization transaction on their own and only provide the POS with truncated data.  POS-based memory scraping malware would disappear since it would no longer have access to valuable information.  Most POS systems allow the cashier to enter the credit card when the mag-stripe is damaged but this would represent a far smaller cache of data and may not be a large enough target for thieves.

Of course criminals adapt, and if the POS no longer contains valuable information, they'll move their assault to the pin pad. Some pin pads are designed to self-destruct if they are opened. Obviously the inventive criminal might be able to drill a hole in the case like crooks did with a recent ATM attack. However, physical access to thousands of devices now becomes a formidable barrier, and I suspect there could be additional tamper prevention techniques employed to thwart holes being drilled (e.g. a plastic bag embedded with a fine coated-wire conductive loop mesh that surrounds the pin pad circuit board. The loop could be connected to the pin pad and, like the classic window security foil, if the conductive loop is broken, the device self-destructs. They could also dip the entire circuit board in something that dries rock hard, is opaque and impervious to solvents. Attempts to access the circuit board destroy it.)
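The comment above argues that a POS application can blunt RAM-scraping malware by scrubbing card data from a buffer before releasing it, and that a "released" buffer otherwise keeps its contents until the memory is reused. The following C program is an added illustration of that point; it is not code from the commenter or from any POS vendor. It assumes a toy buffer pool standing in for the allocator, a constructed sample PAN (the well-known 4111... test number), and a made-up authorization packet format; the only real technique shown is the wipe through a volatile pointer, which keeps the compiler from discarding the stores as dead writes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample PAN (a standard test number, not a real card). */
static const char SAMPLE_PAN[] = "4111111111111111";
#define POOL_SIZE 64

/* Toy buffer pool standing in for the allocator. Releasing a buffer
 * hands it back without touching its contents, which is also what a
 * typical malloc/free does: the bytes stay put until reused. */
static unsigned char pool[POOL_SIZE];

static unsigned char *pool_alloc(void) { return pool; }
static void pool_release(unsigned char *buf) { (void)buf; }

/* Wipe through a volatile pointer so the compiler cannot drop the
 * stores as "dead" just because the buffer is about to be released.
 * (Platform helpers such as explicit_bzero/SecureZeroMemory do the
 * same job where they are available.) */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Build the authorization packet: only the last four digits leave the
 * buffer in clear. The packet format is constructed for this example. */
static void build_auth_packet(const unsigned char *pan, size_t pan_len,
                              char *out, size_t out_len) {
    size_t keep = pan_len >= 4 ? 4 : pan_len;
    snprintf(out, out_len, "AUTH last4=%.*s amount=12.34",
             (int)keep, (const char *)pan + (pan_len - keep));
}

/* Simulate one card swipe. Returns 1 if the full PAN is still readable
 * in the released pool buffer afterwards (what a scraper would find),
 * 0 if it was scrubbed before release. */
int handle_swipe(int wipe_before_release) {
    size_t pan_len = strlen(SAMPLE_PAN);
    unsigned char *buf = pool_alloc();
    char packet[64];

    memcpy(buf, SAMPLE_PAN, pan_len);   /* pin pad hands over clear data */
    build_auth_packet(buf, pan_len, packet, sizeof packet);

    if (wipe_before_release)
        secure_wipe(buf, pan_len);
    pool_release(buf);

    return memcmp(pool, SAMPLE_PAN, pan_len) == 0;
}

int main(void) {
    printf("no wipe : PAN resident after release = %d\n", handle_swipe(0));
    printf("wipe    : PAN resident after release = %d\n", handle_swipe(1));
    return 0;
}
```

The commenter's caveat applies here too: the wipe only helps if every routine that touched the clear data, including the decryption library, does the same before releasing its own buffers, and the `packet` array built on the stack would need the same treatment once the authorization has been sent.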
User Rank: Moderator
1/21/2014 | 8:51:06 PM
Can it Happen Again?
The real worry is that other retailers, using the same POS terminals will be attacked next.

Isn't it time to look for a solution, before this happens?

For instance, why do you have to give your credit card details to the retailer, to pass to the credit card company? Obviously, so they can know who you are, and that it's really your card. Okay, then, why not use an authentication system based on your ID, instead? Then, the credit card need only contain your user ID, which they could check, and tie in with the card details, which they already know. That way, the retailer would have nothing worth stealing. Of course, the authentication system would need to be fraudproof, and I believe there's a description of such a system at www.designsim.com.au/What_is_SteelPlatez.ppsx.
I guess the other benefit of doing something like this is that the credit card companies wouldn't have the expense of changing to EMV cards, or resorting to something unpleasant, like biometrics.
Marilyn Cohodas
User Rank: Strategist
1/21/2014 | 4:39:10 PM
Re: Did this malware target some particular POS platform?
I'm more interested in finding out whether retailers in the U.S. will be more proactive about moving to a smart-card system, which is much harder to hack, than our current magnet stripe cards. The WSJ reported yesterday that Target 10 years ago halted the rollout of a chip-based payment system because execs in store operations and merchandising "worried that the technology slowed checkout speeds and didn't offer enough marketing benefits." 

Hindsight is always 20-20, isn't it?


Thomas Claburn
User Rank: Ninja
1/21/2014 | 4:09:47 PM
Re: Did this malware target some particular POS platform?
Are Russian authorities likely to do anything about this guy?
David F. Carr
User Rank: Strategist
1/21/2014 | 12:41:12 PM
Did this malware target some particular POS platform?
Do we know whether this malware was targeted at a specific POS platform? Or are POS systems so similar, regardless of who makes them, that the software was able to target a range of environments?
