Reuters is reporting that Target and Neiman Marcus are not the only retailers that were breached during the holidays; at least three more retailers have also been breached. What makes this announcement interesting is some of the information disclosed in the article.
“Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cyber crime cases have been hatched over the past decade.”
This was reported by Brian Krebs on Christmas Eve. However, based on Brian Krebs’ reporting, it is the Eastern Europeans who are marketing the cards obtained, but they are not necessarily the perpetrators of the actual crime, nor are they necessarily behind it. So whether or not Eastern Europeans are the perpetrators is pure speculation at this point. At one point there were reports that the attackers were from Southeast Asia, but those reports are also unconfirmed.
I really do not care who did these attacks. I am more interested in understanding how they were done so that I can advise my clients as to what they need to do to minimize the likelihood that they end up in the news.
“One of the pieces of malware they used was something known as a RAM scraper, or memory-parsing software, which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said.”
“Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.”
We now have an idea of how the crime was committed. The attackers were taking card data out of memory. It also appears that the attackers were using a memory scraper that was already available, such as vSkimmer or BlackPOS. However, based on the unnamed law enforcement source, the attackers either modified the malware or used it as a basis for their own malware, such that anti-malware solutions would not recognize it as malware.
“One of the sources who told Reuters about the recent rash of attacks said the memory parsing malware cited in the Visa reports was among the tools that the hackers had used, but said they used other techniques as well.”
I found this information the most interesting as it seems to lend credence to my theory that the software was part of an update to the card handling application installed on the POS.
“Avivah Litan, a security analyst for Stamford, Connecticut-based Gartner information technology research firm, said she learned about a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator. She declined to provide his name.”
“Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers perfect new techniques they then used against Target, stealing payment cards at unprecedented speed, Litan said.”
These quotes imply that these were traditional hacks of the retailers’ networks from the outside. The problem I have with that is that this speculation does not square with my knowledge of the changes that Target implemented after they were a victim of Albert Gonzalez back in 2007. Target made significant changes that minimized an outsider’s ability to successfully breach their card processing environment. Not only that, but the PCI DSS pushes isolating cardholder data environments (CDE) from the Internet. Assuming that all of the retailers involved followed the requirements of the PCI DSS, they should have properly isolated their CDE and been monitoring it for such attacks. Not every retailer might have identified an attack on their CDE, but I know that a security-aware organization such as Target should have identified such an attack.
Not only that, but we are no longer talking about a single retailer. We now have at least five retailers that are potentially in play and possibly even more. It seems to be awfully long odds in my book that five retailers were all hacked in one way or another and then had the same malware installed. As a former penetration tester, I could see getting one retailer in this way, maybe two retailers. But not five or possibly more with the same or similar methods in the same time frame. Again, it can be done, but it would require a lot of time, coordination, people and effort.
Hackers may be sophisticated, but they are like water and typically want to find the path of least resistance to accomplish their goals. Attacking networks with firewalls and monitoring is to be avoided, as it takes lots of time and effort and the likelihood of getting caught in the process is too high, particularly when we are talking about multiple organizations. That is why I go back to compromising the software at the source.
If I were constructing such an attack, I would either infiltrate the POS application vendors for large retailers or coerce an existing employee of those companies to insert my malware in their code. That way my exploit comes directly from the source. The good news for attackers is that there are a limited number of companies that develop the code that most retailers use to handle card transactions, so an attacker would just have to look for the vendor with the customers that would provide the best results.
Since these vendors issue precious few updates, their customers are typically champing at the bit to obtain those updates and get them rolled out before the holiday season. The updates are going to be tested heavily, but a smart attacker would have set their malware up to know when it is being tested and remain silent during testing. Once placed into production, the malware would activate and begin collecting card data and sending it back to wherever the attacker decided they wanted to collect it.
Easy peasy. And a lot simpler and easier than hacking networks.
Again, this is all speculation on my part. But knowing how attackers work, I feel my scenario makes much more sense than what is being discussed.
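As an added example (not part of the original post), this is the kind of egress check that the CDE isolation and monitoring mentioned above is meant to provide: any flow from a POS register to a destination outside a short allow-list is flagged, which is where the final “sending it back” step of the scenario above would surface regardless of how the malware got onto the register. The subnet, addresses and log format are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Hypothetical egress allow-list for a CDE segment: the payment processor and
# the POS vendor's update server are the only expected destinations.
# These addresses are constructed placeholders, not real infrastructure.
ALLOWED_EGRESS = {
    "203.0.113.10": "payment-processor (assumed)",
    "198.51.100.20": "pos-vendor-update-server (assumed)",
}
CDE_SUBNET = ipaddress.ip_network("10.10.0.0/24")  # assumed POS register subnet

def parse_flow(line):
    """Parse one constructed flow-log line: 'ts src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def unexpected_egress(lines):
    """Return flows from CDE hosts to destinations not on the allow-list."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if ipaddress.ip_address(f["src"]) not in CDE_SUBNET:
            continue  # only CDE-origin traffic is in scope for this check
        if f["dst"] in ALLOWED_EGRESS:
            continue  # expected destination
        findings.append(f)
    return findings

def summarize(findings):
    """Aggregate bytes per (src, dst) so a slow trickle of card data stands out."""
    totals = Counter()
    for f in findings:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)

# Constructed sample flows: normal processor and vendor traffic, two registers
# pushing data to an unlisted host, and one non-CDE host that is out of scope.
SAMPLE_FLOWS = [
    "2013-12-01T02:10:05 10.10.0.21 203.0.113.10 443 1820",
    "2013-12-01T02:10:09 10.10.0.22 203.0.113.10 443 1790",
    "2013-12-01T02:11:40 10.10.0.21 192.0.2.77 443 5120",
    "2013-12-01T02:12:02 10.10.0.22 192.0.2.77 443 4980",
    "2013-12-01T02:12:30 10.10.0.23 198.51.100.20 443 65000",
    "2013-12-01T02:13:00 10.20.0.5 192.0.2.77 443 300",
]

if __name__ == "__main__":
    for (src, dst), total in summarize(unexpected_egress(SAMPLE_FLOWS)).items():
        print(f"ALERT unexpected egress {src} -> {dst}: {total} bytes")
```

The check deliberately ignores port and protocol: traffic to an unlisted host over 443 is exactly what a scraper blending in with processor traffic would look like.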