Expert who first revealed massive Target hack tells us how it happened

How Was Target Hacked

More unofficial details about the late 2013 Target hack that exposed up to 40 million credit and debit cards and personal data for up to 70 million customers have started to surface, Krebs on Security reports, revealing that a piece of malware that’s “nearly identical” to a 207kb malicious program sold on the black market with prices starting at $1,800 may have been responsible for the massive card data breach.

Called BlackPOS, the program “is a specialized piece of malware designed to be installed on point-of-sale (POS) devices and record all data from credit and debit cards swiped through the infected system.” A more advanced version of BlackPOS offers encryption support for stolen data and retails for $2,300. Even though the creator of BlackPOS is not known, Krebs on Security tried to track the individual, known online as Antikiller, discovering that the hacker may be based in Russia or Ukraine and have ties with various cyber crime activities including distributed denial-of-service (DDoS) attacks and protests linked to the Anonymous group.

It’s not clear whether his software was actually used in the Target attack, but Russian security firm Group-IB has tied BlackPOS to several similar attacks that affected in the past customers of major banks in the U.S. including Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona).

The malware that was used in the Target hack has apparently been installed on POS machines at some point before November 27, with over 40-plus commercial antivirus tools incapable of picking it up. Interestingly, a version of it referred to as “Reedum” by security firm Symantec may have been used in previous attacks dating back to June 2013, and was identified by the FBI as a POS malware program, according to Google’s Virustotal.com malware scanning service.

Antikiller, allegedly the seller or BlackPOS, a POS-targeting malware "nearly identical" to the one used in the Target attacks | Image credit: Krebs on Security

Antikiller, allegedly the seller or BlackPOS, a POS-targeting malware “nearly identical” to the one used in the Target attacks | Image credit: Krebs on Security

Sources familiar with the investigation said that the software tools that were used in the attack were specifically designed to avoid detection. While it’s not clear how hackers managed to upload the malicious code on the POS machines, it’s known that the attackers were able to compromise a web server, which was then used to store data taken from POS devices.

“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation said. “They basically had to keep going in and manually collecting the dumps.”

As for the software running on POS machines, it is believed Target, like other U.S. stores, have “traditionally used a home-grown software called Domain Center of Excellence which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS).” Once installed on POS devices, such malicious programs are able to capture the data on the magnetic stripe on credit and debit cards while it’s in the system memory immediately after a card has been swiped at the POS.

While Target is yet to reveal any specific details about the cyber attack it suffered, the company is offering one year of free credit monitoring and identity theft protection. Furthermore, if you think you’re one of the 70 million affected customers whose data may have been stolen, here’s what you need to do.

blog comments powered by Disqus