The Target data breach may be just the tip of the iceberg in what seems to be a massive, sophisticated attack on U.S. retailers that may have originated in Russia, according to newly discovered evidence. The Wall Street Journal reports that federal and private investigators looking into the matter have discovered that parts of the malware used to hit Target have been available on the black market since last spring and were written in Russian, leading them to believe the attack may have ties to organized crime in the former Soviet Union.
The investigators have also revealed that no known antivirus software could detect the malware used, and that the attackers had added features to conceal the fact that it was copying data from the credit and debit cards swiped in point-of-sale (POS) machines. Interestingly, the malware was programmed to steal data during prime business hours (i.e., from 10:00 a.m. to 5:00 p.m. local time) and store it on an internal Target server that was also controlled by the hackers.
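The time-gated collection and staging on an internal server described above suggest one detection heuristic a defender can apply to file-share logs. The script below is an added example, not code from the article, the investigators or iSight: it parses constructed log lines (host names, log format and thresholds are assumptions) and flags any internal host that receives writes from many POS lanes almost entirely inside the 10:00 to 17:00 window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): timestamp, source POS host,
# destination host, bytes written over an internal file share.
SAMPLE_LOG = """\
2013-12-02T10:17:03 pos-lane-01 srv-int-07 48213
2013-12-02T11:02:41 pos-lane-14 srv-int-07 51907
2013-12-02T13:45:19 pos-lane-07 srv-int-07 47002
2013-12-02T16:58:55 pos-lane-22 srv-int-07 50110
2013-12-02T03:12:10 pos-lane-01 srv-backup-01 1048576
2013-12-02T03:14:22 pos-lane-14 srv-backup-01 1048576
2013-12-02T14:20:00 pos-lane-01 srv-backup-01 2048
"""

# Business-hours window as described in the article: 10:00 to 17:00 local time.
BUSINESS_START, BUSINESS_END = 10, 17


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def suspicious_staging_hosts(events, min_sources=3, min_window_fraction=0.9):
    """Return destinations written to by at least `min_sources` distinct POS hosts
    where at least `min_window_fraction` of the writes fall inside business hours.
    A legitimate backup target (nightly, few sources) does not match this profile."""
    per_dst = defaultdict(lambda: {"sources": set(), "total": 0, "in_window": 0})
    for ts, src, dst, _ in events:
        rec = per_dst[dst]
        rec["sources"].add(src)
        rec["total"] += 1
        if BUSINESS_START <= ts.hour < BUSINESS_END:
            rec["in_window"] += 1
    flagged = {}
    for dst, rec in per_dst.items():
        fraction = rec["in_window"] / rec["total"]
        if len(rec["sources"]) >= min_sources and fraction >= min_window_fraction:
            flagged[dst] = {"sources": len(rec["sources"]),
                            "window_fraction": round(fraction, 2)}
    return flagged


if __name__ == "__main__":
    print(suspicious_staging_hosts(parse_log(SAMPLE_LOG)))
```

On the constructed sample only srv-int-07 is flagged; the nightly backup host is not, because its writes come from few sources and fall outside the window.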
“What’s really unique about this one is it’s the first time we’ve seen the attack method at this scale,” iSight Partners senior vice president Tiffany Jones said. “It conceals all the data transfers. It makes it really hard to detect in the first place.”
Some of these newly revealed details confirm what a recent Krebs on Security report said, although we’re now getting a better idea of the scope of the Target attack. Neither Krebs on Security nor the investigators cited by the Journal have revealed how the malware was actually injected into Target’s POS machines.
iSight on Thursday issued its own report on the KAPTOXA (the program’s Russian name) POS malicious software it discovered, acknowledging that it is investigating the matter with the U.S. Secret Service. The security company warns retailers that the malware “has potentially infected a large number of retail information systems,” and that they should contact the Secret Service and the company if they believe they were infected. The security firm also advises consumers to keep an eye out for fraudulent bank transactions and to avoid opening any emails or links that appear to have been sent by their banks or financial institutions, and instead to contact those institutions via telephone or their website.
Finally, Reuters on Friday exclusively reported that six ongoing attacks similar to the one suffered by Target have been discovered by security firm IntelCrawler, although the actual names of the companies involved had not been revealed at the time this article was written.