Target store
January 17, 2014

Target Breach Used Garden Variety Malware

Enid Burns for - Your Universe Online

Hackers who were able to gather credit card data on over 70 million Target shoppers during the 2013 holiday shopping season were able to do so using garden variety malware. It didn't take any special code to get the "off the shelf" malware to breach the big box retailer's systems, according to Forbes.

It was no storybook holiday for Target. The retailer discovered in December that it was the victim of a large-scale security breach that was originally estimated to have obtained credit card data from 40 million customers. With the swipe of a credit card, customers unwittingly handed sensitive information including customer name, credit or debit card number, the expiration date and the CVV three-digit security code to hackers. After the Christmas decorations came down and returns started to subside, Target revealed that the breach affected 70 million more accounts, though it is suspected that there is some overlap in the total 110 million. Still, it is said that the breach is the largest of its kind.

New evidence shows that the malware used to infiltrate Target's systems was entirely ordinary - as far as malware designed to slurp up financial data for its hackers goes. Brian Krebs from KrebsonSecurity provides analysis on the software, which can be obtained for between $1,800 and $2,300 - depending on whether a hacker wants the budget or full version of the crimeware.

The breach involved memory-scraping malware. "This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants," Krebs wrote.

The malware was installed on the embedded Windows OS computers on the point-of-sale (POS) terminals in all of target's US stores, Forbes reports. The software was able to store and grab the information from the magnetic strip of each credit card swiped. Data was stored while it was temporarily on the POS machine, before it was encrypted and sent to financial institutions for verification. The information was stored until it could be retrieved in batches through a persistent remote connection, Forbes' Anthony Wing Kosner explained.

Hackers were able to manage their whole operations by keeping an open channel to every POS terminal at every Target store via Target's central data network.

Target was not the only retailer that experienced a breach over the 2013 holiday shopping season. Neiman Marcus reported a breach that had occurred during the holiday season. Sources say that at least three additional retailers also experienced a security breach in the same time period, but have yet to come forward and make their customers aware.