Independent security researcher Brian Krebs - who specialises in ATM, EFTPOS and other forms of cybercrime - has been analysing the Target payment card leak, in which at least 40 million sets of card credentials were stolen by cybercriminals.
As reported previously, Target - the US equivalent of Sainsbury's here in the UK - was hit by a card data breach when cybercriminals managed to install malware on its store EFTPOS terminals scattered across the United States. The event, which was revealed the week before Christmas, was described by ex-Sophos consultant and security analyst Graham Cluley as one of the biggest for several years.
Krebs - who broke the story last month - now says that the criminals behind the attack and subsequent breach were using a memory-scraping malware suite known as BlackPOS, which reportedly sells on the black market for around £1,100 (US$1,800). Malware of this type does not need to break any encryption: it reads the memory of the POS process, where magnetic-stripe track data sits briefly in plaintext between the card reader and the authorisation request, picks out anything matching card-number patterns, and typically exfiltrates that data to the hacker's servers.
The security researcher says his sources tell him that the cybercriminals broke into Target's systems after cracking a company web server, then managed to upload the POS malware to the EFTPOS/PINpad machines located at Target's stores.
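To make the memory-scraping step concrete, here is an added example (written for this page, not code from Krebs' report or from BlackPOS itself) that applies a Track 2 pattern and a Luhn check to a byte buffer. A real scraper reads the buffer out of the live POS process instead; the buffer, the test card numbers and the decoy digit run below are all constructed.

```python
import re

# Track 2 magnetic-stripe record as it sits in a POS process between the card
# reader and the authorisation step: ;PAN=YYMMSSS<discretionary>?
# PAN is 13-19 digits, '=' is the field separator, then expiry (YYMM), a
# 3-digit service code and optional discretionary data up to the '?' sentinel.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check every major card brand uses; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(buf: bytes) -> list:
    """Return (PAN, expiry YYMM) for every Luhn-valid Track 2 record in buf.

    This is the matching logic of a RAM scraper; the malware described above
    feeds it process memory, this example feeds it a constructed byte string.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((pan, m.group(2).decode() + m.group(3).decode()))
    return hits


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a slice of POS process memory. The PANs are the
# public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444; the
# 1234567890123456 run looks like a card but fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00TXN 0012 \x00"
    b";4111111111111111=15121011000012345678?\x00"
    b"receipt total 12.99 1234567890123456=1512101?\x00"
    b"\xff\xfe;5555555555554444=1606101000000000?\x00"
)

if __name__ == "__main__":
    for pan, exp in scrape_track2(SAMPLE_MEMORY):
        print(f"found {mask(pan)} exp {exp}")
```

The same pattern plus Luhn filter is what a DLP or IDS sensor would run over outbound traffic from a till: a stream of Luhn-valid 16-digit strings with `=` separators leaving a POS host is the exfiltration the article describes.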
They even, he claims, managed to establish a control server inside Target's internal network that served as a central repository for data harvested by all of the infected point-of-sale devices.
According to James Forshaw, Head of Vulnerability Research with Context IS, Krebs linked to a US-CERT advisory in his report that offers sound advice on how EFTPOS terminals can be deployed securely.
"Many tills seen in Target's stores appear to be Windows-driven units and Brian says that data from these units was memory scraped," he said, adding that the data was then egressed to the criminals' command-and-control server.
This type of behaviour, he told SCMagazineUK.com, can be countered through the use of inbound/outbound firewalls, as well as deploying good Ethernet or IPsec security measures.
Embedded operating systems - such as those seen in bank ATMs - he says, would also not protect against malware insertions, as even the best embedded systems have no lockdown technologies in place, meaning that a compromised version of the operating system could be installed.
"The most interesting takeout from this story for me is that the Target systems were a networked POS (Point of Sale) system, using a centralised network. Ideally such a network should be fully PCI compliant," he said, adding that it remains to be seen whether this is the case.
Peter Wood, CEO of First Base Technologies, the pen testing specialist, said he was equally interested to read Krebs' latest report, adding that the criminals appear to have staged a series of attacks on Target's POS terminals.
"In some instances we have seen, thieves have used social engineering techniques to swap out the entire hardware of the PIN and EFTPOS terminals. This, however, is the first time we've seen a software-driven attack," he said.
"We have had a few clients that have been concerned about being hit by a malware attack of this type. Really, the only way to defend against this is to install network analysis technology within the corporate internal network. So often, we've found that external attacks are blocked, yet the company has little or no internal network analysis and security systems in play," he added.
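The internal staging server Krebs describes, the outbound firewalling Forshaw suggests and the internal network analysis Wood recommends all come down to the same question: which hosts is a till allowed to talk to? The following is an added example, not code from any of the people quoted, that encodes a hypothetical allow-list for a POS VLAN and runs it over constructed NetFlow-style records. The subnet, the server addresses and every flow below are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical layout: tills live in 10.20.0.0/16 and should only ever reach
# the payment switch and the software-distribution share. An outbound firewall
# rule on each till would encode exactly this table.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_DST = {
    ipaddress.ip_address("10.1.1.10"): {443},   # payment switch / authorisation host
    ipaddress.ip_address("10.1.1.20"): {445},   # software distribution share
}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def check_flow(src: str, dst: str, dport: int):
    """Return a reason string if the flow breaks policy, else None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in POS_SUBNET:
        allowed = ALLOWED_DST.get(dst_ip)
        if allowed is None or dport not in allowed:
            return f"POS host {src} -> unexpected destination {dst}:{dport}"
    if is_internal(src_ip) and not is_internal(dst_ip):
        return f"internal host {src} -> external {dst}:{dport}"
    return None


def analyse(flows, min_sources: int = 3):
    """flows: iterable of (src, dst, dport, bytes).

    Returns (alerts, collectors): alerts lists every policy violation, and
    collectors maps each non-allowed internal host to the number of distinct
    tills that sent it data, which is the signature of a central staging server
    gathering harvested card data from many POS devices.
    """
    alerts = []
    sources_by_dst = defaultdict(set)
    for src, dst, dport, nbytes in flows:
        reason = check_flow(src, dst, dport)
        if reason:
            alerts.append(f"{reason} ({nbytes} bytes)")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in POS_SUBNET and dst_ip not in ALLOWED_DST:
            sources_by_dst[dst].add(src)
    collectors = {dst: len(srcs) for dst, srcs in sources_by_dst.items()
                  if len(srcs) >= min_sources}
    return alerts, collectors


# Constructed flow records (src, dst, dst_port, bytes); not real Target traffic.
SAMPLE_FLOWS = [
    ("10.20.3.11", "10.1.1.10", 443, 2100),       # till authorising a sale: normal
    ("10.20.3.12", "10.1.1.20", 445, 8800),       # till pulling an update: normal
    ("10.20.3.11", "10.5.7.200", 445, 48000),     # till writing to an internal share
    ("10.20.3.12", "10.5.7.200", 445, 51000),
    ("10.20.4.40", "10.5.7.200", 445, 47000),
    ("10.5.7.200", "203.0.113.45", 21, 1500000),  # that share uploading to the internet
    ("10.1.1.20", "10.20.3.12", 445, 9000),       # server pushing to a till: not a POS source
]

if __name__ == "__main__":
    alerts, collectors = analyse(SAMPLE_FLOWS)
    for a in alerts:
        print("ALERT", a)
    for host, n in collectors.items():
        print(f"COLLECTOR {host} received data from {n} tills")
```

Two things the flow view shows that a perimeter firewall does not: the tills never touch the internet themselves, so only the internal hop to the staging host gives them away, and the staging host's own upload is the single flow that crosses the edge. Both are visible only if internal flows are collected, which is the gap Wood describes.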