POS Systems Targeted in Retailer Data Thefts

The hackers responsible for the wave of breaches at big retailers this holiday season very likely began testing a method to infect thousands of point-of-sale systems in big retail chains in January 2013.

"This is a well-funded adversary taking their time to develop very specific malware to go after very specific targets and a big payday," says Chris Petersen, chief technology officer at security intelligence firm LogRhythm. "This is organized crime applied to cybercrime."

Last April, Visa issued an alert to retailers about network intrusions targeting POS data at grocery merchants in early 2013. The technique described by the payment card giant involved installing a memory-parsing program on Windows-based cash register systems and back-of-house (BOH) servers. The malware was designed to scrape, from the memory of the POS software, the data read from the magnetic stripe of payment cards during transactions, which is where that data sits unencrypted even when it is encrypted on disk and on the wire.
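The reason memory parsing works is that the track data read from a card's magnetic stripe has a fixed, recognizable layout (ISO/IEC 7813 Track 1 and Track 2), so a program that walks the memory of the POS process can pick it out with a pattern match and confirm each candidate with the Luhn check on the card number. The following scanner, added here as an illustration and not code from the article or from Visa's alert, runs that same logic over a constructed memory buffer, the way a forensic analyst would over a dump of a suspect POS process to confirm whether card data was exposed. The buffer and the card numbers in it are constructed (published test numbers, not real cards), and the output masks the PAN so the tool itself does not leak what it finds.

```python
import re

# Constructed sample: a synthetic slice of POS process memory holding two
# well-formed track records and one decoy whose number fails the Luhn check.
# The PANs are published test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00TransactionRecord\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"   # Track 1, format B
    b"\x00\x00junk\x00junk\x00"
    b";5555555555554444=25121011000000000?"                # Track 2
    b"\x00\x00"
    b";1234567890123456=25121011000000000?"                # looks like Track 2, fails Luhn
    b"\x00\x00"
)

# Track 1 (format B): %B<PAN>^<name>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^\?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^\?]*)\?")


def luhn_valid(pan: bytes) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10 == 0."""
    digits = [int(c) for c in pan.decode("ascii")]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # these are the digits at even distance from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep the first six (issuer) and last four digits; mask the rest."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_for_track_data(buf: bytes) -> list[dict]:
    """Return every Track 1/Track 2 record in buf whose PAN passes Luhn, by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_valid(m.group(1)):
            hits.append({
                "track": 1,
                "offset": m.start(),
                "pan": mask_pan(m.group(1)),
                "name": m.group(2).decode("ascii"),
                "expiry": m.group(3).decode("ascii"),
                "service_code": m.group(4).decode("ascii"),
            })
    for m in TRACK2_RE.finditer(buf):
        if luhn_valid(m.group(1)):
            hits.append({
                "track": 2,
                "offset": m.start(),
                "pan": mask_pan(m.group(1)),
                "expiry": m.group(2).decode("ascii"),
                "service_code": m.group(3).decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

The Luhn filter matters in practice: without it, any 16-digit number followed by `=` and a plausible date (a timestamped record identifier, a log sequence) shows up as a false positive, which is noise for the analyst and wasted exfiltration for the attacker. Run against a real dump, the same function would take the bytes of a process memory image rather than the constructed buffer above.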

By last November, security analysts and forensic investigators were quietly discussing cases of big retail chains getting hit by memory-parsing attacks, says Avivah Litan, banking security analyst at Gartner.

"I can't give you names, but there were others hit," Litan says. "Target got hit the biggest."

The breaches of customer databases at Target, Neiman Marcus and other yet-to-be-disclosed retail chains have all the earmarks of the methodical, multi-stage intrusion style used in cyber espionage and known as an Advanced Persistent Threat (APT).

An APT attack often begins with intelligence gathering. The attackers tap search engines and social media sites to build dossiers on employees likely to have privileged access to wide parts of a company network. Personalized e-mails carrying a malicious PDF attachment or Web link are then sent to those people. A tried-and-true ruse: spoof a message from the target's superior so that the subordinate, following what looks like an order from the boss, opens the malicious payload.

With a valid username and password for the right account, the attackers gain privileged access to sensitive databases and internal applications, and from there can reach the POS systems themselves.

"This is a huge wake-up call for companies to think about security from...
