The scope of the Christmastime Target credit card heist keeps growing as digital detectives track one of the most audacious tech age heists in history to a Russian teenager who tweaked a piece of standard malware, and then sold the malicious code to dozens of Eastern European cyber-criminals.
Target is bracing for a backlash of lost sales after reporting that over 70 million credit cards and other pieces of customer data were compromised during the heaviest shopping period of the year. The thieves grabbed everything – card numbers, pin numbers, security codes – as they were able to gain direct access to the so-called point of service, or POS, terminals familiar to every shopper.
Now, a report from some of the world’s top cyber-detectives suggests that six other retailers may also have been breached. They have not yet been named, although Neiman-Marcus’ disclosure of a breach last week may be connected.
For some American consumers and the big retailers, the thefts helped sour the Christmas season, raising ire and forcing Target, and now perhaps others, to downsize sales expectations for the coming year and reassess their digital security.
Meanwhile, the stolen data is being sold and bought on underground data auctions for around $100 a pop, meaning that consumers are left to sop up the potential credit mess. More broadly, the new revelations suggest that “cybercriminals are still finding gaps in industry security … and how payment card data is handled,” writes Jeremy Kirk in Computer World.
New information from Internet surveillance firms show just how audacious was the heist – basically a one-swipe pickpocket of nearly a quarter of America’s population. And the trail leads to Russia, and a 17-year-old hacker known only as “ree4,” writes Andrew Komarov, the CEO of the cyber-intelligence firm IntelCrawler, in a number of posts. Meanwhile, dozens of attorneys general have launched their own investigations into how Target was duped.
According to security experts, Ree4 took a standard piece of malware known in Russian as “kaptoxa,” Russian slang for “potato,” tweaked it and renamed it BlackPos. The software, which apparently can slip through the staunchest defenses undetected, was first discovered by digital forensic experts last March.
Ree4 sold the software for $2,000 or a 50 percent cut of the profits to about 40 Eastern European hackers, according to Mr. Komarov.
Those hackers, in turn, may have used so-called “brute force” tactics – throwing millions of possible passwords at retail servers until one breaks the code – and then took control of the swipe machine at the counter.
In its Jan. 14 analysis, iSight Partners, a Dallas-based information security firm now advising the US Secret Service, wrote that the attack was two-pronged.
“First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details,” the firm writes. “Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.”
“The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity,” according to the report.
Last week, Target executives announced the No. 3 retailer would be spending $5 million for a consortium of digital security think tanks to help prevent similar attacks in the future.
“Cybersecurity is fast becoming one of the biggest marketplace challenges for businesses, and a huge concern for their customers,” said Mary Power, president and CEO of the Council of Better Business Bureaus, in a statement.
The fact that hackers may have used what’s been called “bargain basement” software to steal credit cards right from under shoppers’ noses may not help immediately stanch what’s become a steady wave of criticism of Target and its handling of the breach.
But the new revelations could ultimately lead retailers to search for more reliable ways to get paid than the point-of-service terminals that are now, despite their ubiquity, apparently increasingly vulnerable.
“Target itself would do well to find the best such alternative and implement it in a high-profile way,” writes Anthony Wing Kosner, in Forbes. “Disruption, however, may be the last thing this beleaguered retailer is thinking about at the moment as it hopes to maintain business as usual.”