Insights Emerging on 'Black Friday' POS-based Data Breaches

By Peter Bernstein January 16, 2014

While Target and Neiman-Marcus remain basically silent about their recent data breaches, especially the now infamous “Black Friday” attack, some pertinent information and insights are starting to emerge from the pros looking into this and the entire area of point-of-sale (POS) cyber attacks that are noteworthy. 

With a tip of the hat to iSIGHT Partners, the tools and sophistication of hackers and the vulnerabilities exposed by the recent high-profile data breaches are cause for consternation. They also tend to cast doubt on the continued assurances from Target that they now have things under control, and cry out for a deep technical clarification as to why these assurances care factual.  

Not your “bargain basement” malware

The story making the rounds is that so-called “bargain basement” malware was (pardon the expression) the root cause of the Black Friday data breach. As iSIGHT Partners, working with the U.S. Secret Service has determined, that is not exactly accurate.  They explain, “A persistent, wide-ranging, and sophisticated operation is responsible for malicious software on a number of point-of-sale (POS) systems at retail organizations – this is not just your run-of-the-mill hack.”

How do they know what they know?

According to a need-to-know report released by Federal law enforcement, the software, KAPTOXA (Kar-Toe-Sha), was developed in early 2013. It is the prime suspect here, and the bad news is that the code contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics.  KAPTOXA conceals all data transfers and executions that may have been run. This makes it much harder to detect.

At a high level iSIGHT Partners says there are a few salient items that deserve public visibility given what they know thus far.  First is that many retail organizations may not know that they have been infected, or that they have already lost data.  They go on to say that the identification and dissection of the malicious code provides three immediately important insights:

  1. Recent retailer data breaches may not have been targeted attacks, but may well be part of a broader data theft scheme focused on many operators of point-of-sale systems
  2. The scope, scale, and reach of recent data breaches is not yet known
  3. The attack method represents a new evolution in eCrime, with financially-motivated cyber criminals adopting methods from more sophisticated actors

In what is a “must read” for those seeking the latest insights, the iSIGHT Partners blog on the subject is compelling.  What you need to focus on are the FAQs. Putting aside the ones regarding what this means and the types of data taken, I have pulled out two that resonate.

How does it work? The malicious software, a Trojan, was used as part of a sophisticated attack. It infects local point-of-sale (POS) terminals and monitors POS software for sensitive information. When it finds information, it saves that data to a local file, and then attempts to transfer it over the Internet to receiving parties at a set time. It then deletes the local file to cover its tracks. Most importantly, this malicious software has the ability to receive and execute raw commands over the network. This means it can change, evade discovery, and hide the extent of data theft.

Is the Krebs report accurate? (a reference to work done by security expert Brian Krebs The article states that the malware used in the Target breach was “nearly identical” to a type of POS malware known as “BlackPOS.” However, we believe this is a misleading oversimplification…”

Because of the incredible sensitivity of all of the activities revolving around the investigation of these attacks, iSIGHT Partners rightfully has said that it is not a liberty to address whether the attack hitting Target and Neiman Marcus is the one they have described. 

Their sharing highlights that the people who really need to know are retailers, and us, if trust is to be restored, not just for the current companies under siege but for any entity or person that uses POS terminals as the medium for financial transactions. 

Edited by Blaise McNamee
Related Articles

Consumer Privacy in the Digital Era: Three Trends to Watch

By: Special Guest    1/18/2018

Digital advertising has exploded in recent years, with the latest eMarketer data forecasting $83 billion in revenue this year and continued growth on …

Read More

CES 2018: Terabit Fiber - Closer Than We Think

By: Doug Mohney    1/17/2018

One of the biggest challenges for 5G and last mile 10 Gig deployments is not raw data speeds, but middle mile and core networks. The wireless industry…

Read More

10 Benefits of Drone-Based Asset Inspections

By: Frank Segarra    1/15/2018

Although a new and emerging technology, (which is still evolving), in early 2018, most companies are not aware of the possible benefits they can achie…

Read More

VR Could Change Entertainment Forever

By: Special Guest    1/11/2018

VR could change everything from how we play video games to how we interact with our friends and family. VR has the power to change how we consume all …

Read More

Making Connections - The Value of Data Correlation

By: Special Guest    1/5/2018

The app economy is upon us, and businesses of all stripes are moving to address it. In this age of digital transformation, businesses rely on applicat…

Read More