Insights Emerging on 'Black Friday' POS-based Data Breaches

By Peter Bernstein January 16, 2014

While Target and Neiman-Marcus remain basically silent about their recent data breaches, especially the now infamous “Black Friday” attack, some pertinent information and insights are starting to emerge from the pros looking into this and the entire area of point-of-sale (POS) cyber attacks that are noteworthy. 

With a tip of the hat to iSIGHT Partners, the tools and sophistication of hackers and the vulnerabilities exposed by the recent high-profile data breaches are cause for consternation. They also tend to cast doubt on the continued assurances from Target that they now have things under control, and cry out for a deep technical clarification as to why these assurances care factual.  

Not your “bargain basement” malware

The story making the rounds is that so-called “bargain basement” malware was (pardon the expression) the root cause of the Black Friday data breach. As iSIGHT Partners, working with the U.S. Secret Service has determined, that is not exactly accurate.  They explain, “A persistent, wide-ranging, and sophisticated operation is responsible for malicious software on a number of point-of-sale (POS) systems at retail organizations – this is not just your run-of-the-mill hack.”

How do they know what they know?

According to a need-to-know report released by Federal law enforcement, the software, KAPTOXA (Kar-Toe-Sha), was developed in early 2013. It is the prime suspect here, and the bad news is that the code contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics.  KAPTOXA conceals all data transfers and executions that may have been run. This makes it much harder to detect.

At a high level iSIGHT Partners says there are a few salient items that deserve public visibility given what they know thus far.  First is that many retail organizations may not know that they have been infected, or that they have already lost data.  They go on to say that the identification and dissection of the malicious code provides three immediately important insights:

  1. Recent retailer data breaches may not have been targeted attacks, but may well be part of a broader data theft scheme focused on many operators of point-of-sale systems
  2. The scope, scale, and reach of recent data breaches is not yet known
  3. The attack method represents a new evolution in eCrime, with financially-motivated cyber criminals adopting methods from more sophisticated actors

In what is a “must read” for those seeking the latest insights, the iSIGHT Partners blog on the subject is compelling.  What you need to focus on are the FAQs. Putting aside the ones regarding what this means and the types of data taken, I have pulled out two that resonate.

How does it work? The malicious software, a Trojan, was used as part of a sophisticated attack. It infects local point-of-sale (POS) terminals and monitors POS software for sensitive information. When it finds information, it saves that data to a local file, and then attempts to transfer it over the Internet to receiving parties at a set time. It then deletes the local file to cover its tracks. Most importantly, this malicious software has the ability to receive and execute raw commands over the network. This means it can change, evade discovery, and hide the extent of data theft.

Is the Krebs report accurate? (a reference to work done by security expert Brian Krebs The article states that the malware used in the Target breach was “nearly identical” to a type of POS malware known as “BlackPOS.” However, we believe this is a misleading oversimplification…”

Because of the incredible sensitivity of all of the activities revolving around the investigation of these attacks, iSIGHT Partners rightfully has said that it is not a liberty to address whether the attack hitting Target and Neiman Marcus is the one they have described. 

Their sharing highlights that the people who really need to know are retailers, and us, if trust is to be restored, not just for the current companies under siege but for any entity or person that uses POS terminals as the medium for financial transactions. 

Edited by Blaise McNamee
Related Articles

Bloomberg BETA: Models Are Key to Machine Intelligence

By: Paula Bernier    4/19/2018

James Cham, partner at seed fund Bloomberg BETA, was at Cisco Collaboration Summit today talking about the importance of models to the future of machi…

Read More

Get Smart About Influencer Attribution in a Blockchain World

By: Maurice Nagle    4/16/2018

The retail value chain is in for a blockchain-enabled overhaul, with smarter relationships, delivering enhanced transparency across an environment of …

Read More

Facebook Flip-Flopping on GDPR

By: Maurice Nagle    4/12/2018

With GDPR on the horizon, Zuckerberg in Congress testifying and Facebook users questioning loyalty, change is coming. What that change will look like,…

Read More

The Next Phase of Flash Storage and the Mid-Sized Business

By: Joanna Fanuko    4/11/2018

Organizations amass profuse amounts of data these days, ranging from website traffic metrics to online customer surveys. Collectively, AI, IoT and eve…

Read More

Satellite Imaging - Petabytes of Developer, Business Opportunities

By: Doug Mohney    4/11/2018

Hollywood has programmed society into believing satellite imaging as a magic, all-seeing tool, but the real trick is in analysis. Numerous firms are f…

Read More