While Target and Neiman-Marcus remain basically silent about their recent data breaches, especially the now infamous “Black Friday” attack, some pertinent information and insights are starting to emerge from the pros looking into this and the entire area of point-of-sale (POS) cyber attacks that are noteworthy. 

With a tip of the hat to iSIGHT Partners, the tools and sophistication of hackers and the vulnerabilities exposed by the recent high-profile data breaches are cause for consternation. They also tend to cast doubt on the continued assurances from Target that they now have things under control, and cry out for a deep technical clarification as to why these assurances care factual.  

Not your “bargain basement” malware

The story making the rounds is that so-called “bargain basement” malware was (pardon the expression) the root cause of the Black Friday data breach. As iSIGHT Partners, working with the U.S. Secret Service has determined, that is not exactly accurate.  They explain, “A persistent, wide-ranging, and sophisticated operation is responsible for malicious software on a number of point-of-sale (POS) systems at retail organizations – this is not just your run-of-the-mill hack.”

How do they know what they know?

According to a need-to-know report released by Federal law enforcement, the software, KAPTOXA (Kar-Toe-Sha), was developed in early 2013. It is the prime suspect here, and the bad news is that the code contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics.  KAPTOXA conceals all data transfers and executions that may have been run. This makes it much harder to detect.

At a high level iSIGHT Partners says there are a few salient items that deserve public visibility given what they know thus far.  First is that many retail organizations may not know that they have been infected, or that they have already lost data.  They go on to say that the identification and dissection of the malicious code provides three immediately important insights:

1. Recent retailer data breaches may not have been targeted attacks, but may well be part of a broader data theft scheme focused on many operators of point-of-sale systems
2. The scope, scale, and reach of recent data breaches is not yet known
3. The attack method represents a new evolution in eCrime, with financially-motivated cyber criminals adopting methods from more sophisticated actors

In what is a “must read” for those seeking the latest insights, the iSIGHT Partners blog on the subject is compelling.  What you need to focus on are the FAQs. Putting aside the ones regarding what this means and the types of data taken, I have pulled out two that resonate.

How does it work? The malicious software, a Trojan, was used as part of a sophisticated attack. It infects local point-of-sale (POS) terminals and monitors POS software for sensitive information. When it finds information, it saves that data to a local file, and then attempts to transfer it over the Internet to receiving parties at a set time. It then deletes the local file to cover its tracks. Most importantly, this malicious software has the ability to receive and execute raw commands over the network. This means it can change, evade discovery, and hide the extent of data theft.

Is the Krebs report accurate? (a reference to work done by security expert Brian Krebs ) The article states that the malware used in the Target breach was “nearly identical” to a type of POS malware known as “BlackPOS.” However, we believe this is a misleading oversimplification…”

Because of the incredible sensitivity of all of the activities revolving around the investigation of these attacks, iSIGHT Partners rightfully has said that it is not a liberty to address whether the attack hitting Target and Neiman Marcus is the one they have described. 

Their sharing highlights that the people who really need to know are retailers, and us, if trust is to be restored, not just for the current companies under siege but for any entity or person that uses POS terminals as the medium for financial transactions.