Insights Emerging on 'Black Friday' POS-based Data Breaches


While Target and Neiman-Marcus remain basically silent about their recent data breaches, especially the now infamous “Black Friday” attack, some noteworthy information and insights are starting to emerge from the professionals looking into this incident and the wider area of point-of-sale (POS) cyber attacks.

With a tip of the hat to iSIGHT Partners, the tools and sophistication of the attackers, and the vulnerabilities exposed by the recent high-profile data breaches, are cause for consternation. They also tend to cast doubt on the continued assurances from Target that it now has things under control, and cry out for a deep technical clarification as to why these assurances are factual.

Not your “bargain basement” malware

The story making the rounds is that so-called “bargain basement” malware was (pardon the expression) the root cause of the Black Friday data breach. As iSIGHT Partners, working with the U.S. Secret Service, has determined, that is not exactly accurate. They explain, “A persistent, wide-ranging, and sophisticated operation is responsible for malicious software on a number of point-of-sale (POS) systems at retail organizations – this is not just your run-of-the-mill hack.”

How do they know what they know?

According to a need-to-know report released by Federal law enforcement, the software, KAPTOXA (Kar-Toe-Sha), was developed in early 2013. It is the prime suspect here, and the bad news is that the code contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics.  KAPTOXA conceals all data transfers and executions that may have been run. This makes it much harder to detect.

At a high level, iSIGHT Partners says there are a few salient items that deserve public visibility given what they know thus far. First is that many retail organizations may not know that they have been infected, or that they have already lost data. They go on to say that the identification and dissection of the malicious code provides three immediately important insights:

  1. Recent retailer data breaches may not have been targeted attacks, but may well be part of a broader data theft scheme focused on many operators of point-of-sale systems
  2. The scope, scale, and reach of recent data breaches is not yet known
  3. The attack method represents a new evolution in eCrime, with financially-motivated cyber criminals adopting methods from more sophisticated actors

In what is a “must read” for those seeking the latest insights, the iSIGHT Partners blog on the subject is compelling.  What you need to focus on are the FAQs. Putting aside the ones regarding what this means and the types of data taken, I have pulled out two that resonate.

How does it work? The malicious software, a Trojan, was used as part of a sophisticated attack. It infects local point-of-sale (POS) terminals and monitors POS software for sensitive information. When it finds information, it saves that data to a local file, and then attempts to transfer it over the Internet to receiving parties at a set time. It then deletes the local file to cover its tracks. Most importantly, this malicious software has the ability to receive and execute raw commands over the network. This means it can change, evade discovery, and hide the extent of data theft.
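The behaviour chain described above (stage stolen data to a local file, send it out at a set time, then delete the file) is something a defender can correlate in endpoint telemetry. The following is an added example, not code from the article or from iSIGHT Partners; the log format, the register hostnames, the allowlisted gateway address and the 203.0.113.45 destination (a documentation address) are all constructed for illustration.

```python
"""Correlate constructed POS endpoint events into alerts for the
file-stage -> outbound transfer -> file-delete pattern."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample telemetry from a hypothetical POS endpoint agent.
# Format: <timestamp> <host> <event> <argument>
EVENTS = """\
2013-11-29T02:00:01 pos-reg-07 file_create C:\\Windows\\Temp\\dump.tmp
2013-11-29T10:00:00 pos-reg-07 net_connect 203.0.113.45:443
2013-11-29T10:00:08 pos-reg-07 file_delete C:\\Windows\\Temp\\dump.tmp
2013-11-29T10:00:10 pos-reg-03 net_connect 10.20.30.40:8443
2013-11-29T11:30:00 pos-reg-03 file_create C:\\POS\\logs\\sales.log
"""
# Hypothetical allowlist: the internal payment gateway registers may reach.
ALLOWED_DESTS = {"10.20.30.40"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"(\S+) (\S+) (file_create|net_connect|file_delete) (\S+)")

def parse(text):
    """Turn log lines into (time, host, event, argument) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return out

def is_external(dest):
    """True for a destination outside the allowlist and the internal ranges."""
    host = dest.rsplit(":", 1)[0]
    if host in ALLOWED_DESTS:
        return False
    addr = ip_address(host)
    return not any(addr in net for net in INTERNAL_NETS)

def find_stage_exfil_delete(events, window_s=600):
    """Return (host, file, destination) for every host where a staged file
    is deleted within window_s seconds after an unapproved external connection."""
    alerts, by_host = [], {}
    for ev in sorted(events):
        by_host.setdefault(ev[1], []).append(ev)
    for host, evs in by_host.items():
        staged, last_ext = set(), None  # files created; (time, dest) of last external connect
        for ts, _, kind, arg in evs:
            if kind == "file_create":
                staged.add(arg)
            elif kind == "net_connect" and is_external(arg):
                last_ext = (ts, arg)
            elif kind == "file_delete" and arg in staged and last_ext:
                if 0 <= (ts - last_ext[0]).total_seconds() <= window_s:
                    alerts.append((host, arg, last_ext[1]))
    return alerts
```

The register that talks only to the allowlisted gateway produces no alert; a real deployment would feed the same correlation from EDR or Sysmon-style file and network events rather than a constructed string.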

Is the Krebs report accurate? (a reference to work done by security expert Brian Krebs) “The article states that the malware used in the Target breach was ‘nearly identical’ to a type of POS malware known as ‘BlackPOS.’ However, we believe this is a misleading oversimplification…”

Because of the incredible sensitivity of all of the activities revolving around the investigation of these attacks, iSIGHT Partners rightfully has said that it is not at liberty to address whether the attack hitting Target and Neiman Marcus is the one they have described.

Their sharing highlights that the people who really need to know are retailers, and us, if trust is to be restored, not just for the current companies under siege but for any entity or person that uses POS terminals as the medium for financial transactions. 

Edited by Blaise McNamee