Target US Stores Suffer Massive Data Breach UPDATED

Target US Stores Suffer Massive Data Breach UPDATED

Update:01/13 – Target CEO and President Gregg Steinhaffel confirmed in an interview with CNBC that the store’s PoS (point-of-sale) terminals were infected with malware, which has since been removed. “What we do know was there was malware installed on our point-of-sale registers. That much we’ve established,” he said during the interview. “We removed that malware so that we could provide a safe and secure shopping environment.”

Read the full letter that’s currently being given to Target shoppers below.

target_letter
 Image: Joe Raedle/Getty Images

Update:12/30 – Target has verified that PIN numbers were stolen during the breach. However, Target representatives have stated this information—along with customer names and card numbers—was all encrypted within their systems.

Nevertheless, we would recommend both card and PIN numbers be changed if you were a victim during the attack.

ORIGINAL STORY:

By now you may have heard reports about a security breach affecting some 40 million customer debit/credit cards used at the Minneapolis-based retail store Target.

TargetLogo

Initial reports of the breach had stated it started sometime around Black Friday. Security expert Brian Krebs was one of the first to report on the incident, and the story was featured on Good Morning America today.

“From the bad guy’s perspective, that is the perfect day to launch an attack,” Krebs said of the Black Friday attack. “The more traffic you have, the more deals you have. [You have] more people swiping their cards.”

Krebs also mentioned how cyber-criminals may be able to reproduce cards belonging to victims of the breach, provided they criminals had access to PIN data along with the stolen numbers contained on the magnetic stripe.

Target, the second-largest retailer in the U.S., was quick to respond and published a blog this morning that confirms the attacks had occurred between November 27 and December 15.

“Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”

Considering this, it’s only natural to wonder how this could have happened, and continued for nearly three weeks. Unfortunately, there haven’t been many details released surrounding the breach.

Large-scale data breaches continue to be on the rise. In 2007, TJX, who owns T.J. Maxx and Marshalls, suffered a breach that compromised more than 45 million card numbers and reportedly cost the company $256 million.

But today’s breaches can be even more threatening, and even streamlined with the adaption of PoS (Point of Sale) malware like ‘Dexter’.

Dexter was first discovered about a year ago by Israeli security researchers at Seculert. The malware works by scanning processes in PoS systems and looking within memory dumps for Track1 or Track2 credit card information (tracks contain data within the magnetic stripe of a card).

background, banking, business, buy, card, chip, commercial, credit, currency, customer, debt, electronic, finance, hand, isolated, keypad, machine, mobility, money, motion, paying, payment, pin, plastic, pos, pos-terminal, processing, purchase, reader, retail, sale, shopping, smart, store, technology, terminal, white

Dexter campaigns are still on the move, and the malware has since undergone several version revisions.

One version of the malware is known as “Stardust”, and has recently been spotted being used as a botnet that affecting more than 20,000 payment cards, according to InterCrawler.

The folks at Arbor networks have done a good job tracking the malware’s development along with its campaigns, and summarizes a lot of good information about it here.

Another type of PoS malware is known as “vSkimmer” and was discovered by McAfee earlier this year. The vSkimmer malware works by creating a processes “whitelist”, and then scanning those processes not on the whitelist, looking to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}\??” to extract any credit card information on the device.

Along with PoS malware, there are also reports of PoS hacking have also emerged. Back in 2012, two Romanian hackers plead guilty to over $10 million dollars of theft from Subway restaurants. The two hackers would crack passwords on PoS terminals and then install keyloggers and sniffers to collect payment card data.

It’s easy to speculate that something similar might have happened with Target, although the details of the breach are currently not available.

The investigations is ongoing, and hopefully with more information to come in the days following. Target has also confirmed they’ve reached out to a third-party forensics firm, which will likely provide more details.

In light of these events, however, consumers are likely wondering how to keep themselves out of a cyber-criminal’s hands. While this list is far from being exhaustive, there are some easy steps our readers can take to help maintain their own financial security.

  • Don’t use your card at a business you don’t trust
  • Change your card numbers at least once per year, even if it’s not expired
  • When making online purchases, avoid storing your card information, and ensure your submitted transactions are over a secure connection.
  • If a data breach has occurred somewhere you’ve recently shopped, change your number right away, and monitor your credit report and bank accounts frequently until the dust settles.

We’ll keep you updated here as we learn more.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. Follow him on Twitter @joshcannell

ABOUT THE AUTHOR

Joshua Cannell

Malware Intelligence Analyst

Gathers threat intelligence and reverse engineers malware like a boss.