Federal Investigators Warn Retailers: If You Have a POS System in Operation, You May be at Risk

Hang on to your credit cards and start checking your free credit reports: The latest news about retail breaches is not good.

Numerous sources are now reporting that the recent Target and Neiman Marcus data breaches may be the tip of the cyber heist iceberg, and there are likely more related breaches that have not yet been announced.

Writing in BankInfoSecurity, Tracy Kitten reports that banks that issue credit cards say fraud patterns may reveal additional breaches at other well-known brands—possibly a leading hotel company and a restaurant chain. Banks are often the first ones to detect retail breaches, even before the merchants themselves realize what is happening.

Target CEO Gregg Steinhafel confirmed that the breach his company suffered during the busy holiday shopping season was caused by malware installed on point-of-sale devices at Target stores. However, Target is not alone in its misery. The Wall Street Journal is reporting that federal and private investigators are notifying financial services companies and retailers that the Target breach is part of a broad and highly sophisticated international hacking campaign against multiple retailers.

The cybersecurity company iSight Partners Inc. is working with the U.S. Department of Homeland Security to investigate the campaign. They are not yet releasing details of their ongoing investigation to the public, but they have issued warnings to merchants about malicious software that potentially has infected a large number of retail information systems.

The malware, dubbed KAPTOXA (Kar-Toe-Sha), is partially written in Russian, leading investigators to believe the attacks may have ties to organized crime in the former Soviet Union. Other revelations from the investigation include:

  • The malware that infected Target's credit card readers had been on the black market since early 2013 and was partly written in Russian.
  • The malware used in the attack could not be detected by antivirus software.

In a Wired magazine article, Kim Zetter outlined how the malware works:

The malware is a memory-scraping tool that grabs card data directly from point-of-sale terminals and stores it on the victim’s own system for later retrieval.

The tool monitors memory address spaces used by specific programs, such as payment application programs like pos.exe and PosW32.exe that process the data embossed in the magnetic stripe of credit and debit cards. The tool grabs the data from memory because some companies transmit card data via a secured channel inside their corporate network, which would prevent the attackers from sniffing the data in transit.

The siphoned data is stored on the system, and then every seven hours the malware checks the local time on the compromised system to see if it’s between the hours of 10 a.m. and 5 p.m. If so, it attempts to send the data over a temporary NetBIOS share to an internal host inside the compromised network so the attackers can then extract the data over an FTP — file transfer protocol — connection.
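The staging behaviour described above (a POS terminal pushing data to a temporary share on an internal host during the 10 a.m. to 5 p.m. window, followed by that host opening an outbound FTP connection) is something a defender can hunt for in network and host telemetry. The following is an added example, not code from the article or from the investigators; the event format, the `POS-` host naming and the one-hour follow-up window are assumptions, and the sample events are constructed.

```python
"""Correlate constructed POS-network events to flag the staging pattern
described in the write-up: a POS terminal creates a temporary share on an
internal host during business hours, and that host then connects out via FTP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields: timestamp, event, src, dst.
SAMPLE_EVENTS = [
    ("2013-12-02 10:15:00", "share_create", "POS-0142", "FILESRV-09"),
    ("2013-12-02 10:15:20", "smb_write",    "POS-0142", "FILESRV-09"),
    ("2013-12-02 10:16:05", "share_delete", "POS-0142", "FILESRV-09"),
    ("2013-12-02 10:40:00", "ftp_connect",  "FILESRV-09", "203.0.113.7"),
    ("2013-12-02 22:10:00", "share_create", "POS-0077", "FILESRV-09"),
    ("2013-12-02 03:00:00", "ftp_connect",  "BACKUP-01", "192.0.2.10"),
]
POS_PREFIX = "POS-"                  # assumption: POS terminals are named POS-nnnn
BUSINESS_HOURS = (10, 17)            # 10 a.m. to 5 p.m. window from the write-up
FOLLOW_WINDOW = timedelta(hours=1)   # assumption: FTP within one hour of the share

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def in_business_hours(ts):
    """True if the local-time hour falls inside the malware's exfil window."""
    return BUSINESS_HOURS[0] <= _parse(ts).hour < BUSINESS_HOURS[1]

def find_exfil_chains(events):
    """Return (pos_host, staging_host, ftp_dest) tuples for suspicious chains."""
    shares = defaultdict(list)  # staging host -> [(share time, POS host)]
    for ts, ev, src, dst in events:
        if ev == "share_create" and src.startswith(POS_PREFIX) and in_business_hours(ts):
            shares[dst].append((_parse(ts), src))
    hits = []
    for ts, ev, src, dst in events:
        if ev != "ftp_connect":
            continue
        t = _parse(ts)
        # Only flag FTP that follows a business-hours share from a POS terminal
        for share_time, pos_host in shares.get(src, []):
            if timedelta(0) <= t - share_time <= FOLLOW_WINDOW:
                hits.append((pos_host, src, dst))
    return hits

if __name__ == "__main__":
    for chain in find_exfil_chains(SAMPLE_EVENTS):
        print("suspicious staging chain:", chain)
```

The share created at 22:10 and the overnight backup FTP are left alone; only the business-hours share from POS-0142 followed by FILESRV-09's outbound FTP is reported.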

Experts with iSight have said “the operational sophistication of the compromise activity makes this case stand out. The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity.”

For Target, Neiman Marcus and apparently a few other merchants, the damage has been done. The question is whether or not other retailers will slam into this iceberg and sink.