Target says hackers got in by using a vendor’s credentials

library
crime | hacking | security

The hackers who spent the holiday season shopping with at least 70 million stolen credit- and bank-card numbers got at them through one of Target’s vendors, the retailer said on Wednesday.

Target spokeswoman Molly Snyder, as quoted by the Wall Street Journal:

We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor’s credentials which were used to access our system.

Target didn’t specify how the theft was carried out nor what portal the thieves crept in through to commit the massive theft, which Target first confirmed in mid-December.

But even though Target didn’t give any details of the theft-via-vendor news, its actions point to possible vectors.

Specifically, as the WSJ reported last week, shortly after learning of the attack, Target shuttered remote access to two internal systems: a human resources website called eHR and a database for suppliers called Info Retriever.

A spokeswoman told Network World that in order to secure its network, in addition to turning off remote access to platforms, Target has also updated access controls.

In-depth details that originally came out of the forensic investigation were later scrubbed by security firms, but security blogger Brian Krebs has published copies of the original reports.

At this point, the US Department of Justice (DOJ) is investigating the breach, Attorney General Eric Holder told the US Senate Judiciary Committee on Wednesday.

The DOJ typically doesn’t discuss matters under investigation, Holder said, but it’s making an exception in the case of this massive breach.

He said:

We are committed to working to find not only the perpetrators of these sorts of data breaches – but also any individuals and groups who exploit that data via credit card fraud.

The theft, which apparently started the day before Thanksgiving, 27 November, and reached through the heart of Christmas shopping mania up until 15 December, involved the breach of data including customer names, credit or debit card numbers, card expiration dates, and CVVs (cards’ three-digit security codes).

Target admitted a few weeks ago that it found malware on its point-of-sale (PoS) systems.

Welcome to the poisoned-PoS club, Target. You join recently victimised retailers including craft store Michaels and US luxury retailer Neiman Marcus.

In fact, PoS theft is becoming so widespread that the US Federal Bureau of Investigations (FBI) recently warned retailers about it, saying that it’s been seeing the same type of malware cropping up since 2011.

The agency said that over the past year, it’s seen about 20 cases in which data was stolen using the same type of malware as that inserted onto Target’s credit and debit card swiping-machines, cash registers and other PoS equipment.

It’s not going away anytime soon, that’s for sure: the FBI says the profits are huge, and the PoS malware is both too cheap and too widely available on underground markets for thieves to resist.

Mind you, we don’t actually know yet whether rigged PoS devices are behind either the Target breach or the one that hit Michaels.

It certainly wouldn’t knock anybody’s socks off if PoS malware were to be involved, though.

As SophosLabs researcher Numaan Huq describes in an article about RAM scraper malware, this type of card fraud is ripe for setting us up to get card data plucked from our hands if we pull out the plastic to buy so much as a bar of chocolate.

In fact, “Buy candy, lose your credit card” is the name of a 2014 RSA security conference session in which Numaan and Chester Wisniewski will be presenting a paper on the industrialization of this particular type of card fraud, in February.

I highly recommend reading Numaan’s article about RAM scrapers. It lifts the hood on what one would imagine would/should be end-to-end encryption in PoS systems.