Hackers responsible for carrying out a massive theft of credit and debit card information from the retailer Target likely used sophisticated variations of tools that have been circulating in the computer underground for a long time, according to report prepared by cyber security firm iSIGHT Partners and the U.S. Department of Homeland Security.
The report explained that malware aimed at “point of sale,” or POS, machines is sold in black markets and is generally well-known to law enforcement. The popularity of the software, iSIGHT said, may lead to a demand for more custom-made attack tools. In July of 2013 in one marketplace for freelance hackers — think of it as a Craigslist for criminals — as many as 20 percent of the ads were for the creation of POS malware.
In 2010, the average bid for programmers on these programs ranged from $425 to $2,500 during the first half of the year, and by the end of the year had risen to $6,500, according to the report. It doesn’t mention the going rate now.
The report, reviewed by Re/code, named the malware used to hijack the account information as Trojan.POSRAM. As previously reported, the program is known more commonly as a RAM scraper, which captures credit card numbers during a vulnerable moment in the transaction process, when they’re stored unencrypted in the memory of a payment system server.
“The malware is configured to ‘hook’ into these payment application programs to monitor the information they process in memory,” the report says. “These programs are responsible for processing authorization data, which includes full magnetic stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or backend server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data [credit card numbers] when it is stored in RAM and using the RAM-scraping malware to steal it.”
RAM scrapers have been seen in computer security attacks for years. The malware would save credit card numbers into a file, and then send it on to another server, usually a compromised server on the target company’s internal network, which could then be accessed remotely. All of this is standard behavior of RAM-scraping malware.
The sophistication occurred in how the attackers got the data out of the compromised system. The attackers used NetBIOS, an API typically found in networking equipment. They employed what the report describes as “raw commands” to move data around Target’s internal network, and thus worked around standard methods for monitoring network activity. That would have prevented the attackers from being detected.
“This tactic is innovative and new,” the report says. “While some components of the POS data breaches were not technically sophisticated, the operational components were. The cyber criminals displayed innovation and a high degree of skill in orchestrating the various components of the breaches.”