Hackers responsible for carrying out a massive theft of credit and debit card information from the retailer Target likely used sophisticated variations of tools that have been circulating in the computer underground for a long time, according to report prepared by cyber security firm iSIGHT Partners and the U.S. Department of Homeland Security.

The report explained that malware aimed at “point of sale,” or POS, machines is sold in black markets and is generally well-known to law enforcement. The popularity of the software, iSIGHT said, may lead to a demand for more custom-made attack tools. In July of 2013 in one marketplace for freelance hackers — think of it as a Craigslist for criminals — as many as 20 percent of the ads were for the creation of POS malware.

In 2010, the average bid for programmers on these programs ranged from $425 to $2,500 during the first half of the year, and by the end of the year had risen to $6,500, according to the report. It doesn’t mention the going rate now.

The report, reviewed by Re/code, named the malware used to hijack the account information as Trojan.POSRAM. As previously reported, the program is known more commonly as a RAM scraper, which captures credit card numbers during a vulnerable moment in the transaction process, when they’re stored unencrypted in the memory of a payment system server.

“The malware is configured to ‘hook’ into these payment application programs to monitor the information they process in memory,” the report says. “These programs are responsible for processing authorization data, which includes full magnetic stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or backend server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data [credit card numbers] when it is stored in RAM and using the RAM-scraping malware to steal it.”

RAM scrapers have been seen in computer security attacks for years. The malware would save credit card numbers into a file, and then send it on to another server, usually a compromised server on the target company’s internal network, which could then be accessed remotely. All of this is standard behavior of RAM-scraping malware.

The sophistication occurred in how the attackers got the data out of the compromised system. The attackers used NetBIOS, an API typically found in networking equipment. They employed what the report describes as “raw commands” to move data around Target’s internal network, and thus worked around standard methods for monitoring network activity. That would have prevented the attackers from being detected.

“This tactic is innovative and new,” the report says. “While some components of the POS data breaches were not technically sophisticated, the operational components were. The cyber criminals displayed innovation and a high degree of skill in orchestrating the various components of the breaches.”


Wasn't the the Verifone CEO trashing Square for not being secure? Almost all the terminals at Target are VeriFone. Have they responded yet?


Seems to me that the logical path of defense is to have a team dedicated to "PEN" testing in the extreme. ie; the team would attempt the "unthinkable" then derive detection and protection protocols.

Of course the team members would have to be incarcerated in something like Guantanamo, Alcatraz or Glasgow AFB, Montana (now decommissioned.)

Or!! The arrested and convicted bad guys could be paid millions of YEN to conduct war against the rouge bad guys. Paid a bounty for each one they catch and is subsequently convicted.

Of course all trials would be conducted in Iran under Sharia Law and Punishment.


More interestingly, how did the bad guys get software onto the POS terminals?    That seems like the harder part of the hack.     One would assume that if the bad guys can get software running on these POS terminals deep inside of a company network, they will figure out how to get the information out.

Has the government issued report been posted on the Internet?   Has only its existence been leaked?    All software developers can probably learn a thing or two from reading this mysterious report.


@stow That's an issue I would like to see clarified as well.  The article above implies that the malware was not on the PoS terminals, but rather on the payment processing terminals.  But I've seen other write-ups of the report that indicated the malware resided on the terminals themselves.  I would have to believe that the former is far more logistically feasible.


Get every new post delivered to your Inbox.

Join 309,301 other followers