Page 39 - GS140201

Cover Story
The BlackPOS attack vector

Security firm IntelCrawler reported that the malware used in the Target attack was inexpensive, off-the-shelf software called BlackPOS. According to IntelCrawler researchers, BlackPOS was created by a Russian teenager in March 2013 and was originally called Kaptoxa, which is Russian slang for "potato."

BlackPOS was first used to infect POS environments in Australia, Canada and the United States, the researchers found. Over 40 variations of BlackPOS have reportedly been sold via black market sites to fraudsters in Eastern Europe and other countries. The BlackPOS creator apparently sold the malware for $2,000 per copy or 50 percent of the profits from the sale of hacked credit card numbers. Payment was arranged through the alleged money laundering organization Liberty Reserve, which was shut down in May 2013 by U.S. authorities.

Threat landscape in the crosshairs

Target confirmed that its recent hack was the result of malware loaded onto Target's POS terminals. But Bloodworth said the only way that malware could have been installed was by hackers first gaining access to Target's back-end network.

A webinar held Jan. 15, 2013, and hosted by the law firm of Baker & Hostetler LLP detailed the types of malware attacks prevalent today. In Managing Cardholder Data Security Risks in an Evolving Payments Landscape, Marshall Heilman, Principal Consultant at Mandiant Corp., outlined several variants of "RAM scraper" attacks: memory scraping malware that can be injected directly into the software of POS terminals or, more commonly, into retailers' back-office servers connected to those terminals. Memory is the target because a POS application typically handles the card's track data in plaintext while it is processing a transaction, however well that data is protected on disk and on the wire.

"It's smarter for the attacker to install the malware on the point-of-sale server," Heilman said. "That way he can harvest all cards processed at that single store rather than having to do each register individually."

Another popular attack vector is called backdoor variant #2. Heilman said it is malware disguised as a common server application, such as the Apache Benchmark utility, that runs surreptitiously in the background and steals data.

But a simpler attack, called backdoor variant #3, involves a fraudster who gains access to a so-called secure environment where sensitive data is stored, for example a retailer's virtual private network that conveys transaction data. Hackers obtain system administrator credentials, such as login name and password, to pose as legitimate users logging into systems remotely, Heilman said.
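What a RAM scraper actually looks for is simpler than it sounds: magnetic-stripe track data has a fixed shape, so the malware sweeps process memory for that shape and keeps whatever passes a card-number check digit test. The scan below is an added example written for this page, not BlackPOS code or anything from the researchers quoted here. It applies the published Track 1 and Track 2 layouts plus a Luhn check to a constructed memory buffer; a responder triaging a memory dump from a suspect POS host uses the same patterns. The function names, the sample buffer and the test PANs in it are all constructed for the example, not real cardholder data.

```python
import re

# Magnetic-stripe track layouts as the card brands define them:
#   Track 1: %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# A RAM scraper sweeps process memory for these shapes; a responder
# triaging a memory dump from a suspect POS host does the same.
TRACK1_RE = re.compile(
    rb"%?B(\d{13,19})\^([A-Z][A-Z /.\-]{0,25})\^(\d{2})(\d{2})\d{3}[^?\x00]{0,40}\??"
)
TRACK2_RE = re.compile(
    rb"(?<!\d);?(\d{13,19})=(\d{2})(\d{2})\d{3}[^?\x00]{0,40}\??"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test that every real PAN passes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits, the most PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track_data(buf: bytes) -> list:
    """Return every Luhn-valid track record found in buf, PAN masked, ordered by offset."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                             "name": m.group(2).decode(),
                             "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}"})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                             "name": "",
                             "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    findings.sort(key=lambda f: f["offset"])
    return findings


# Constructed memory image (not a real POS dump): two records built from the
# card brands' published test PANs, one digit run that looks like Track 2 but
# fails Luhn, and an order number that is a 16-digit run with no track framing.
SAMPLE_MEMORY = (
    b"\x00\x00POS app heap\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00padding\x00"
    b"%B5555555555554444^DOE/JOHN^2606101000000000000?"
    b"\x00"
    b";4111111111111112=2512101000?"
    b"\x00log line: order 1234567890123456 total 19.99\x00"
)

if __name__ == "__main__":
    for hit in scan_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run as-is the scan reports exactly two records, the Visa-format Track 2 and the Mastercard-format Track 1, and ignores both the Luhn-failing run and the order number. The Luhn filter is what keeps a scraper's (or a responder's) output from drowning in false positives; it is also why "find the card numbers" is cheap enough that a $2,000 kit can do it.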
Another security researcher, Seculert, discovered that the BlackPOS attack on Target came in two stages. First, the malware infected Target's POS terminals and extracted cardholder data. The malware then remained undetected for six days before it began to transmit the stolen data to an external server via another infected machine within the Target network.

On further analysis, Seculert found that on Dec. 2, 2013, "the malware began transmitting payloads of stolen data to an FTP server of what appears to be a hijacked website." These transmissions apparently occurred several times per day over a two-week period. That information was then transmitted from the FTP server to a virtual private server in Russia. During that time, a total of 11 gigabytes of data was stolen, Seculert said. "While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected," the researchers added. "So far there is no indication of any relationship to the Neiman Marcus attack."
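The exfiltration pattern Seculert describes, one internal staging host pushing stolen data to a single external FTP server several times a day for two weeks, is exactly the kind of thing that stands out in egress flow logs if anyone is aggregating them per source and destination. The following is an added example written for this page, not Seculert's tooling and not Target's logs. It parses an assumed flow-record format, keeps only internal-to-external connections on FTP ports, and alerts on pairs that are busy on many days and move a lot of data in total; the record format, host addresses, function names and thresholds are all assumptions, and the sample records are constructed to match the description above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date, timedelta

# Assumed flow-record format (one connection per line):
#   <ISO timestamp> <src ip> -> <dst ip>:<dst port> bytes=<bytes sent>
FLOW_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

# RFC 1918 space counts as internal; everything else is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Return a dict for a well-formed record, None for anything else."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return {"day": m.group("day"), "src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "bytes": int(m.group("bytes"))}


def find_staged_exfil(lines, exfil_ports=(20, 21), min_days=5,
                      min_per_day=2, min_bytes=1_000_000_000):
    """Flag internal->external pairs on the watched ports that are active on at
    least min_days days with min_per_day transfers each and move min_bytes in
    total. Thresholds are illustrative; tune them to the site's own baseline."""
    pairs = defaultdict(lambda: {"per_day": defaultdict(int), "bytes": 0})
    for line in lines:
        f = parse_flow(line)
        if f is None or f["dport"] not in exfil_ports:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                      # only internal host -> Internet host
        rec = pairs[(f["src"], f["dst"])]
        rec["per_day"][f["day"]] += 1
        rec["bytes"] += f["bytes"]

    alerts = []
    for (src, dst), rec in pairs.items():
        busy_days = [d for d, n in rec["per_day"].items() if n >= min_per_day]
        if len(busy_days) >= min_days and rec["bytes"] >= min_bytes:
            alerts.append({"src": src, "dst": dst, "days": len(busy_days),
                           "transfers": sum(rec["per_day"].values()),
                           "gigabytes": round(rec["bytes"] / 1e9, 1)})
    return alerts


def build_sample_log():
    """Constructed records, not Target's logs: one internal staging host pushing
    to one external FTP server (a documentation-range address) three times a
    day for 14 days, about 11 GB in all, mixed with traffic that must not alert."""
    lines = []
    start = date(2013, 12, 2)
    for n in range(14):
        day = (start + timedelta(days=n)).isoformat()
        for hour in (2, 11, 19):
            lines.append(f"{day}T{hour:02d}:05:00 10.10.5.17 -> 203.0.113.45:21 bytes=262000000")
        lines.append(f"{day}T09:00:00 10.10.7.3 -> 198.51.100.8:443 bytes=48000")
    lines.append("2013-12-04T14:00:00 10.10.7.3 -> 198.51.100.9:21 bytes=5000000")
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for alert in find_staged_exfil(build_sample_log()):
        print(alert)
```

On the sample records the only alert is the staging host, 14 active days, 42 transfers and 11.0 GB; the one-off vendor FTP upload and the HTTPS browsing stay quiet. The more basic control is upstream of any detection: a back-office POS server has no business opening outbound FTP to the Internet at all, and an egress allow-list on the cardholder data environment would have turned this two-week drip into a failed connection on day one.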