Turk posted a topic in Security & Privacy News

Los Angeles, California - January 17, 2014

The massive data breach at Target during the 2013 holiday shopping season, which the retailer now admits affected 70 million customers, used an inexpensive "off the shelf" malware known as BlackPOS. The same malware may also have been involved in the Neiman Marcus attack.

Security researchers from IntelCrawler, a Los Angeles-based cyber intelligence company, announced that the BlackPOS malware author is close to 17 years old and that the first sample was created in March 2013. The first report on this malware was made at the beginning of spring by Andrew Komarov, IntelCrawler CEO, while he was working at another forensics company. According to IntelCrawler's own sources, the first Point-of-Sale environments infected by BlackPOS were in Australia, Canada and the US.

The malware was first named "Kaptoxa" ("potato" in Russian slang), then renamed "DUMP MEMORY GRABBER by Ree" for forum postings, but the C&C title contained the string "BlackPOS". During that time, "Ree" ("ree4") sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others. At the same time, the detailed information and reverse-engineering report were shared with Visa and several major US banks, after which US LEA released an internal notification about it to the financial industry. The bad actor was quite open about trading this malware for 2,000 USD, or for a 50% share of his customers' sales of all intercepted credit cards, paid through Liberty Reserve.
[email protected]: http://ree4.7ci.ru/dump_grabber.php
[email protected]: it is administrative panel
[email protected]: password "pass"
[email protected]: http://www.sendspace.com/file/zglgvy
[email protected]: after infection you will receive "readme.txt", like "ping"

The first C&C server of BlackPOS was installed on "ree4.7ci.ru", which was the personal host of its author, nickname "ree". Some other hosts were found on this domain name, as it was probably used as hosting for all members of the same group:
- onlyddos.7ci.ru;
- merzavetz.7ci.ru;
- reperckov41.7ci.ru.

[email protected]: http://plasmon.rghost.ru/44699041/image.png
hidden: how does it keep the data (intercepted credit cards)?
[email protected]: on the left side there are files, time.txt, then you click on it and you will find dumps in the browser in plaintext
hidden: are there any differences in terms of infected Point-of-Sale systems?
[email protected]: no, but there are some nuances, for example it doesn't work on Verifone
hidden: really? I have Verifones ...
[email protected]: it grabs dumps from memory, Verifone can be connected to a PC, but it will be "secured", you need standalone Point-of-Sale terminals with a monitor and Windows
hidden: how much?
[email protected]: 2000 USD
[email protected]: 1st build

Previously he had created several tools used in the hacking community for brute-force attacks, such as "Ree4 mail brute", and also earned his first money with social network account hacking and DDoS attack trainings, as well as software development, including malicious code. Investigators from IntelCrawler have also profiled the bad actor:
E-mail 1: [email protected]
E-mail 2: [email protected]
ICQ: 565033
Skype: s.r.a.ree4

According to operative information from IntelCrawler, the person behind the nickname "ree" is Sergey Taraspov, with roots in St. Petersburg and Nizhniy Novgorod (Russian Federation), a very well known programmer of malicious code in the underground.
"He is still visible to us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers," comments Dan Clements, IntelCrawler President.

Before both breaches, IntelCrawler detected large-scale RDP brute-forcing attacks on Point-of-Sale terminals across the US, Australia and Canada, starting at the beginning of 2013 in the winter period, using weak passwords such as:
- "pos":"pos";
- "micros":"micros" (MICROS Systems, Inc. - Point-of-Sale hardware);
- "edc":"123456" (EDC - Electronic Draft Capture).

February 9th, 2013, 14:30
URL: http://www.rf-cheats.ru/forum/archive/index.php/t-156884.html
IP Address: 126.96.36.199
Location: UNITED STATES, CALIFORNIA, LOS ANGELES
Latitude & Longitude: 34.052230, -118.243680
Connection: 26 INTERNATIONAL INC
Net Speed: (COMP) Company/T1
IDD & Area Code: 213/310/424/323
ZIP Code: 90001
Weather Station: LOS ANGELES (USCA0638)

IP Address: 188.8.131.52
Location: UNITED STATES, CALIFORNIA, LOS ANGELES
Latitude & Longitude: 34.002300, -118.211520
Connection: DESIGN COLLECTION
Net Speed: (COMP) Company/T1
IDD & Area Code: 213/323
ZIP Code: 90058
Weather Station: LOS ANGELES (USCA0638)
Usage Type: (COM) Commercial

February 21st, 2013, 13:36
IP Address: 184.108.40.206
Location: UNITED STATES, NEW YORK, FAIRPORT
Latitude & Longitude: 43.088572, -77.432766
Connection: PAETEC COMMUNICATIONS INC.
Domain: PAETEC.COM
Net Speed: (DSL) Broadband/Cable
IDD & Area Code: 585
ZIP Code: 14450
Weather Station: FAIRPORT (USNY0477)

May 21st, 2013, 18:26
URL: http://d3scene.ru/besplatnye-razdachi-i-pooschreniya/49081-razdacha-dedikov.html
IP Address: 220.127.116.11
Location: UNITED STATES, COLORADO, LONE TREE
Latitude & Longitude: 39.546295, -104.896772
Connection: TW TELECOM HOLDINGS INC.
Domain: TWTELECOM.NET
Net Speed: (COMP) Company/T1
IDD & Area Code: 303
ZIP Code: 80124
Weather Station: PARKER (USCO0306)

According to The New York Times (NYT), Neiman Marcus acknowledged that the time stamp on the first intrusion was in mid-July, which may correlate well with the compromised Point-of-Sale systems found.

July 19th, 2013
URL: http://freegaming.ucoz.net/news/razdacha_dedikov/2013-07-19-3
"EDC" - Electronic Draft Capture, also known as "Point Of Sale" (POS), allows you to capture and authorize a credit card.
IP Address: 18.104.22.168
Location: UNITED STATES, ARIZONA, TUCSON
Latitude & Longitude: 32.044150, -110.734770
Connection: PRIVATE CUSTOMER
Net Speed: (COMP) Company/T1
IDD & Area Code: 520
ZIP Code: 85747
Weather Station: TUCSON (USAZ0247)

September 22nd, 2013, 15:52
URL: http://ccc.gs/topic/2405-razdacha-dedikov/
IP Address: 22.214.171.124
Location: UNITED STATES, CALIFORNIA, VALENCIA
Latitude & Longitude: 34.406069, -118.535302
Connection: TCAST COMMUNICATIONS INC
Domain: COGENTCO.COM
Net Speed: (DSL) Broadband/Cable
IDD & Area Code: 661
ZIP Code: 91355
Weather Station: STEVENSON RANCH (USCA1095)

"Most of the victims are department stores. More BlackPOS infections, as well as new breaches, can appear very soon; retailers and the security community should be prepared for them," commented Andrew Komarov, IntelCrawler CEO.

About IntelCrawler
IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.
http://intelcrawler.com/about/press08
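The RDP password-guessing campaign described in the post above (bursts of failed remote logons against POS terminals, trying default accounts such as "pos", "micros" and "edc") leaves a clear trail in the Windows Security log. The following is an added example, not IntelCrawler's code or anything from the press release; it assumes Event ID 4625 (failed logon) records have already been exported as Python dicts carrying the TimeCreated, IpAddress, TargetUserName and LogonType fields, and the sample events are constructed.

```python
"""Flag RDP password-guessing bursts in Windows failed-logon events.

Added example; not part of the IntelCrawler report. Input is assumed to be
Event ID 4625 records exported as dicts carrying the fields used below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security event: "An account failed to log on"
RDP_LOGON_TYPE = 10      # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Default POS accounts named in the report; used only to tag hits.
WEAK_POS_ACCOUNTS = {"pos", "micros", "edc"}

# Constructed sample log: one source guessing default POS accounts,
# one operator mistyping a password twice, then succeeding (4624).
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:02:11",
     "IpAddress": "198.51.100.9", "TargetUserName": "jsmith"},
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:02:40",
     "IpAddress": "198.51.100.9", "TargetUserName": "jsmith"},
    {"EventID": 4624, "LogonType": 10, "TimeCreated": "2013-02-09T14:03:01",
     "IpAddress": "198.51.100.9", "TargetUserName": "jsmith"},
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:30:05",
     "IpAddress": "203.0.113.7", "TargetUserName": "pos"},
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:30:09",
     "IpAddress": "203.0.113.7", "TargetUserName": "pos"},
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:30:14",
     "IpAddress": "203.0.113.7", "TargetUserName": "micros"},
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:30:20",
     "IpAddress": "203.0.113.7", "TargetUserName": "edc"},
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:30:27",
     "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"},
    {"EventID": 4625, "LogonType": 10, "TimeCreated": "2013-02-09T14:30:33",
     "IpAddress": "203.0.113.7", "TargetUserName": "pos"},
    # Network (SMB) logon failure from the same host: not RDP, so not counted here.
    {"EventID": 4625, "LogonType": 3, "TimeCreated": "2013-02-09T14:31:00",
     "IpAddress": "203.0.113.7", "TargetUserName": "pos"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for every source with at least `threshold`
    failed RDP logons inside some sliding window of length `window`.

    The alert records the densest window seen, the usernames tried and which
    of them are known weak POS defaults.
    """
    attempts = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != FAILED_LOGON or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        attempts[ev["IpAddress"]].append((_ts(ev["TimeCreated"]), ev["TargetUserName"]))

    alerts = {}
    for ip, tries in attempts.items():
        tries.sort()
        start = 0
        for end in range(len(tries)):
            # Shrink the window from the left until it spans at most `window`.
            while tries[end][0] - tries[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                users = {u for _, u in tries[start:end + 1]}
                alerts[ip] = {
                    "failures": count,
                    "first": tries[start][0].isoformat(),
                    "last": tries[end][0].isoformat(),
                    "usernames": sorted(users),
                    "weak_accounts_tried": sorted(users & WEAK_POS_ACCOUNTS),
                }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {alert['failures']} failed RDP logons "
              f"{alert['first']}..{alert['last']}, accounts {alert['usernames']}, "
              f"weak defaults {alert['weak_accounts_tried']}")
```

The sliding window rather than a flat per-hour count is what separates an operator fumbling a password from a dictionary run: two failures 29 seconds apart stay below a threshold of five, while six in under a minute against three different default accounts do not. Filtering on LogonType 10 keeps SMB and service-account noise out of the RDP signal; widen it if the terminals also expose other remote logon paths.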
Reefa posted a topic in Security & Privacy News

As Target continues to deal with the consequences of its massive data breach last year, the company is accelerating plans to move to a full chip-and-pin system for its branded credit and debit cards, and also plans to have terminals capable of accepting chip-and-pin cards in all of its nearly 2,000 stores by September. The Target data breach, which involved the compromise of information belonging to 110 million people, is considered one of the larger such incidents ever. Attackers initially compromised the company's network through the use of credentials belonging to an HVAC vendor and then moved through Target's systems and eventually got access to the massive cache of data.

As part of the response to the breach, Target officials said earlier this year that they were planning to make some significant changes to the company's security infrastructure and also planned to roll out the chip-and-pin initiative. Those plans now are ahead of the initial schedule, officials said. The company estimates that all of its REDcard branded credit and debit cards will be converted to chip-and-pin by early 2015, and that there will be compatible terminals in all of its stores within the next five months.

"Target has long been an advocate for the widespread adoption of chip-and-PIN card technology," said John Mulligan, executive vice president and chief financial officer at Target. "As we aggressively move forward to bring enhanced technology to Target, we believe it is critical that we provide our REDcard guests with the most secure payment product available. This new initiative satisfies that goal."

Along with the card initiative, Target also has been implementing a number of changes and upgrades to the security of its network and point-of-sale systems.
The retailer has deployed application whitelisting technology to all of its PoS systems, better segmented its network, expanded the use of two-factor authentication and restricted vendor access to its network by disabling some connection methods such as FTP and telnet. Target also announced that it has hired a new CIO, Bob DeRodes, a veteran of companies such as NCR, First Data, CitiBank, USAA and Home Depot. DeRodes will be responsible for the company’s continued security changes and overall technology initiatives. Source
geeteam posted a topic in Security & Privacy News

The United States government has sent a confidential, 16-page document to major retailers that outlines how hackers infiltrated Target's data systems late last year and made off with sensitive information belonging to over 70 million customers. As the investigation into that breach continues, the government is sharing some of what it's learned so far. According to CNBC, the report reveals that the malware which infected Target was "partly written in Russian" and that the perpetrators "displayed innovation" and "a high degree of skill." The bulletin tells merchants how they can identify the methods and malicious software used in the attack, Reuters says, which Target's anti-virus tools ultimately failed to pick up on. Little else is known about what the document contains, though its length suggests the Secret Service and Justice Department are making some headway in their investigation of the incident. Of course, the biggest challenge of all is finding those responsible; no arrests linked to the breach have been publicly reported. Source
15 Jan 14

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: malicious software that infected point-of-sale systems at Target checkout counters. Today's post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

Image caption: The seller of the point-of-sale memory dump malware allegedly used in the Target attack

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved "memory-scraping" malware. This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card's magnetic stripe in the instant after it has been swiped at the terminal and is still in the system's memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, US-CERT issued a detailed analysis of several common memory scraping malware variants.

Target hasn't officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

BLACK POS

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec.
The report generated by that scan was very recently removed, but it remains available via Google cache. According to sources, "ttcopscli3acs" is the name of the Windows computer name/domain used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was "Best1_user"; the password was "BackupU$r".

According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed in this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls "Reedum" (note that the Windows service name of the malicious process, "POSWDS", is the same as in the ThreatExpert analysis). Interestingly, a search in Virustotal.com, a Google-owned malware scanning service, for the term "reedum" suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, "30503 POS malware from FBI".

The source close to the Target investigation said that at the time this POS malware was installed in Target's environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. "They were customized to avoid detection and for use in specific environments," the source said.

That source and one other involved in the investigation, who also asked not to be named, said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.
According to the author of BlackPOS, an individual who uses a variety of nicknames, including "Antikiller", the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones "budget" version of the crimeware costs $1,800, while a more feature-rich "full" version, including options for encrypting stolen data, for example, runs $2,300.

THE ATTACK

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target's internal network that served as a central repository for data hoovered up by all of the infected point-of-sale devices.

"The bad guys were logging in remotely to that [control server], and apparently had persistent access to it," a source close to the investigation told KrebsOnSecurity. "They basically had to keep going in and manually collecting the dumps."

It's not clear what type of software powers the point-of-sale devices running at registers in Target's U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS). Target's Canadian stores run POS devices from Retalix, a company recently purchased by payment hardware giant NCR. According to sources, the Retalix POS systems will be rolled out to U.S. Target locations gradually at some point in the future.

WHO IS ANTIKILLER?

A more full-featured Breadcrumbs-level analysis of this malware author will have to wait for another day, but for now there are some clues already dug up and assembled by Russian security firm Group-IB.
Image: Securityaffairs.co

Not long after Antikiller began offering his BlackPOS crimeware for sale, Group-IB published an analysis of it, stating that customers of major US banks, such as Chase (Newark, Delaware), Capital One (Richmond, Virginia), Citibank (South Dakota), Union Bank of California (San Diego, California), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware.

In his sales thread on at least one crime forum, Antikiller has posted a video of his product in action. As noted by Group-IB, there is a split second in the video where one can see a URL underneath the window being recorded by the author's screen capture software which reveals a profile at the Russian social networking site Vkontakte.ru. Group-IB goes on to link that account to a set of young Russian and Ukrainian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hacktivist collective known as Anonymous.

One final note: Dozens of readers have asked whether I have more information on other retailers that were allegedly victimized along with Target in this scheme. According to Reuters, smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target. Rest assured that when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.

http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware
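The "memory-scraping" step the post above describes works because magnetic-stripe data sits in the POS process's memory in a fixed, recognisable layout: Track 2 is `;PAN=YYMM<service code><discretionary>?` and Track 1 is `%B<PAN>^<NAME>^YYMM<service code><discretionary>?`. The same pattern match a scraper runs over process memory is what an analyst runs over a process dump to confirm whether card data was exposed. The following is an added example, not BlackPOS, Reedum or any code from the article; it assumes a raw memory buffer has already been acquired (for instance a process dump of the POS application), and the buffer below is constructed from publicly documented test card numbers.

```python
"""Scan a raw memory buffer for magnetic-stripe track data.

Added example, not code from BlackPOS or from the article. Input is assumed to
be bytes already dumped from a POS process; SAMPLE_MEMORY below is constructed
and uses publicly documented test card numbers.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z0-9 /.'-]{2,26})\^"
    rb"(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,60}\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d{0,40}\?")

# Constructed buffer: junk, a Track 2 record, junk, a Track 1 record, and a
# Track-2-shaped string whose "PAN" fails the Luhn check (a false positive).
SAMPLE_MEMORY = (
    b"\x00\x10\x00POS total=42.17 \x00\x00\xff"
    b";4111111111111111=25121011234567890123?"                 # Visa test PAN
    b"\xfe\xfe padding \x00\x00"
    b"%B5500000000000004^DOE/JOHN^25121010000000000000000?"   # Mastercard test PAN
    b" junk ;4111111111111112=2512101?"                        # fails Luhn
    b"\x00\x00"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that separates real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so a report is useful without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return every Track 1/Track 2 record found in `buf`, ordered by offset.

    Each hit carries a masked PAN, expiry, service code and whether the PAN
    passes Luhn; callers should treat luhn_ok=False hits as noise.
    """
    hits = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            exp = m.group("exp").decode("ascii")
            hits.append({
                "track": kind,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": f"{exp[2:]}/{exp[:2]}",   # YYMM -> MM/YY
                "service_code": m.group("svc").decode("ascii"),
                "luhn_ok": luhn_valid(pan),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def confirmed_hits(buf: bytes):
    """Only the records whose PAN passes Luhn."""
    return [h for h in find_track_data(buf) if h["luhn_ok"]]


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        flag = "OK " if h["luhn_ok"] else "BAD"
        print(f"{flag} {h['track']} @0x{h['offset']:04x} {h['pan_masked']} "
              f"exp {h['expiry']} svc {h['service_code']}")
```

Two details matter in practice. The Luhn check is what keeps timestamps, transaction IDs and other long digit runs from being reported as cards, which is why the third record in the sample is flagged but not confirmed. And the tool never writes a full PAN to its output: if the point of running it is to prove exposure in a dump, the report itself must not become a second copy of the cardholder data.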