Seculert research reveals that Dexter was not the source of the point-of-sale (PoS) attack on Target. According to a December 19 statement released by Target, over 40 million credit and debit card accounts may have been compromised over a 2-week period beginning November 27.
Target had only just begun to see the extent of the damage. And based on information shared by Krebs in a January 14 report updating us on the massive data breach, we were able to identify a sample of the malware.
Seculert’s Research Lab ran the sample of the malware and discovered that, unlike Dexter, this attack had 2 stages, which is a well-known attribute of an advanced threat.
The malware that infected Target’s checkout counters (PoS) extracted credit card numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.
On December 2, the malware began transmitting payloads of stolen data to an FTP server on what appears to be a hijacked website. These transmissions occurred several times a day over a 2-week period.
Also on December 2, the cybercriminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP server. They continued to download the data over 2 weeks, for a total of 11 GB of stolen sensitive customer information.
While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.
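The two-stage pattern described above (an internal machine uploading batches to a staging FTP server several times a day, then a separate external host pulling the accumulated data down) leaves a recognisable signature in the FTP server's own transfer log, which is the kind of "publicly available access log" analysis mentioned here. The following is an added example, not Seculert's tooling or any code recovered from the incident: it parses a wu-ftpd/vsftpd-style xferlog and flags hosts that upload persistently, hosts that download in bulk, and pairs where a bulk downloader retrieves files another host staged. The log entries, IP addresses, file names, byte counts and thresholds are all constructed for the demonstration.

```python
"""Detect FTP staging-and-exfiltration patterns in an xferlog (added example).

Assumptions (not from the original post): the FTP server writes a standard
xferlog; the sample below is constructed to mimic the described behaviour,
with one host uploading several files a day over several days and a
different host later downloading everything.
"""
from collections import defaultdict
from datetime import datetime


def _build_sample_xferlog():
    """Constructed xferlog lines (not real data). Field order per xferlog:
    weekday mon day time year xfer-secs remote-host bytes filename type
    special direction access-mode user service auth uid completion-status."""
    lines, staged_names = [], []
    for day in (2, 3, 4):                      # three days of uploads
        for k in range(3):                     # three uploads per day
            when = datetime(2013, 12, day, 3 + 4 * k, 14, 7)
            name = f"/upload/batch{day:02d}_{k}.dat"
            staged_names.append(name)
            lines.append(f"{when:%a %b} {when.day:2d} {when:%H:%M:%S %Y} 4 "
                         f"203.0.113.5 5000000 {name} b _ i r ftpuser ftp 0 * c")
    pull = datetime(2013, 12, 4, 22, 1, 0)     # a different host pulls it all
    for name in staged_names:
        lines.append(f"{pull:%a %b} {pull.day:2d} {pull:%H:%M:%S %Y} 9 "
                     f"198.51.100.77 5000000 {name} b _ o r ftpuser ftp 0 * c")
    # Benign noise: an anonymous user fetching a small public file.
    lines.append("Thu Dec  5 10:00:00 2013 1 192.0.2.9 1200 /pub/readme.txt "
                 "a _ o a anonymous ftp 0 * c")
    return "\n".join(lines)


SAMPLE_XFERLOG = _build_sample_xferlog()


def parse_xferlog(text):
    """Parse xferlog lines into dicts; incomplete or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18 or f[17] != "c":        # keep only completed transfers
            continue
        when = datetime.strptime(" ".join(f[1:5]), "%b %d %H:%M:%S %Y")
        records.append({"when": when, "host": f[6], "bytes": int(f[7]),
                        "filename": f[8], "direction": f[11]})   # i=upload, o=download
    return records


def find_staging_pattern(records, min_uploads_per_day=3, min_days=2,
                         min_download_bytes=20_000_000):
    """Flag persistent uploaders, bulk downloaders, and uploader/downloader pairs
    where the downloader retrieved files that a different host staged.
    Thresholds are illustrative assumptions, not values from the post."""
    uploads_per_host_day = defaultdict(lambda: defaultdict(int))
    uploader_of = {}                           # filename -> host that uploaded it
    download_bytes = defaultdict(int)
    foreign_sources = defaultdict(set)         # downloader -> hosts whose files it took
    for r in records:
        if r["direction"] == "i":
            uploads_per_host_day[r["host"]][r["when"].date()] += 1
            uploader_of[r["filename"]] = r["host"]
        elif r["direction"] == "o":
            download_bytes[r["host"]] += r["bytes"]
            origin = uploader_of.get(r["filename"])
            if origin and origin != r["host"]:
                foreign_sources[r["host"]].add(origin)
    persistent_uploaders = {
        h for h, per_day in uploads_per_host_day.items()
        if sum(1 for n in per_day.values() if n >= min_uploads_per_day) >= min_days}
    bulk_downloaders = {h for h, b in download_bytes.items() if b >= min_download_bytes}
    staging_pairs = {(up, down) for down in bulk_downloaders
                     for up in foreign_sources.get(down, ()) if up in persistent_uploaders}
    return {"persistent_uploaders": persistent_uploaders,
            "bulk_downloaders": bulk_downloaders,
            "staging_pairs": staging_pairs,
            "download_bytes": dict(download_bytes)}


if __name__ == "__main__":
    result = find_staging_pattern(parse_xferlog(SAMPLE_XFERLOG))
    for up, down in sorted(result["staging_pairs"]):
        print(f"staging pattern: {up} uploaded repeatedly; {down} pulled "
              f"{result['download_bytes'][down]} bytes of those files")
```

On a real server the same logic runs over the live xferlog (or an FTP proxy's equivalent) and the interesting alert is the pair, not either host alone: a single busy uploader or a single large download is common, but a persistent uploader whose files are collected in bulk by an unrelated address is the staging signature the post describes.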