Target credit card hack: Things are a lot worse than the last time we told you they were worse than we thought

by Bob Sullivan on January 17, 2014

WSJ.COM posted the iSight report (click to see it - PDF)

WSJ.COM posted the iSight report. This is a section of code allegedly from the malware.

The report that explains how Target’s credit card systems were hacked contains this chilling sentence: “At the time of discovery, the malware had zero percent detection rate, which means fully updated antivirus engines on fully patched computers could not ID the malware.” It was posted online by The Wall Street Journal (PDF).

Let me translate: There was no way to stop the hackers.  It’s beginning to sound like they might as well have stolen a printing press from the U.S. Mint.

The question that’s hanging in the air now is this: Where does it stop?  The software, loaded with powerful new techniques for scraping, collecting, and transmitting credit cards from retail stores, was made available for sale to credit card hacker groups. It works so well, it’d be stupid to think it hasn’t spread, like a virus, to plenty of U.S. retailers.  Whatever hacker group attacked Target attacked other retailers.  Other hacker groups bought the malware and used it for their own attacks.

Earlier this week, I reported that credit card hackers had access to Neiman Marcus credit card systems for longer than three months. Excellent reporting by Reuters now reveals that six more retailers have been warned their systems might have been infected.

The malicious software, sold as “Trojan.POSRAM,” is particularly crafty because it exploits a fundamental weakness in the way the credit card encryption works. Even if a retailer does everything right, and spends the money to encrypt account numbers whenever they are at rest, there is still a moment when the scrambled data must be unscrambled for processing.  Just as encrypted data is useless to hackers, it’s useless for computations, too – it must be unscrambled to be authenticated. POSRAM grabs the data during the instant it’s unprotected, when it’s in RAM, for processing.

iSight’s report on the malware, furnished to the Secret Service and posted by the Wall Street Journal, makes clear that the technique isn’t exactly brand new — it’s been used in Brazil at least as far back as 2009, and in Eastern Europe, too.  But it was new enough to retailers in the U.S. The question now is: How many of them have found the now-infamous winxml.dll file that’s hiding on their systems, gathering up our credit card numbers? And how many will be ultimately hear about?

Meanwhile, as I’ve suspected all along, there’s good reason to believe that the Target hack may have even impacted non-Target shoppers.  Net users are telling Consumerist.com that they’re getting e-mails from Target with offers of free credit monitoring, even though they’ve never shopped at Target or Target.com.  That means Target got the victims’ email addresses some other way — through a partnership, or by purchasing the data from a marketing company. Target isn’t yet saying.

It all means that the initial comforting caveat that as long as you didn’t shop at Target between Nov. 27-Dec. 15, you didn’t have anything to worry about — well, we’re very far from that now.  Before we’re done, this attack might touch half the households in America. Or more.  It’s a pretty good idea to take Target up on its offer of free credit monitoring. Here’s how. 

Sign up for Bob Sullivan’s newsletter. 

 

 

{ 2 comments… read them below or add one }

Billy Bob January 19, 2014 at 4:26 am

Target may have gotten the email addresses from an old partnership with Amazon: http://consumerist.com/2014/01/17/non-target-customers-wondering-how-target-got-contact-info-to-send-email-about-hack/

The part I really don’t understand and nobody has explained is WHY the encrypted financial info “…must be unscrambled to be authenticated” Who says so? Passwords on a computer systems are never unencrypted. The user input is simply run through the same key as the original, then the two scrambled results are compared. If the “scrambles” are the same, then the password must match! Why are pin numbers and acct. numbers any different? Why should they _ever_ need to be decrypted?

Reply

Mark Kedgley January 21, 2014 at 10:22 am

“At the time of discovery, the malware had zero percent detection rate, which means fully updated antivirus engines on fully patched computers could not ID the malware”

Unfortunately this is no real excuse, since anyone in the Information Security knows that Anti-Virus is fallible as a malware defense. AV systems work by quarantining any files that score a hit against a repository of signatures of known malware. AV systems will also attempt track known patterns of malware behaviour. In other words, AV is always working on old information. This means that Malware can be modified to side-step AV operation. A modified malware strain effectively becomes a brand-new, never before seen variant, leaving the AV blind to its existence.

But since it is well-understood that AV needs help, the security standard developed to protect card data – the PCI DSS – mandates other measures to block the loopholes left by AV.

PCI DSS Requirement 11.5 mandates that regular file integrity checks are run on all in scope systems. This is a simple but effective way to detect either new files or trojans, like the winxml.dll highlighted here. File Integrity monitoring or FIM can be operated in real-time to provide a continuous malware detection.

I have yet to see Target respond to any questions relating to their use of FIM.

Reply

Leave a Comment

Previous post:

Next post: