RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems.
New card data breaches were discovered by RSA Security. Memory scraping malware was used to steal card data from multiple merchants in the US and abroad.
There are multiple messages about a possible card data breach at Michaels Stores Inc. It would be interesting to know whether it's a RAM scraper again or whether they have invented something else for a change. Besides the POS memory, there are at least 3 additional major areas (and many "sub-areas") of payment application vulnerabilities that can be easily exploited, even if the system is PCI compliant.

The Target breach affected Canadian customers as well, although Canadian Target stores are equipped with different point of sale (Retalix 10) and payment (Retalix Connected Payments) software supplied by Retalix (now NCR). Probably, they did not manage (or did not bother) to secure the PII (Personally Identifiable Information) as they were focused on the security of payment data. Note that the PCI data security standards do not contain any requirements to protect PII. In addition to the POS/payment software being different from the US stores, take into account that magnetic stripe payment cards, which were the target during the Target attack, have become a rarity in Canada after the EMV migration.

As rightly noted in this article, the PCI data security standard promoted by the major credit card brands has proven to be useless. However, there is an existing technology that could have saved Target and other breached retailers if they had implemented it. It's called P2PE (Point-to-Point Encryption) and it's well known to payment security professionals. In fact, Target started implementing P2PE but they were too late...

Although the preview of the Hacking Point of Sale book is still not available on Amazon and other bookseller websites, the Contents at a Glance can be found here.

What we know now for sure is that the Target breach was performed through an attack on point of sale machines using RAM scraping malware. The memory scraping technique is pretty simple. Usually, the RAM scraper selects and scans a particular process that belongs to the POS and/or payment application.
The names of these processes are well known string constants. The card data is filtered out of the memory stream using a special technique called regular expressions, or regex. I describe all this in detail in my forthcoming book Hacking Point of Sale. The book also contains code examples of a RAM scraper as well as disk and network scanners.

There are different and sometimes confusing messages regarding the specific malware used to steal card data from Target stores. Some of them name KAPTOXA as the malware responsible for the attack and reference the iSIGHT Partners report. I haven't seen this report, so I can't say KAPTOXA is directly related to the Target breach. The first time I heard and wrote about KAPTOXA was back in May 2013. Interesting fact: the word "KAPTOXA" consists of letters which look the same in both the Latin and Cyrillic alphabets, although some of them stand for different sounds. If you read this word as Cyrillic letters, it is a Russian slang word meaning "potato". However, I would rather trust the McAfee blog, which states that the actual malware is "BlackPOS", which contains the string "Rescator" that links it to Russian hackers. It is unclear at this moment whether there is any link between KAPTOXA and BlackPOS.

According to Reuters, Target's credit and debit card data was stolen using a RAM scraper. I warned of the danger of RAM scrapers in my previous posts, and I dedicate a lot of attention to memory scraping in my forthcoming book about credit card fraud and payment application security, Hacking Point of Sale. Today, memory scraping is the most effective way to steal sensitive cardholder information from point of sale machines, and it works perfectly even if the software is PA-DSS validated and the merchant is PCI DSS compliant.

It is unclear whether the Neiman Marcus incident with stolen credit cards is related to the recent series of attacks on US retailers, including the massive Target breach.
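The same regex filtering that a scraper applies can be turned around by an incident responder: given a memory image acquired from a POS host, the check below reports whether the POS or payment process held cleartext track 1 or track 2 data, and shows that a P2PE-protected process yields nothing to find. This is an added example, not code from the book or from the original post; both memory images are constructed, and 4111111111111111 is a standard test PAN.

```python
import re

# ISO 7813 stripe layouts, as bytes patterns since a memory image is raw bytes.
# Track 2: ';PAN=YYMM<service><discretionary>?'  Track 1: '%B<PAN>^<NAME>^YYMM<service><discretionary>?'
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})\d{3,}\?")
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^[^^]{2,26}\^(?P<yy>\d{2})(?P<mm>\d{2})\d{3}[^?]*\?")

def luhn_ok(pan: bytes) -> bool:
    """Mod-10 check; weeds out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # iterating bytes yields ints
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: bytes) -> str:
    """First six / last four, so a finding can be reported without re-exposing the PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def find_cleartext_tracks(image: bytes) -> list:
    """Return (offset, track, masked_pan, 'MM/YY') for each Luhn-valid track record found."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(image):
            if luhn_ok(m.group("pan")):
                expiry = m.group("mm").decode() + "/" + m.group("yy").decode()
                hits.append((m.start(), track, mask_pan(m.group("pan")), expiry))
    return sorted(hits)

# Constructed sample: memory of a POS process holding stripe data in the clear (…1112 fails Luhn).
CLEARTEXT_IMAGE = (
    b"\x00\x00pos.exe\x00config=prod\x00"
    b";4111111111111111=2512101000000000?"
    b"\x00\x00junk;4111111111111112=2512101?\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"
    b"\x00TX-ID 00928\x00"
)

# Constructed sample: the same process under P2PE; the reader encrypts the stripe, so the
# application only ever sees ciphertext, a key serial number and a masked PAN.
P2PE_IMAGE = (
    b"\x00\x00pos.exe\x00config=prod\x00PAN=411111******1111\x00EXP=12/25\x00"
    b"KSN=FFFF9876543210E00001\x00ENC=8f3a0c77d2e1b9441c0de5a7\x00"
)

if __name__ == "__main__":
    for hit in find_cleartext_tracks(CLEARTEXT_IMAGE):
        print("cleartext stripe data at offset %d: %s %s exp %s" % hit)
    print("P2PE image findings:", find_cleartext_tracks(P2PE_IMAGE))
```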
Regardless of whether it's done by the same group or different individuals, a new breach is not a surprise per se, and it's definitely not the last one. Based on the grim state of security in the payment card industry (or more precisely, the complete lack of security), we should expect more and more similar events in the near future.

While the mass media are overflowing with duplicate information about the Target breach, there are other card data breaches that are taking place silently as we speak about the Target event. This fact confirms that the Target breach is not an exception, because the PCI data security standards are ineffective and credit/debit card payment processing technology is insecure by design.

Affinity Gaming card data breach

LAS VEGAS, December 20, 2013 - Affinity Gaming ("Affinity") has confirmed an unauthorized intrusion into the system that processes customer credit and debit cards for its casinos, and is issuing this public notice of the data security incident and encouraging individuals who visited its gaming facilities between March 14th and October 16th of 2013 to take steps to protect their identities and financial information.

Briar Group card data breach

December 27, 2013 by admin

To our valued customers: As you may be aware, in mid-November a number of residents and visitors to the Boston area learned that they were the victim of credit card data theft. As soon as the Briar Group became aware that our restaurants – and therefore our customers – may have been a target of this crime, we undertook an immediate investigation into this issue. Today we are reporting that the Briar Group’s systems were indeed infiltrated. The investigation remains active and ongoing, but there are some things that we can tell you now.