The cybercriminals that infiltrated the systems at retail giant Target used a customized version of standard point-of-sale system malware and other standard tactics that aim at organizations' common weaknesses, according to a new threat report issued by McAfee.
The report, issued this week, highlights the threat landscape for the fourth quarter of 2013. It sheds light on an industry notorious for meeting annual compliance requirements without necessarily running an ongoing security program, say solution providers who predict a surge in interest from large and small retailers in security technologies. The Payment Card Industry Data Security Standard, which sets out minimum security requirements for the retail industry, is now in its third iteration and is not necessarily driving adoption of new security technologies, they say.
McAfee's report said cybercriminals used a classic approach to gain access to Target's custom-built POS application. The attackers partly relied on account credentials stolen from Target's third-party heating and air conditioning firm to gain access to the retailer's mixture of IT systems.
Several customizations to the BlackPOS malware allowed specific behavior within Target's environment, McAfee said. The initial penetration into the company's systems enabled attackers to gain details regarding Active Directory domain names, user accounts and IP addresses of SMB shares, which were hard-coded into scripts that were dropped by some of the malware components, McAfee said.
The McAfee report downplayed the sophistication of the POS system attack, calling the threat generally easy to carry out. BlackPOS source code has been leaked multiple times and is as available and customizable as Zeus and other classic banking Trojan families and automated exploit toolkits, McAfee said. Last year, McAfee highlighted the vSkimmer Trojan, another readily available tool, which is designed to detect credit-card readers and steal data from the Windows systems that support them.
"We must recognize that this class of attack is far from 'advanced,'" McAfee said. "The BlackPOS malware family is an 'off-the-shelf' exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality."
The Target breach resulted in millions of stolen credit and debit cards and the theft of sensitive account data on millions of its customers. The company announced the departure of its chief information officer last week. Other retailers are investigating attacks, including Neiman Marcus and Michaels Stores. McAfee pointed to other POS system attacks in 2013 against Harbor Freight, Wichcraft and Easton-Bell Sports. McAfee and other security vendors consistently point to attackers targeting weaknesses in remote management applications used to manage POS systems. The systems also often contain default or weak passwords, which can provide easy access in brute-force attacks.
Target and other high-profile retail data breaches have increased awareness about security and prompted conversations about how to address potential risks, said Russell Temple, director of the data center practice at Tempe, Ariz.-based service provider Insight Enterprises. Temple said he doesn't anticipate retailers racing to deploy new technologies.
"There's certainly more sensitivity about the topic, and it's now something that will come up in conversations in that vertical," Temple told CRN. "It's something that customers make a midyear initiative or potentially a major focus in 2015 if some of these threats keep happening in the first part of the year."
Jason Livingston, CEO of Bloomington, Minn.-based Intuitive Technology Group, said the conversation with retailers about security has intensified. Some firms are interested in hearing about critical systems protection, data loss prevention and other ways to quickly detect potential attacks, Livingston said.
"If they do the analysis, they'll see that the cost of cleaning a breach up and managing the PR can be astronomical," Livingston said in a recent interview. "It's hard with the Target breach to figure out what correct tools in place would have prevented the breach, but retail security is turning into a real hot one right now."
PUBLISHED MARCH 10, 2014