March 24, 2014
Reports of a string of point-of-sale (POS) attacks on a number of retail chains in the United States began to surface during the holiday season of December 2013, placing millions of consumers’ credit card information and identities at risk of theft. Most prominent in the headlines was Target, whose POS attack has been ranked as one of the largest data-loss incidents in history. Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports, Michaels Stores, and ‘wichcraft all reported similar POS breaches in 2013.
While there is no public record proving that these attacks share the same origin, a large portion of them were carried out by cybercriminals who purchased off-the-shelf, ready-made malware. POS malware is not a new development, yet there has been a significant spike in activity from the malware families POSCardStealer, Dexter, Alina, vSkimmer, and ProjectHook, most of which can be purchased online.
McAfee Labs has pinpointed that the specific malware used to breach Target security was BlackPOS — a ready-to-deploy exploit kit for sale online that can easily be modified with little programming or malware knowledge. The source code for BlackPOS has also been leaked online, which allows cybercriminals easier access to the malware.
McAfee Labs researchers know that Target uses a custom-built POS security system, which is critical information since a custom-built system is typically more difficult to breach. Cybercriminals would usually learn the infrastructure of a company’s POS system offline, using available leaks of other commercial POS applications, before deploying an attack. Although BlackPOS is an easy-to-deploy malware, numerous customizations were made to it before the attack that made it easier to infiltrate the Target system. Some of the malware components copied details of Active Directory domain names and user accounts and transferred them to remote servers. Moreover, the data sent back to the cybercriminals’ servers was not encrypted: it travelled in plain text from the point of collection all the way to the server storing the stolen information. Target is the only retailer that McAfee Labs has confirmed was breached by BlackPOS.
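The unencrypted exfiltration described above is what gives defenders an opening: card numbers leaving a POS segment in plain text can be spotted on the wire or in transfer logs. The script below is an added illustration, not code from McAfee Labs or from any of the malware families named here. It scans constructed log lines for contiguous 13-19 digit runs, keeps only those that pass the Luhn checksum used by payment cards, and reports a masked form so the alert itself never re-exposes a full number. The log format, host names and the sample lines are all invented for the example; 4111111111111111 is a widely published card-network test number, not a real account.

```python
import re

# Constructed sample lines imitating an outbound-transfer log from a register.
# Line 2 carries a Luhn-valid test PAN in the clear; line 3 has a 16-digit
# value that fails Luhn; line 4 has digits that are too short to be a PAN.
SAMPLE_LOG = [
    '2013-12-02 03:14:07 POS-REG-17 ftp PUT /uploads/batch01.txt size=2048',
    '2013-12-02 03:14:08 POS-REG-17 payload="4111111111111111|12/16|123"',
    '2013-12-02 03:15:00 POS-REG-17 payload="1234567890123456|order=99"',
    '2013-12-02 03:16:22 POS-REG-17 heartbeat ts=1385954182',
]

# Contiguous runs of 13-19 digits not adjacent to other digits; the Luhn check
# below filters out most non-card numbers that happen to match this shape.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits; hide the rest in any alert."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return all Luhn-valid candidate card numbers found in one line."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def scan_lines(lines):
    """Return (1-based line number, masked PAN) for every plaintext hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: possible plaintext card number {masked}")
```

In practice this check would be run over a packet capture or a proxy/FTP log from the POS network segment, where any Luhn-valid hit is suspicious because card data should only ever leave a register encrypted. The contiguous-digit regex is a deliberate simplification: data split by separators or encoded before transfer would need a broader pattern, and a Luhn match on its own is a trigger for investigation, not proof of a breach.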
Of the nearly 40 million credit card numbers that were stolen in late 2013, McAfee Labs researchers have traced many to large lots offered for sale on key online “carding” marketplaces. Typically, cybercriminals are able to buy these credit card numbers in bundles that range anywhere from 1 million to 4 million card numbers at a time.
Lampeduza Republic is one example of the various credit card black market sites on the dark web. The site relies on a well-organized hierarchy that keeps the marketplace functioning smoothly. Sales on Lampeduza are quite active, and some have included stolen credit card numbers tied to the recent POS retail attacks.
While the long-term consequences of the 2013 POS attacks are unknown, these breaches will likely soon prompt changes to security approaches and compliance requirements. Moreover, the main lesson learned is that the rapidly growing cybercrime industry played a major role in enabling the POS attacks and will likely not decline in popularity among thieves anytime soon.