BlackPOS credit card

After the attack on the Soviet pipeline and the contamination of drinking water… Season 2 of The Sentryo Files continues to explore the realm of cyberattacks with the massive attack waged on a major American retailer, Target.

40 million card numbers were stolen through unprotected remote access

Between November and December 2013, Target's POS terminals were breached and, as a result, 40 million credit and debit card numbers and 70 million records of personal information were stolen. The attackers got in through the remote access that Target had granted to a heating and air-conditioning (HVAC) service provider, using credentials they had obtained from that provider by social engineering. Once inside, they installed RAM-scraping malware on the POS terminals: a program that reads the memory of the payment application and copies out card data while it is being processed in the clear, before it is encrypted for storage or transmission.

The different stages of the attack

First, the attackers went after the HVAC contractor itself. A spear-phishing email carrying a malicious attachment gave them a foothold on the contractor's systems, and from there they harvested the login credentials the contractor used to reach Target's network.

With those credentials they reached Target's externally facing vendor systems and pivoted from that building-services foothold into the internal network, all the way to the POS terminals. There they installed the BlackPOS malware, which scraped card data (the magnetic-stripe track data) from the memory of the payment process as each card was swiped. This card data, along with customers' personal information, was first staged on a compromised internal server and then exfiltrated over FTP to a server located in Russia.

The BlackPOS malware, also known as Reedum or Kaptoxa, was written and sold on underground forums in 2013 by a young Russian hacker. It was designed specifically to run on POS terminals and steal payment card data from their memory.
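The core of a POS RAM scraper like BlackPOS is simple: read the memory of the payment process and look for magnetic-stripe track records, which have a fixed layout. The added example below (not code from the original article or from BlackPOS itself) shows that search over a constructed memory buffer, using the well-known test card numbers 4111111111111111 and 5555555555554444. It adds a Luhn check-digit test so random digit runs are not reported, and masks the PAN in its output, because the same scan is what a responder runs over a memory image to confirm that cardholder data was exposed, and the output of that scan must not itself become a cardholder-data leak. The buffer contents and the `build_sample_memory` helper are constructed for the example.

```python
import re

# Magnetic-stripe layouts that a POS RAM scraper hunts for in memory.
# Track 1 (format B): %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,24}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, the maximum PCI-DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Scan a memory buffer for track 1 / track 2 records carrying a Luhn-valid PAN.

    Offensively this is what a RAM scraper does to the payment process; defensively
    it is the check a responder runs over a memory dump to confirm card data is present.
    """
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue  # decoy or random digits, not a real card number
            exp = m.group(3).decode() if track == 1 else m.group(2).decode()
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),               # never log the full PAN
                "expiry": exp[2:] + "/" + exp[:2],  # YYMM -> MM/YY
            })
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_memory() -> bytes:
    """Constructed stand-in for a dump of the payment process: two records with
    well-known test PANs, surrounded by junk, plus one decoy that fails the Luhn check."""
    return (
        b"\x00\x10POS.EXE heap\x00\x00"
        b"%B4111111111111111^DOE/JOHN^25121011234567890000?"
        b"\x00\x00\x00button text\x00"
        b";5555555555554444=2512101123456789?"
        b"\x00trailing\x00"
        b";4111111111111112=2512101000000000?"  # decoy: bad check digit
        b"\x00\x00"
    )


if __name__ == "__main__":
    for hit in scan_for_track_data(build_sample_memory()):
        print(hit)
```

Run against a real memory image (for instance a dump of the payment application's process taken during incident response), the scan reports two hits for the sample buffer and rejects the decoy. The two regular expressions are the whole "intelligence" of the scraper; everything else in a tool like BlackPOS is plumbing for reading another process's memory and moving the harvested records off the terminal.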

Serious consequences

When the data breach was made public, Target's share price fell sharply and its CEO stepped down. Data from the 40 million stolen cards was then sold on black market carding forums.

BlackPOS: various security flaws were to blame for the data breach

In its 2014 report analyzing this incident, the US Senate Committee on Commerce, Science and Transportation pointed to the numerous security flaws that Target had neglected to resolve and which allowed this cyberattack. According to the committee, Target had multiple opportunities to stop the attack and prevent the massive data breach.

Target's errors

All the alerts from the security systems were ignored. Target's FireEye malware-detection appliances raised alerts when the attackers installed their tools on the network and again when the data exfiltration began. The Symantec Endpoint Protection antivirus also detected malicious behavior on the same systems and issued an alert that likewise appears to have gone unheeded.

Protecting yourself against this type of attack

Various lessons can be learned from this massive cyberattack. Bringing the building management systems, and the contractors who service them, under the company's general security governance is an essential prerequisite for network security. Target's internal network was, after all, reached through an external provider whose own security was essentially non-existent.

Internally, several measures would also have let those responsible for information system security protect against the cyberattack:

  •     Establish effective protection that goes beyond mere compliance with the regulations in force. Target had just been certified as compliant with PCI-DSS (Payment Card Industry Data Security Standard), which did not stop the BlackPOS attack: the standard requires cardholder data to be encrypted in storage and in transit, but a RAM scraper reads it from memory, where the payment application handles it in the clear.
  •     Implement strong authentication for remote access: the attackers got in with the contractor's ordinary username and password for the external vendor portal used for billing. With a second factor, a stolen password alone would not have been enough.
  •     Segment the network so that sensitive zones are isolated, and an intrusion cannot spread laterally from the vendor-facing or industrial network into the POS environment.
  •     Keep up with threat intelligence on the flaws found in POS systems: Visa had published a warning bulletin about memory-scraping POS malware several months before the attack, but no corrective measures were applied.
  •     Put monitoring in place that actually acts on the alerts issued by the detection tools on your information system: the attack on the POS terminals would most likely have failed if the FireEye and Symantec warnings had not been ignored.
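The last three points above come down to one practical question: what should a monitoring team have been looking for on the night the data left? The added example below (not code from the original article, and not a description of Target's actual tooling) runs three simple rules over constructed connection-log and alert lines. It uses a hypothetical network plan in which tills sit in 10.20.0.0/16 and back-office servers in 10.30.0.0/16: rule 1 flags any till that reaches the internet at all (a segmentation violation), rule 2 flags outbound FTP, the exfiltration channel used in this case, and escalates it when the sending host had already been flagged by the malware appliance, and rule 3 flags an internal server that several tills are writing to, which is what a staging server looks like from the network. The log format, the addresses and the alert signature name are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical network plan for the example: tills live in 10.20.0.0/16,
# back-office servers in 10.30.0.0/16, and everything outside 10.0.0.0/8 is
# the internet. Adjust these to the real zoning of the estate being monitored.
POS_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FTP_PORTS = {20, 21}
EXFIL_BYTES = 10 * 1024 * 1024  # a single 10 MiB outbound flow is odd for a store

# Constructed log formats: one flow record or one alert record per line.
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")
ALERT_RE = re.compile(r"^(\S+) ALERT host=(\S+) sig=(.+)$")

# Constructed sample: two tills copy files to a back-office server over SMB,
# the malware-detection appliance flags that server, the server then pushes
# 50 MiB to an external host over FTP, and one till talks to the internet.
SAMPLE_LOGS = """
2013-12-02T01:03:12 src=10.20.5.17 dst=10.30.8.5 dport=445 bytes=1843200
2013-12-02T01:05:40 src=10.20.5.18 dst=10.30.8.5 dport=445 bytes=1710080
2013-12-02T02:41:10 ALERT host=10.30.8.5 sig=malware.binary.dropper
2013-12-02T03:14:07 src=10.30.8.5 dst=203.0.113.45 dport=21 bytes=52428800
2013-12-02T09:12:33 src=10.20.5.17 dst=198.51.100.9 dport=443 bytes=4096
2013-12-02T10:00:00 src=10.30.1.2 dst=10.30.8.5 dport=443 bytes=2048
""".strip().splitlines()


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def analyse(lines: list) -> list:
    """Correlate alerts and flows into findings. Lines are sorted by their ISO
    timestamp so an alert only raises severity for flows that come after it."""
    alerted_hosts = {}                 # host -> last alert signature seen
    pos_writers = defaultdict(set)     # internal server -> tills writing to it
    findings = []

    for line in sorted(lines):
        m = ALERT_RE.match(line)
        if m:
            _, host, sig = m.groups()
            alerted_hosts[host] = sig
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dst = m.group(1), m.group(2), m.group(3)
        dport, nbytes = int(m.group(4)), int(m.group(5))
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

        # Rule 1: a till should never reach the internet at all (segmentation).
        if src_ip in POS_NET and not is_internal(dst_ip):
            findings.append({"rule": "pos_egress", "host": src, "severity": "high",
                             "ts": ts, "detail": f"POS terminal reached {dst}:{dport}"})

        # Rule 2: outbound FTP is the exfiltration channel used in this case;
        # escalate when the sender was already flagged by the malware appliance.
        if dport in FTP_PORTS and not is_internal(dst_ip):
            severity = "high" if nbytes >= EXFIL_BYTES else "medium"
            if src in alerted_hosts:
                severity = "critical"
            findings.append({"rule": "external_ftp", "host": src, "severity": severity,
                             "ts": ts, "detail": f"{nbytes} bytes to {dst}:{dport}; "
                                                 f"prior alert: {alerted_hosts.get(src)}"})

        # Rule 3 bookkeeping: several tills writing to one internal share
        # is what a staging server looks like from the network.
        if src_ip in POS_NET and dport == 445 and is_internal(dst_ip):
            pos_writers[dst].add(src)

    for server, tills in pos_writers.items():
        if len(tills) >= 2:
            findings.append({"rule": "staging_fan_in", "host": server, "severity": "medium",
                             "ts": "", "detail": f"{len(tills)} POS hosts wrote to {server} over SMB"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f["severity"].upper(), f["rule"], f["host"], f["detail"])
```

On the sample the rules produce three findings: a critical external FTP transfer from the server the appliance had already flagged, a high-severity egress from a till, and a medium staging-server warning. None of them needs a malware signature; they rest on knowing what traffic a POS segment is allowed to generate, which is exactly the kind of baseline that segmentation and alert monitoring are meant to provide.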

This cyberattack once again shows how important it is for companies to control access to their networks and to monitor unusual activity effectively. Monitoring your systems is essential, especially when you handle sensitive data such as payment card details. It is also important to make your employees aware of the techniques used to carry out malicious activities, and we know just the person to turn to for great advice on the subject: Rachel Tobac, a white-hat hacker specialized in social engineering!