Heartland, TJX Attacks Look Sadly Familiar

The news that federal authorities have indicted the man they claim is responsible for the TJX attack for also allegedly hacking into the networks of Heartland Payment Systems, 7-Eleven and the Hannaford Brothers grocery chain shows that law enforcement is indeed stepping up its work on cybercrime. But it also provides what is probably the clearest evidence to date that the people executing these attacks are highly competent, organized and motivated.

The news that federal authorities have indicted the man they claim is responsible for the TJX attack for also allegedly hacking into the networks of Heartland Payment Systems, 7-Eleven and the Hannaford Brothers grocery chain shows that law enforcement is indeed stepping up its work on cybercrime. But it also provides what is probably the clearest evidence to date that the people executing these attacks are highly competent, organized and motivated.

If you missed it, a New Jersey grand jury on Monday indicted a man named Albert Gonzalez for the attacks that resulted in more than 100 million credit and debit card numbers being stolen from Heartland, 7-Eleven and Hannaford. The interesting part of this is that Gonzalez already is in hot water with the federal government for his alleged role in the attack on TJX. Gonzalez is awaiting trial on charges related to the TJX attack and has been a confidential informant for the Secret Service for some time.

Apparently some of his work with the Secret Service involved Gonzalez giving up his alleged co-conspirators on the Heartland attack, two unnamed hackers. It’s unclear exactly who did what to whom, but that’s really beside the point. Those are technicalities that really only concern the prosecutors and defense attorneys.

What IT security teams and other interested parties should be concerned with are how these attacks happened and the level of organization and professionalism involved. The how seems to have varied from incident to incident. The TJX attack allegedly was the result of an attacker sitting outside one of the company’s stores, sniffing the wireless network traffic and then going from there. In the more recent attacks, the vector apparently was SQL injection, the current weapon of choice for discriminating attackers everywhere. In the indictment, authorities say that in the cases of Hannaford, 7-Eleven, Heartland and a couple of other unidentified companies the attackers used SQL injection to get into the networks and then planted malware.

All of this was done after the attackers had done some serious advance legwork, both on the Web and in the real world. From the indictment:

“It was further part of the conspiracy that GONZALEZ and P.T. would travel to retail stores of potential corporate victims, both to identify the payment processing systems that the would-be victims used at their point of sale terminals (e.g., “checkout” computers) and to understand the potential vulnerabilities of those systems.”

In other words, this was not something that this group did on a lark. They put a considerable amount of time and effort into this plan. They knew what they were looking for, they knew where to find it and they knew how to get it. And once they had their plan in place, it appears that their targets made it all too easy for them to succeed. SQL injection vulnerabilities are a pervasive and insidious problem, but they’re also well-understood and there are effective methods for finding and fixing them.

As Rich Mogull of Securosis points out, the method of attack was simple, familiar and preventable.

But, as the recent waves of mass SQL injection attacks against legitimate Web sites show, there are hundreds of thousands, if not millions, of sites out there that are ripe for compromise. This is simply more reinforcement for the old axiom that the good guys have to get everything right in order to succeed, while the bad guys only need to get one thing right in order to succeed.

So the question now is, what, if anything, have IT security teams learned from these attacks? Unfortunately, the answer may well be: nothing. SQL injection is not a revolutionary new technique that caught everyone by surprise, nor is it news that attackers are focusing on high-value targets, such as retailers and payment processors, which have a large volume of financial transactions crossing their wires.

Obvious targets, common techniques and predictable results. Perhaps the detailed post-mortem of these incidents will provide us with some new lessons from all of this, but in the meantime it all looks depressingly familiar.

Suggested articles

NYT Goes Deep On Albert Gonzalez Story

You might think everything that needed to be said already has been said about Albert Gonzalez, the mastermind behind the largest public computer security breaches in U.S. history. But the lengthy and up close account of Gonzalez in the New York Times today shows that there are more layers to what is, perhaps, the most spectacular hacking case in recent memory.

Discover Will Receive $5 Mil from Heartland Breach

Heartland Payment Systems has agreed to pay $5 million to Discover to
settle claims arising from the massive data breach disclosed by the
payment processor last year. Read the full article. [Computerworld]

Heartland Settles with MasterCard

Heartland Payment Systems has made a third
settlement deal, this time with MasterCard, related to a massive data
breach two years ago at the card payments processor. As part of
the deal, Heartland has agreed to pay as much as $41.1 million to
MasterCard issuers that lost money. Read the full article. [IDG News Service]

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.