The attackers who infiltrated Target’s network several weeks ago and made off with 40 million credit and debit card numbers used a multi-stage attack, funneling their stolen data through an FTP server and then a VPS server in Russia. It took more than two weeks, but the attackers eventually exfiltrated about 11 GB of data, researchers say.
The Target breach has quickly made its way onto the short list of the largest data breaches in history, and details are continuing to emerge. Last week the company admitted that, in addition to the 40 million stolen card numbers, personal information belonging to an additional 70 million people also had been stolen. And earlier this week it was reported that the attackers accomplished their feat by installing malware on the point-of-sale systems at hundreds of Target stores. The malware appears to be a derivative of a previously seen PoS malware strain known as BlackPOS.
Researchers at Seculert in Israel have analyzed a sample of the malware used in the Target attack and found that the malware was on the network for nearly a week before it began sending stolen data off to an FTP server sitting on a compromised Web site. The attackers transmitted the information from another compromised machine on the Target network, rather than directly from the PoS systems, the researchers said.
“Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to an FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2-week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GB of stolen sensitive customer information,” Aviv Raff, CTO of Seculert, wrote in an analysis of the malware.
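The staging pattern Raff describes (an internal host pushing batches to one external FTP server several times a day for two weeks) is the kind of recurring outbound flow a network monitor can surface. The following is an added detection example, not code from Seculert or from the breach investigation; the flow records, addresses and host names are constructed, and the PoS segment prefix and thresholds are assumptions a defender would tune to their own network.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records from a point-of-sale
# segment: "timestamp,src_ip,dst_host,dst_port,bytes_out". Every value here
# is invented for this example; none comes from the Target investigation.
SAMPLE_FLOWS = """\
2013-12-02T03:10:11,10.10.5.21,ftp.example-hijacked.test,21,5242880
2013-12-02T11:42:03,10.10.5.21,ftp.example-hijacked.test,21,7340032
2013-12-02T19:05:44,10.10.5.21,ftp.example-hijacked.test,21,6291456
2013-12-03T02:58:20,10.10.5.21,ftp.example-hijacked.test,21,8388608
2013-12-03T12:14:09,10.10.5.21,ftp.example-hijacked.test,21,4194304
2013-12-04T04:01:37,10.10.5.21,ftp.example-hijacked.test,21,9437184
2013-12-04T14:33:51,10.10.5.21,ftp.example-hijacked.test,21,5242880
2013-12-02T09:00:00,10.10.5.30,updates.vendor.test,443,20480
2013-12-03T09:00:00,10.10.5.30,updates.vendor.test,443,20480
2013-12-02T16:20:00,10.10.5.21,mail.corp.test,25,1024
"""

def parse_flows(text):
    """Parse CSV-style flow records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows

def find_staged_exfil(flows, pos_prefix="10.10.", port=21,
                      min_days=3, min_per_day=2):
    """Return (src, dst) pairs whose outbound FTP traffic from a PoS-segment
    host recurs at least min_per_day times on at least min_days distinct
    days, together with the total bytes pushed to that destination.
    pos_prefix (assumed PoS address range) and port are example choices."""
    per_day = defaultdict(lambda: defaultdict(int))   # (src, dst) -> day -> count
    total = defaultdict(int)                           # (src, dst) -> bytes
    for f in flows:
        if f["port"] != port or not f["src"].startswith(pos_prefix):
            continue
        key = (f["src"], f["dst"])
        per_day[key][f["ts"].date()] += 1
        total[key] += f["bytes"]
    hits = {}
    for key, days in per_day.items():
        busy_days = [d for d, n in days.items() if n >= min_per_day]
        if len(busy_days) >= min_days:
            hits[key] = {"days": len(busy_days), "bytes": total[key]}
    return hits

if __name__ == "__main__":
    for (src, dst), info in find_staged_exfil(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {info['days']} busy days, {info['bytes']} bytes")
```

The one-off SMTP connection and the daily HTTPS update checks from the same segment do not trip the rule; only the repeated FTP batches to a single external host do.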
The specific malware used in the Target breach is reported to have had the ability to intercept sensitive data in memory on compromised machines before it is encrypted. That feature would defeat the end-to-end encryption that retailers sometimes use to protect data collected on PoS systems as it is sent to a back-end server and possibly on to a payment processor, because the data is captured at the only point where it exists in the clear.
“The attackers were using several components. One of the components has similar behaviors to BlackPOS, a memory parser PoS malware,” Raff said via email.
Raff said that despite speculation, he didn’t see any signs that the malware used in the Target attack was connected to the Neiman Marcus breach.
“While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack,” he said.