Krebs: Cheap, Crude but Effective PoS Malware Likely Responsible for Target Breach

Photo credit: Northfoto/
Photo credit: Northfoto/

Target has officially said that point-of-sale (PoS) malware was used in the attack – and has left it at that. Sources inside the company have now revealed that the likely culprit is a bare-bones crimeware offering called BlackPOS that can be had for as little as $1,800.

Target CEO Gregg Steinhafel confirmed in an interview with CNBC on Jan. 12 that the origin of the attack was, indeed, PoS malware.

Reuters then published a report that the specific type used was a memory-scraping malware, which captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal. As US-CERT explained, the data stored on the magnetic stripe is referred to as Track 1 and Track 2 data. Track 1 data is information associated with the actual account; it includes items such as the cardholder’s name as well as the account number. Track 2 data contains information such as the credit card number and expiration date.

From there, thieves can create legions of counterfeit cards.

Target has yet to comment on any of the further reports beyond its CEO’s statements on CNBC, and has released no further details on how the breach happened. But at least two sources “with knowledge of the ongoing investigation” have independently shared further information with security researcher Brian Krebs about the malware. To wit, they say that a PoS malware strain that Symantec calls “Reedum” managed to evade the 40-plus commercial anti-virus tools Target had in place to scan for malware on the systems. “They were customized to avoid detection and for use in specific environments,” the source told Krebs.

Reedum appears to be an alias for BlackPOS, a specialized PoS malware that is designed to bypass firewall software. It’s “relatively crude but effective,” Krebs said in a blog, noting that BlackPOS is sold in underground cybercrime forums for as little as $1,800, with a “full version” that has options for encrypting stolen data going for $2,300.

As for how the attack was carried out, most security experts have expected the heist to turn out to be the work of an insider gaining access to Target internal servers and from there uploading malware to PoS systems across the country. Sources confirmed part of the attack details to Krebs:

“According to sources, the attackers broke in to Target after compromising a company Web server,” he said. “Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.”

The source told him, “The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps.”

We reached out to the retailer for comment on this story. A Target spokesperson told Infosecurity that "due to the ongoing nature of the investigation, I don’t have additional details to provide at this time."

What’s hot on Infosecurity Magazine?