Friday, January 10, 2014

Escalating Target data breach (110M and *ulp* rising) exposes major security threat of POS malware, botnets

USA Today reports that Target says its data breach has now reached 110 million customers who had personal information stolen in its credit/debit card data breach, up from previous estimates of 40 million and then 70 million cards affected.

TechRepublic's Michael Kassner has the additional reporting: PoS malware and botnets abound.

As reported by Kassner:

Some fallout from the Target data breach has been the acknowledgment that PoS systems are under attack. This US-Cert bulletin from January 2nd mentions:

“For quite some time, cyber criminals have been targeting consumer data entered in PoS systems. In some circumstances, criminals attach a physical device to the PoS system to collect card data. In other cases, cyber criminals deliver malware which acquires card data as it passes through a PoS system.”

The US-Cert quote is an opportunity [...] to introduce Dexter, the PoS malware referenced in the bulletin. Researchers with Arbor’s Security Engineering and Response Team discovered servers hosting Dexter in early 2013.

Dexter steals the process list from the infected computer and dissects memory dumps looking for the track one and two data I mentioned earlier. At a certain point, the infected machine sends the captured data to the attackers’ command and control server, after which the criminals are free to use the information to clone new cards. The unfortunate thing is that as of yet, no one understands how the malware makes its way into the PoS system.

[However], it seems the bad guys are not content with their success, deciding to bring their game to the next level—PoS botnets.

This from ArsTechnica:

“Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target PoS terminals.”

Dan Goodin in the ArsTechnica post mentioned that Dexter went through a major revision, and now incorporates botnet malcode. Grouping all the infected machines into a botnet is beneficial in that it allows the bad guys to monitor, in real time, the goings on of all the infected machines. It also allows the bot masters to issue commands that immediately propagate to all member bots. To put it simply, using botnet technology helps the bad guys steal more money, while improving their odds of avoiding detection.
