Slashdot Mirror

← Back to Stories (view on slashdot.org)

Target Credit Card Data Was Sent To a Server In Russia

Posted by Soulskill on from the really-just-a-misformatted-order-for-vodka dept.

angry tapir writes "The stolen credit card numbers of millions of Target shoppers took an international trip — to Russia. A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history. Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks. Over two weeks, the malware collected 11GB of data from Target's POS terminals. The data was first quietly moved to another server on Target's network and then transmitted in chunks to a U.S.-based server that the attackers had hijacked. Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2." A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson.

20 of 137 comments (clear)

  1. POS by tompatman · · Score: 5, Funny

    Target's terminals are aptly named.

    1. Re: POS by Anonymous Coward · · Score: 5, Insightful

      Considering that the terminals in question were running un-patched, net booted XP SP2 WinPE instances with an old Java 4 version, the fact that there were attack vectors should be a long ways from shocking.

    2. Re: POS by Anonymous Coward · · Score: 5, Insightful

      Target doesn't really care. They had $100 million in cyber security insurance so most of the cost of this will be covered. AFA the public not trusting Target, well, it will pass quickly because the masses have a short attention span.

    3. Re: POS by ChromaticDragon · · Score: 4, Interesting

      I am curious regarding your information. Got source?

      Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.

      Furthermore, it seems Target was self-insured for this. So it isn't quite correct to think they will glibly had this bill to an insurer - they ARE their own insurer.

    4. Re: POS by Megane · · Score: 5, Interesting

      The thing that bugs me most is that they were on a network that was routed to the entire internet. Yeah, I don't think a POS terminal needs to be able to check Google or Facebook, much less "chernyykhod.ru". Even simply putting them on a VLAN with a very restrictive firewall to the public internet would have avoided the problem. And a RFC-1918 network doesn't count if it's behind a NAT router, since these packets went outbound from the POS. Belt and suspenders.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    5. Re: POS by Anonymous Coward · · Score: 5, Interesting

      They might care, but I can bet their solution will be more bureaucracy rather than better technology. There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.

    6. Re: POS by jythie · · Score: 4, Informative

      It is also possible that their underwriters could claim that Target did not take due diligence in protecting its network and thus a full payout is not warranted. Insurance companies do not like being treated like a blank check to not take precautions.

    7. Re:POS by JoeMerchant · · Score: 3, Funny

      In Soviet Russia: Credit Cards -> Target -> YOU.

      Seriously, though, this means that the perps were able to setup a relay station in Russia. I would hope that a person/organization capable of this kind of operation would have the resources/foresight to relay data through several foreign countries.

      How embarrassing would it be for the Target data to have been heisted straight to young Matthew Broderick's bedroom? Even if something like that did happen, I'd expect the circulated news stories to tell tales of a massive, sophisticated, international syndicate of PhD hackers, who have now been arrested and jailed, or terminated by drone strike if they were hiding in uncooperative countries. Which story inspires more confidence in the safety of our financial systems? That is likely the story that will be told.

    8. Re: POS by mythosaz · · Score: 4, Informative

      Doesn't appear that way to me..

      The actual report on the software installed on the agent makes it pretty clear that the information was being gathered locally and forwarded internally to a collection point before being sent to Russia, like I suggested in previous threads:

      http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf

      The point of sale machines try to make a connection to \\10.116.240.31\c$\WINDOWS\twain_32 -- an obvious store-and-forward point on the network for exporting the card data otuside of Target. Hackers compromised this box, likely named ttcopscli3acs, since the credentials passed to 10.116.240.31 were ttcopscli3acs\Best1_user with a password of BackupU$r.

      It also made port 80 requests to 10.116.240.31 -- the server the hackers "owned" inside of Target.

      The rest of the breakdown only details the registry changes that happen when you install a service -- which was the install vector. There isn't a discussion of how the skimming/scanning/card-stealing software was distributed, but...

      IT WAS OBVIOUS THEY WERE ALREADY INSIDE THE NETWORK - they (p)owned servers - so it's a reasonable guess that they just deployed the software without needing any hole on the workstations.

      The twain_32 folder is one of those things that casual inspection would overlook - and obviously did.

  2. in soviet russia by Joe_Dragon · · Score: 5, Funny

    In Soviet Russia We Target You!

    1. Re:in soviet russia by bradgoodman · · Score: 3, Informative

      I only checked the posts here to read the impending "In Soviet Russia..." jokes.

  3. And the NSA Missed All Of This? by littlewink · · Score: 5, Interesting

    Where's our protection from Russian financial terrorists? Were the NSA employees in charge distracted by their Starbucks carmel macchiatos at the time this was coming down?

    A clear instance of international crime/terrorism and NSA was asleep at the wheel.

    1. Re:And the NSA Missed All Of This? by ruir · · Score: 4, Funny

      NSA is too busy reading their ex emails...

    2. Re:And the NSA Missed All Of This? by swb · · Score: 3, Interesting

      I keep asking myself why the NSA isn't more involved in large-scale financial fraud considering their ample abilities to sample international data networks and their likely considerable focus on Russia and the involvement of shady financial transactions in funding terrorism.

      In the case of Russia specifically, I would expect the NSA to be heavily involved in monitoring Russian hackers given the shadowy nexus of hackers, organized crime, ex-KGB agents, and the current FSB.

  4. PCI compliance? by NynexNinja · · Score: 5, Interesting

    Target suffered similar data theft in 2005, and now again in 2013. By storing cardholder information, CVV's and (worst) PIN's in the clear, they obviously are not PCI DSS compliant. If this happened to any other retailer, Visa would revoke their PCI compliance status. If nothing happens regarding their PCI compliance status, what does it say about PCI compliance in general? PCI compliance is nothing but a joke, not to be taken seriously. Why even go through the work and trouble to get PCI DSS certified if companies like Target can flout the rules and get away without any penalties.

    1. Re:PCI compliance? by alen · · Score: 3, Interesting

      it's like SOX and HIPAA
      you do a lot of work "certifying' that things work according to someone's checklist and repeat next year

      they are nothing more than jobs programs for auditors and a get out of jail free card for everyone involved

  5. Traget outsourced IT operatations by Joe_Dragon · · Score: 3, Insightful

    Traget outsourced IT operatations and field work is subbed out as well.

    So maybe the IT people within the company that see the problems and may know how to fix them are so far apart form the people who work that team that they can't get stuff down or things are setup up that way so it's easier to sub work out vs locking stuff down and giving each Subcontractor there own logins / private email / info on the system.

    Using common logins / just giving the info contractors who then giving that info out to the subcontracts is easier and makes it easier to change firms on each level. But then that info may not get changes / ends in the hands of non tech people who may not give it the security it needs.

  6. It largely doesn't matter by Kardos · · Score: 3, Interesting

    I'm not going to defend Target for being embarrassingly sloppy, however, no matter how you look at it, it largely doesn't matter:

    a) It's a business decision to invest in cyber-insurance or cyber-security, they picked insurance. As technical people, we like technical solutions, but maybe insurance was the right choice.

    b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

    c) Everyone gets credit monitoring. If the credit monitoring is not snake oil, then it'll catch cc fraud that's not a direct result of this Target screw up. This may actually be a benefit. People who were dimly aware of how the cc system works will become informed. This is probably a net positive here.

    d) Awareness is raised about POS security; other companies who are running the similarly secured systems may be motivated to fix it. Another net positive.

    The only people getting screwed are Target (for operating a shit system) and/or the cc issuers (for permitting Target to run a shit system).

    1. Re:It largely doesn't matter by Solandri · · Score: 3, Informative

      b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

      Fraudulent credit card charges are paid for by the merchant who sold the goods to the fraudster. When you contest a charge, the credit card issuer does a chargeback and reverses the charges on the merchant who made that transaction. The merchant then has to try to prove the charge is legit (e.g. produce a signed receipt whose signature matches the cardholder's), or he is out both the merchandise and the money. The issuer pays nothing for fraud, except for small transactions where they may decide to credit the cardholder without reversing the charges on the merchant (the charge is deemed too small and not worth the expense of investigating).

      Your double-digit interest rate pays for other credit card holders who default on their bills. And to line the pockets of the credit card issuer.

  7. Re:Limiting outbound access to servers is too toug by trybywrench · · Score: 3, Interesting

    Unless I'm reading it wrong you're basically disabling webservices like making a SOAP call to a third party on behalf of the connecting user-agent. That's a non-starter for just about all companies that have at least one business partner.

    --
    I came to the datacenter drunk with a fake ID, don't you want to be just like me?