Black Friday 2013 was the beginning of a crazy shopping season for consumers and hackers alike.
Consumers snapped up holiday shopping deals across the retail spectrum and hackers snapped up the data from credit card magnetic strips. A good time was had by all.
Security experts have now begun to piece together the identities and methods of the actors behind the Target breach.
The stolen data began popping up for sale in black market underground chat rooms almost immediately, just like fresh-caught fish that needs to be purchased and consumed before it begins to stink!
Fearless former Washington Post columnist Brian Krebs was the first to report on the breach. Krebs has been infiltrating and reporting on criminal activities in underground online chat rooms since 2005.
According to Krebs:
“Key information that informs some of my best scoops is just as likely to come from people actively engaged in cybercrime as it is industry experts working to fight fraud. So, once again, a sincere thank you to all of my readers — lovers and haters alike.”
The investigators’ reports are in. I’m a risk management guy, not a computer engineer, so here’s a layman’s list of 9 steps revealing “How the attackers did it”:
– The attackers deployed malware sold by a well-known hacker nicknamed “Rescator”.
– The attackers hacked a server within Target’s own company to assist in the heist.
– The attackers installed malware at POS (Point of Sale) terminals inside Target stores.
– The attackers infected POS terminals and extracted card numbers and personal data.
– The attackers remained undetected inside the Target systems for 6 days.
– The attackers then transmitted the stolen information to an external server.
– The attackers hijacked a targeted website to begin receiving the stolen data.
– The attackers received data from intermittent transmissions over a 2 week period.
– The attackers used a server located in Russia to download the stolen data.
Other U.S. retailers are certainly holding their breath as the lawyers gear up to look for corporate culpability.
Bloomberg/Newsweek reporter Dune Lawrence had this to say in a recent article:
“From the smallest corner store to the biggest big-box retailer, pretty much anyone selling anything has to have what’s called a “point-of-sale” system for reading and processing customers’ credit and debit cards in our increasingly cashless economy. As a merchant, you’d better make sure shoppers trust that they’re not exposing themselves to identity theft and credit-card fraud every time they swipe. Even Target, a huge company with big bucks to spend on security, hasn’t managed to assure such certainty.”
Interestingly, investigators have now uncovered some of the actual passwords and usernames used by the fraudsters during the commission of the data heist. They even have a “selfie” (photo) shot by one of the known suspects.
In mid-January 2014, two suspects believed to be part of a much larger fraud conspiracy were arrested in Texas near the U.S.-Mexico border with 96 credit cards cloned with information stolen from the Target breach, according to law enforcement officials.
Although the methodology behind the Target attack is not unheard of, the scale of the attack certainly is. Mark Rasch, a former cybercrime prosecutor at the Justice Department, says it’s like playing a game of whack-a-mole: “We catch one and a dozen more pop up.”
Dale Penn is a professional speaker, privacy advocate and commercial insurance broker. He is the author of the award-winning book, Identity Theft Secrets: Exposing The Tricks Of The Trade. Follow Dale on Twitter @DalePenn