Security firm IDs malware used in Target attack
iSight describes Trojan as sophisticated derivate of older point-of-sale malware
Computerworld - A security company that worked with the U.S. Secret Service to investigate the data breach at Target identified the malware used in the attack as a sophisticated derivative of a previously known Trojan program designed to steal data from Point-of-Sale (POS) systems.
In a report released Thursday, iSight Partners identified the tool as Trojan.POSRAM, which it described as software that can find, store and transmit credit card and PIN numbers from POS systems.
The Trojan is being used in a "persistent, wide ranging, and sophisticated" cyber campaign dubbed KAPTOXA targeting "many operators" of POS systems, the company warned. Some affected companies may not yet know they've been compromised or have already lost data, the iSight report noted. It did not mention Target as the company that was investigated.
Tiffany Jones, the author of the report, described the POSRAM Trojan as a customized version of BlackPOS, a piece of malware that has been available in the cyber underground since at least last February.
Like BlackPOS, the POSRAM Trojan is designed to steal a card's magnetic stripe data while it is stored momentarily in a POS system's memory, just after a credit or debit card is swiped at the terminal.
After infecting a POS terminal, the malware monitors the memory address spaces on the device for specific information. When it finds something of interest, the software saves the data to a local file and then transfers it to the attackers at preset times. It then is coded to delete the local file to cover its tracks.
According to Jones, at least 75% of the code in POSRAM is similar to the code in BlackPOS. Where POSRAM differs is in the methods it uses to evade detection by anti-malware tools, said Jones, who is a senior vice president of client solutions and support at iSight.
At the time the code was discovered, even fully updated antivirus tools would not have been able to detect the malware. "This software contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics, concealing all data transfers and executions that may have been run, rendering it harder to detect," the iSight report said.
Because of the ongoing investigation, iSight is not able to disclose how the attackers have managed to install the malware on targeted POS systems, Jones said. But retailers who are concerned about their systems should get in touch immediately with the Secret Service, she said.
Target earlier this month disclosed that sensitive data on 40 million debit and credit cards and other personal information such as emails, phone numbers and full names of an additional 70 million people was compromised in a data breach that occurred over Thanksgiving.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency... All Cybercrime and Hacking White Papers | Webcasts