According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country.
Steinfhafel told CNBC’s Becky Quick in an interview that malware was used in attacks that compromised the company’s point of sale registers.
“While Steinfhafel said the full extent of what transpired is not yet known, what Target does know is that malware was installed on the company’ point of sale registers,” Quick wrote Sunday evening.
“Sunday (Dec. 15) was really day one. That was the day we confirmed we had an issue and so our number one priority was … making our environment safe and secure. By six o’clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk,” Steinhafel told CNBC.
“Day two was really about initiating the investigation work and the forensic work … that has been ongoing,”Steinhafel continued.”Day three was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and day four was about notification.”
On Friday, high-end department store Neiman Marcus also said that customer credit and debit card information was compromised as a result of a recent cyber attack during a similar time frame to the attack on Target.
According to a report from Reuters, Target and Neiman Marcus may not be alone, as other popular U.S. retailers may have been breached during the busy the holiday shopping season.
“Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target,” Reuters reported, citing sources familiar with the attacks. “Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.”
According sources who spoke to Reuters, attackers used RAM scraper, or Memory parser malware to steal sensitive data from Target and other retail victims.
Visa issued alerts about attacks utilizing these types of malware in April 2013(PDF) and again in August 2013(PDF).
After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the through the payment process.
Memory parser malware targets payment card data being processed “in the clear” (unencrypted) in a system’srandomaccess memory (RAM).
“The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.
“These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in random access memory (RAM). The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it.”
Visa first warned about these types of attacks targeting grocery merchants, but said merchant segment is vulnerable.
In April 2013, just days after Visa issued a warning of POS malware attacks, Schnucks Markets, a 100-store grocery chain across the Midwest, said that roughly 2.4 million payment cards used at 79 of its 100 stores were compromised as a result of a previously disclosed cyber attack.
In October 2012, Barnes and Noble said it suffered a data breach resulting in the loss of customer credit card data stemming from compromised point of sale terminals.
In May 2011, craft chain Michaels Stores reported that 90 PIN pads across some of its 995 stores nationwide had been compromised.
Attackers are also using anti-forensic techniques such as tampering with or deleting security event logs, using strong encryption or modifying security applications (e.g., whitelist malware files) to avoid detection, Visa said.
“As compliance with the PCI DSS expands, POS systems are increasingly eliminating the practice of storing prohibited data to system disks, thereby preventing attackers from readily obtaining stored data,” Visa explained. “The use of memory parser malware that parses data from volatile memory suggests attackers have successfully adapted their techniques to obtain payment data not written to POS system disks. This method of data extraction is of particular concern, since unencrypted data is commonly written to volatile memory during the transaction process.”
Early this month, US-CERT issued a warning to retailers about malware targeting point of sale systems.
Becky Quick’s full interview withTarget CEO Gregg Steinhafel is expected to air Monday (Jan. 13) at 6am ET on CNBC.
Related: Experts Debate How Hackers Stole 40 Million Card Numbers from Target
Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:Target Confirms Point-of-Sale Malware Was Used in AttackNeiman Marcus Confirms Payment Card Data Stolen in Data BreachTarget Data Breach Affected 70 Million Customers, Included Phone Numbers and Email AddressesYahoo Enables HTTPS Encryption by Default for Yahoo MailFireEye Looks to Build Cybersecurity Powerhouse With $1 Billion Acquisition of Mandiant