Target Malware: Exploring the Origins

Researcher Describes the Alleged Russian Connection
Dan Clements

More retailers are falling victim to data breaches linked to malware, so it's urgent for merchants, as well as other organizations, to take key steps to secure their networks, says Dan Clements, president of IntelCrawler, a cybercrime intelligence firm.

IntelCrawler discovered the malware, known as BlackPOS, that was used to breach Target Corp.'s point-of-sale systems.

Clements says his company has discovered six more retailers who may have been breached using the same malware. And he says merchants, banks and other organizations need to be watching their network traffic for suspicious activity.

"You have to watch for attacks against not only your customers, but against your key employees," he says in an interview with Information Security Media Group (transcript below). "They're being targeted right now, so you just have to be diligent. You have to have security resources in place, increase budgets and be preemptive. It means you have to go out into the underground and look at the intelligence of what's going on."

During this interview, Clements also discusses:

  • Where the Target malware originated;
  • How malware aimed at retailers is evolving on a daily, even hourly, basis;
  • Why attacks against employees have to be taken more seriously.

Clements is president and co-founder of IntelCrawler, a cybercrime intelligence firm. He started his Internet career in the late 1990s when he co-founded, a company that scanned underground forums for compromised exploits, credit cards and personal identifiable information. He later founded another Internet company known as before becoming a managing partner at Group-IB. In 2013, he co-founded IntelCrawler.

Target Malware: Exploring the Origins

TRACY KITTEN: What can you tell us about Black POS's roots?

DAN CLEMENTS: Well, the Target investigators are the ones that named the Black POS as the possible malware program that stole credit cards.It was just ironic that we had done some research on it early in 2013. At that time, we saw a young man in Eastern Europe offering the program for sale, basically trying to get $2,000 for the program in the underground.

KITTEN: Why is IntelCrawler so sure that the Target and Neiman Marcus network intrusions resulted from Black POS or some variant of it?

CLEMENTS: We're not sure that Black POS was used. I think one of the Target investigators named Black POS as the possible culprit. But clearly, the program can do what was attacked at Target.It can grab credit cards in RAM and fire them back to a server controlled by the bad boys.

Malware Author

KITTEN: How can you be so sure that the author is in fact this teenager who's based in Eastern Europe?

CLEMENTS: Well, first of all, no one is 100 percent sure about cybercrime. To do that, you have to have a camera behind the keyboard when someone commits a crime. So what we have analyzed are all the cyberprints of this young man; his IP addresses, e-mail accounts, social media accounts. As you put the cyberprints together, it raises the probability that this young man was the original author behind Black POS.

KITTEN: Does it appear that he sold the malware and helped to wage attacks against Target and Neiman Marcus?

CLEMENTS: He was the originator offering it for sale, or offering to let it be downloaded by his cohorts where they would share in the profits. Early in 2013, we saw his postings trying to market Black POS. It is highly probable that either he or one of the people that downloaded Black POS is probably behind the Target and Neiman Marcus attacks.

KITTEN: Have other individuals or groups been linked to these attacks?

CLEMENTS: There's a whole niche in the underground of people who are going after point-of-sale systems at merchants.We're tracking about nine different people that know how to scan and get into the merchant systems. They know how to load in the Black POS system, how to get the cards out, and at this point, they're also trying to decrypt the PIN numbers that they grabbed.

KITTEN: What kind of information has your company collected to support that PINs were decrypted during the breach?

CLEMENTS: We have found multiple strings of the encrypted PINs from multiple sources, all trying to decrypt the information. So there's a lot of activity; they're posting the script, asking for decryption, and claiming that if they can decrypt them, they can all get rich.

Six Other Retailers Compromised

KITTEN: What can you tell us about IntelCrawler identifying six other retailers that appear to have been compromised by Black POS?

CLEMENTS: We did find six open sites that were being floated in the underground with logins and passwords. We forwarded those on to law enforcement so that they can investigate whether or not the merchants were actually breached, and possibly try to find who the bad actors are.

KITTEN: So when you say six open sites, you're referring to IP addresses; is that correct?

CLEMENTS: That is correct.

KITTEN: How reliable is it to look at IP addresses and say they're linked to an attack?

CLEMENTS: If they publish IP addresses with logins and passwords to merchant systems, it's highly probable that somebody went in and analyzed to decide whether or not they wanted to load in a piece of malware like Black POS. Did we actually go into the system to see if credit cards were taken? No. But we forwarded all of the cyberprint information to law enforcement.

KITTEN: Can you say which retailers or additional retailers have been targeted?

CLEMENTS: We don't know the actual names because that's really not our space; we're just looking for an open device or open IP that the bad guys have possibly targeted. We forward that information to the people that do the investigation.

Security Recommendations

KITTEN: Is IntelCrawler at all involved with some of the Department of Homeland Security research?

CLEMENTS: No, not at all.

KITTEN: Have some of your own findings perhaps supported some of what appears to be in the DHS report?

CLEMENTS: I don't know exactly what's in the DHS report, but our recommendations are very similar to everybody's in the security industry: Lock down those systems, comply with PCI and make sure you're monitoring network traffic. But our biggest recommendation would be for these merchants to increase their IT security budgets. The people that are doing the security don't have the resources and tools to prevent all of the attacks that are coming minute by minute.

KITTEN: What other types of malware have been identified by your company, and how do they pose a risk to retailers?

CLEMENTS: We posted on our website information about a new piece of malware called Decibel that in theory does the same thing as Black POS As anti-virus programs are figuring out what is an actual program that may grab credit cards and RAM, the bad guys are just going to make a right turn and come out with another program. We're constantly monitoring for those types of exploits in the underground.

KITTEN: What happens with this particular individual who's been identified as the author of Black POS? What do you expect the next steps to be?

CLEMENTS: In Eastern Europe it's very hard to get handcuffs on cybercriminals, and it's almost impossible to get them extradited. I would say the odds of getting somebody that was behind the Black POS attack, if they are in Eastern Europe, are about the same of us getting Snowden back. It's just very difficult; and sometimes even when we do know who the criminals are, they may have protection from state-sponsored government agencies.

KITTEN: What role do the card brands play here?

CLEMENTS: They're trying to facilitate a very secure financial industry where we can all use credit cards at retailers. I think the fraud rates are under control, I think there will be more attacks, but we just have to be diligent. We have to watch our accounts. Even though we're not liable, we have to watch for that $1 charge on a credit card.The attack is going to come; you just have to watch for the tip of the iceberg.

Key Takeaways

KITTEN: What would are some of the key takeaways for banks and retailers?

CLEMENTS: The takeaways are, you have your people watching network traffic. You have to watch for attacks against not only your customers, but against your key employees. They are being targeted right now, so you just have to be diligent. You have to have security resources in place, increase budgets, be preemptive; which means you have to go out into the underground and look at the intelligence of what's going on. You have to be on your game, and a lot of banking institutions and card associations now have intelligence teams that are going beyond the castle's walls to find that intelligence, so they have a preemptive plan against the attack.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.