The attack on Target started with a compromised web server

Jan 16, 2014 08:13 GMT  ·  By

Target has recently admitted that the piece of malware used to steal its customers' personal and financial details was installed on point-of-sale (POS) registers. The malware in question might be BlackPOS, a threat allegedly developed by Russian and Ukrainian cybercriminals.

The retail giant hasn’t provided any details on how the attackers breached its systems. However, a couple of sources close to the investigation have told Brian Krebs that the attackers initially compromised one of the company’s web servers.

From there, they managed to upload the malware to POS machines. They used one of Target’s own servers as a central point where all the stolen data was gathered. From that server, to which they had persistent access, they retrieved the loot manually.

A sample of the malware was uploaded to Symantec's ThreatExpert.com website three days after Target learned that its networks were breached. Sources have told Krebs that when the malware was planted on Target's systems, sometime before November 27, none of the antivirus engines on VirusTotal detected it.

The BlackPOS malware is not very sophisticated, but it can be highly efficient. The basic version is sold on underground markets for around $1,800 (€1,320), while the full version costs $2,300 (€1,700).

The threat is what's known as memory-scraping malware. It reads the magnetic-stripe track data out of the POS application's memory in the brief window after a card is swiped, while the data still sits unencrypted in RAM before being passed on to the payment processor.

Russian IT security firm Group-IB has been monitoring the activities of the group that appears to have developed the malware, in particular an individual who uses the online moniker "Antikilller." From one of the demo videos published by the cybercriminals, experts have identified a Vkontakte.ru account.

The account in question has been linked to a group of Russians and Ukrainians.