
1000s of Retailers Could Be Facing a Data Breach

Point of Sale malware is nothing new, and one such malware, KAPTOXA, was responsible for the data breach of retail giant Target back in 2013. This kind of malware is aimed at P.O.S. systems such as cash registers, and the PIN/card pads typically attached to them. As customers swipe their cards and enter their PINs into these systems, for an incredibly brief moment this data is unencrypted, until it has passed through the RAM. Malware like KAPTOXA, and the recent headliner, Backoff, target this unencrypted data as part of their code, via RAM scraping, and once they have collected it, send it to the desired location, typically the hackers', to then be sold off. Backoff also happens to monitor and log keystrokes, execute command and control communication, and inject malicious code stubs into explorer.exe files. These last 3 things are common to most malware, as they are designed to give it as long a lifespan as possible on the target system, and allow it to send data back to a home server where it can be sold off.
 
Back on July 31st, the US Computer Emergency Readiness Team released an alert about the malware dating back to its initial detection in October of 2013. This alert sums up more about how Backoff works, and how it's infecting systems, so give it a read. Anyway, since that initial alert was released, major retailers began to audit their systems to search for signs of infection, since typical anti-virus software has had an incredibly low detection rate thus far, of low to 0%. On August 20th, UPS came forward and admitted they had a data breach via Backoff at 51 of their franchise locations, a mere 1% of what they have. Yesterday, August 22nd, an Infection Assessment was released jointly by the US Department of Homeland Security and US Secret Service after it had been found out that 7 major POS vendors had been infected with this malware, and 1,000s of retailers as a result could be affected.



Since the malware is being installed via brute forcing remote desktop applications using publicly available tools, retailers are being urged to educate employees, provide approved methods of remote access, and to perform network audits to detect open ports for remote access services, close those ports, and turn the services off. So far, only UPS and SuperValu have confirmed any breach/infection, but due to the low detection rate of anti-virus software for Backoff, the inherent weak security of magnetic strips, and the indiscriminate target choice (everything from enterprise networks down to small business networks has been targeted, it appears), there are surely many more affected retailers and businesses, though few are likely to come forward after the backlash Target received following its data breach in 2013.
 
For now, I'd keep your eyes and ears peeled as the story unfolds, and more retailers/business come forward. Who knows how many people could have been compromised this time, and how large the extent of damage could be. This could possibly be the largest data breach in history, depending on how many companies actually come forward, whether large or small.
 
NOTE: The full DHS/SS report is 10 pages, however I could not find the full report anywhere, simply the summary. If anyone finds a link to the full report, post it, and I'll gladly give you credit. As well, this is my first new post on here, and ever, so cut me a bit of slack as my "journalism" skills are sorely lacking.


http://www.pcworld.com/article/2598140/us-warns-significant-number-of-major-businesses-hit-by-backoff-malware.html
http://www.tomsguide.com/us/ups-malware-spread,news-19375.html
http://bits.blogs.nytimes.com/2014/08/22/secret-service-warns-1000-businesses-on-hack-that-affected-target/?_php=true&_type=blogs&_r=0
http://www.zdnet.com/us-warns-of-backoff-latest-entry-into-pos-malware-market-7000032240/
https://www.us-cert.gov/ncas/alerts/TA14-212A
https://www.documentcloud.org/documents/1279345-secret-service-malware-announcement.html

 

Update: [8/24/2014]

An estimated 100,000 customer transactions from January-August were compromised in the UPS breach.

Link to affected stores: http://www.theupsstore.com/security/Pages/default.aspx

Link to affected SuperValu stores: http://www.supervalu.com/content/dam/supervalu/Store%20List.pdf

 

Update [8/30/2014]

It appears in some instances Backoff is showing up as javaw.exe, in the Oracle Java directory. Most POS systems do not need Java, so this could serve as an indicator of infection.

Data from keylogging, stolen PINs, etc., is forwarded back to malicious servers every 60 seconds.

http://www.eweek.com/security/slideshows/why-backoff-malware-is-such-a-big-threat-to-retailers.html

"Any sufficiently advanced technology is indistinguishable from magic" - Arthur C. Clarke
Just because it may seem like magic, I'm not a wizard, just a nerd. I am fallible. 


Use the quote button or @<username> to reply to people | Mark solved troubleshooting topics as such, selecting the correct answer, and follow them to get replies!

Community Standards | Guides & Tutorials Troubleshooting Section


Ouch! Does this only affect retailers using the magnetic strip (ie. only retailers in the US), or can it affect Chip&Pin devices as well (thus be a major worldwide problem)?



I haven't found a mention of it, but I imagine they are also targets, since all the data transmitted via the cards is unencrypted until it has been passed through the P.O.S.'s RAM. If I can find the full 10 page DHS/SS report, I might be able to give more information on that. Mag strip use still happens all the time in Canada and many other countries that have chip and pin as well, since chip and pin can sometimes just flake out, or the POS system for whatever reason doesn't want to work with it on occasion.

Bump for exposure :P

Does this affect Newegg? God I hope not.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


Great so now that I get all panicky knowing ATMs are running on motherfucking Windows XP what can I do if the alternative is swiping a card on a weak PoS terminal....that's likely also running XP anyway.

I need a bigger mattress.


Alas, for now we can only sit and wait to see who comes forward, and what evolves from all this. I'm monitoring things online to see new articles, and so on that get published, so I'll post any new updates I come across as I find them, if I find them. Personally though, for the time being, I am not touching PoS systems, cash for everything!

Damn...

Main rig on profile

VAULT - File Server


Intel Core i5 11400 w/ Shadow Rock LP, 2x16GB SP GAMING 3200MHz CL16, ASUS PRIME Z590-A, 2x LSI 9211-8i, Fractal Define 7, 256GB Team MP33, 3x 6TB WD Red Pro (general storage), 3x 1TB Seagate Barracuda (dumping ground), 3x 8TB WD White-Label (Plex) (all 3 arrays in their respective Windows Parity storage spaces), Corsair RM750x, Windows 11 Education

Sleeper HP Pavilion A6137C


Intel Core i7 6700K @ 4.4GHz, 4x8GB G.SKILL Ares 1800MHz CL10, ASUS Z170M-E D3, 128GB Team MP33, 1TB Seagate Barracuda, 320GB Samsung Spinpoint (for video capture), MSI GTX 970 100ME, EVGA 650G1, Windows 10 Pro

Mac Mini (Late 2020)


Apple M1, 8GB RAM, 256GB, macOS Sonoma

Consoles: Softmodded 1.4 Xbox w/ 500GB HDD, Xbox 360 Elite 120GB Falcon, XB1X w/2TB MX500, Xbox Series X, PS1 1001, PS2 Slim 70000 w/ FreeMcBoot, PS4 Pro 7015B 1TB (retired), PS5 Digital, Nintendo Switch OLED, Nintendo Wii RVL-001 (black)


Updated with:

  1. Simple graphic
  2. Approximate number of affected UPS customers
  3. Link to affected UPS and SuperValu stores

I don't know what hackers do with thousands of people's credit card data. Like when PSN was hacked, what did they do with the data? Buy Lambos? Card holders would just cancel the transaction. What use is this massive data?

The stone cannot know why the chisel cleaves it; the iron cannot know why the fire scorches it. When thy life is cleft and scorched, when death and despair leap at thee, beat not thy breast and curse thy evil fate, but thank the Builder for the trials that shape thee.

Each card could be skimmed for paltry sums of, say, $0.10 that most people would never know about. Now, multiply that by the 70,000,000 people in the PSN breach, and suddenly you have $7,000,000, and most people won't cancel such a small transaction. As well, your CC info has a lot of information on you that you never know about, and that info can be quite valuable to people who may want or need an identity that is not their own for whatever reason, and people will pay for that.

 

That's a good idea. Credit cards already have so many small transactions each month from the bank alone, so people would just think it is their bank. But wouldn't it be easy to find the man that owns an account that takes 70 million transactions. It is a suspect thing, even if nobody reports it.


Spread it over time my friend, and across multiple accounts. In reality however, this is not one person, it's going to be a group to have the kinds of resources required. Wealth from either transactions or selling data off is gonna be huge, and spread amongst everyone involved lowering the risk of getting caught.

This is what happens when heads of networks don't know what they are doing, or are too lazy to check and close ports for RDC etc.

Intel I9-9900k (5Ghz) Asus ROG Maximus XI Formula | Corsair Vengeance 16GB DDR4-4133mhz | ASUS ROG Strix 2080Ti | EVGA Supernova G2 1050w 80+Gold | Samsung 950 Pro M.2 (512GB) + (1TB) | Full EK custom water loop |IN-WIN S-Frame (No. 263/500)


And this is why the credit card system is so flawed. That is one good thing about the BTC system, where merchants do not need to hold consumers' vulnerable information.

if you want to annoy me, then join my teamspeak server ts.benja.cc


All systems have their flaws. In the case of BTC, it's the extremely high cost of accruing the currency. In essence, you are exchanging a lot of currency for another currency, and it's one that isn't even close to being globally adopted and accepted. Guaranteed, as things shift and BTC becomes more prevalent, it'll be targeted more and more, and exploits will be found, and along with that will be stories along this line, only with BTC.

I mainly wanted to reference how with BTC the merchants don't hold your info. Like how in the BTC system money is "pushed" to someone, whereas with credit cards money is "pulled" from someone.


All that limits is re-selling of your data. If it's the money you're after, it's not going to help with anything. Regardless, both systems have flaws, both will always have flaws, and stuff like this will always happen. This particular instance just happens to be incredibly large because the target was originally the PoS vendors, which allowed stupidly easy spreading of it, and hence, we have a possible 1,000 infected retailers that could all be facing a data breach.

What's up with all the issues that have been going on lately? ....

 

:banghead:

I somehow missed your earlier question. Anyway, the issue is stemming from a couple of issues:

  1. 7 PoS vendors discovered they had been compromised by the various malware out there
  2. Backoff, the one in the news, was first detected back in October of 2013, but anti-virus software didn't get around to adding it to their databases until sometime in August
  3. Specifically, the targets have not just been the PoS vendors, but retailer networks via Remote Desktop type services and protocols, be they offered by Apple, Windows, or anyone else, and they were gaining access by brute forcing their way in
  4. Although Backoff was discovered in 2013, it wasn't considered a real threat until UPS and SuperValu came forward earlier this week, after US-CERT issued their advisory in June, that they had been compromised by this specific malware
  5. The time in between the initial discovery and the US-CERT advisory was 9 months, where it wasn't really on the radar of admins or anti-virus companies
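The brute forcing of remote desktop logins described in the opening post and in point 3 above leaves a trail in the target's own logs, and that trail is what a retailer auditing its systems should be looking at. The following is an added example, not code from this thread or from any of the linked reports: it parses a constructed export of Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and flags source addresses that rack up repeated failures inside a short window, noting when a success follows the burst. The log line format, the addresses and account names, and the threshold and window values are all assumptions.

```python
"""Flag RDP brute-force bursts in a Windows Security log export.

Added example for the thread above; the event lines, addresses, accounts and
thresholds are constructed for illustration and are not from the original posts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export. Real Security log entries carry far more fields; this
# flattened "key=value" shape is an assumption made to keep the parser short.
SAMPLE_LOG = """\
2014-08-20T02:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2014-08-20T02:00:03 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2014-08-20T02:00:04 EventID=4625 LogonType=10 Account=pos Source=203.0.113.7
2014-08-20T02:00:06 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2014-08-20T02:00:08 EventID=4625 LogonType=10 Account=backup Source=203.0.113.7
2014-08-20T02:00:09 EventID=4625 LogonType=10 Account=support Source=203.0.113.7
2014-08-20T02:00:30 EventID=4624 LogonType=10 Account=pos Source=203.0.113.7
2014-08-20T09:15:00 EventID=4625 LogonType=10 Account=clerk1 Source=192.168.1.22
2014-08-20T09:15:40 EventID=4625 LogonType=2 Account=clerk1 Source=192.168.1.22
2014-08-20T14:15:40 EventID=4625 LogonType=10 Account=clerk1 Source=192.168.1.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn the export into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"],
            "source": m["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failures_in_window, distinct_accounts, success_followed)}.

    Only LogonType 10 (RDP) events count. A source is flagged when at least
    `threshold` failures fall inside any `window`; the tuple reports the
    largest such burst and whether a 4624 from the same source followed it
    within one window, which is the case that needs an incident response.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:
            continue  # console/service logons are a different problem
        if e["eid"] == 4625:
            failures[e["source"]].append(e)
        elif e["eid"] == 4624:
            successes[e["source"]].append(e["ts"])

    flagged = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(fails)):
            # slide the window start forward until the span fits in `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                burst = fails[start:end + 1]
                last = burst[-1]["ts"]
                success_after = any(last <= t <= last + window for t in successes[src])
                best = (count, len({e["account"] for e in burst}), success_after)
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, (count, accounts, success) in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        verdict = "and a logon SUCCEEDED afterwards" if success else "no success seen"
        print(f"{src}: {count} RDP failures across {accounts} accounts, {verdict}")
```

The single legitimate user at 192.168.1.22 never trips the threshold, while the outside address cycling through account names does, and the successful logon right after the burst is the line that turns an alert into an incident. Detection like this is the backstop; the fix the advisory asks for is still to take the remote access service off the open internet and close the port.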

Update: Shocker, but Java may be an indicator of an infection. Since POS systems don't need Java, they've found infected systems can suddenly have an Oracle Java folder containing a javaw.exe, which is actually the Backoff malware.

Data is also sent back to the malicious servers every 60 seconds.
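The two indicators in this update, a javaw.exe on a terminal that has no use for Java and a connection to the same outside address every 60 seconds, are both things a defender can check for without a signature from the anti-virus vendor. The block below is an added example written for this thread, not code from the original posts or from the DHS/US-CERT material: it runs a periodicity check over a constructed outbound connection log and a process-inventory check over a constructed host list. The log format, host names, IP addresses, the Java install path, and the jitter and count thresholds are assumptions.

```python
"""Hunt for a fixed-interval beacon and for javaw.exe where Java has no business.

Added example for the thread above; every sample record below is constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall/proxy export: "<timestamp> <src_ip> -> <dst_ip>:<port> <bytes>"
SAMPLE_CONNECTIONS = """\
2014-08-20T10:00:00 10.10.5.21 -> 198.51.100.9:443 1412
2014-08-20T10:01:00 10.10.5.21 -> 198.51.100.9:443 1380
2014-08-20T10:02:01 10.10.5.21 -> 198.51.100.9:443 1402
2014-08-20T10:03:00 10.10.5.21 -> 198.51.100.9:443 1399
2014-08-20T10:04:01 10.10.5.21 -> 198.51.100.9:443 1407
2014-08-20T10:05:00 10.10.5.21 -> 198.51.100.9:443 1395
2014-08-20T10:00:12 10.10.5.21 -> 192.0.2.50:443 9200
2014-08-20T10:00:45 10.10.5.22 -> 192.0.2.50:443 8700
2014-08-20T10:07:13 10.10.5.22 -> 192.0.2.50:443 2200
2014-08-20T10:31:02 10.10.5.22 -> 192.0.2.50:443 5100
2014-08-20T10:33:40 10.10.5.22 -> 192.0.2.50:443 6300
2014-08-20T11:02:40 10.10.5.22 -> 192.0.2.50:443 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse_connections(text):
    """Return (timestamp, src, "dst:port", bytes) tuples; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append((datetime.fromisoformat(m["ts"]), m["src"],
                          f'{m["dst"]}:{m["port"]}', int(m["bytes"])))
    return conns


def find_beacons(conns, min_connections=5, max_jitter=0.1):
    """Return {(src, dst): median_gap_seconds} for pairs that talk on a near-fixed timer.

    Jitter is population stdev / mean of the gaps between consecutive
    connections. Human and ordinary application traffic has large jitter;
    a malware loop that wakes every 60 seconds has almost none.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in conns:
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue  # too few samples to call it periodic
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = statistics.median(gaps)
    return beacons


# Constructed process inventory: (host, image name, image path). The Java
# path is an assumed, ordinary-looking install location, not a known IoC.
SAMPLE_PROCESSES = [
    ("POS-REG-01", "pos.exe", r"C:\POS\pos.exe"),
    ("POS-REG-01", "javaw.exe", r"C:\Program Files\Java\jre7\bin\javaw.exe"),
    ("BACKOFFICE-01", "javaw.exe", r"C:\Program Files\Java\jre7\bin\javaw.exe"),
]


def unexpected_java(processes, java_allowed_hosts=frozenset({"BACKOFFICE-01"})):
    """Hosts running javaw.exe that have no business need for Java.

    On a POS terminal the presence of javaw.exe at all is the indicator; a
    plausible-looking install path does not make it legitimate.
    """
    return sorted({host for host, name, _ in processes
                   if name.lower() == "javaw.exe" and host not in java_allowed_hosts})


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"{src} -> {dst}: connection every ~{gap:.0f}s, check this host")
    for host in unexpected_java(SAMPLE_PROCESSES):
        print(f"{host}: javaw.exe running on a host with no Java requirement")
```

The register at 10.10.5.21 reaches 198.51.100.9 once a minute with a second or two of drift, which the jitter test catches, while the back-office host's irregular traffic to the same cloud address passes. In practice both checks want a whitelist of known update and payment-processor endpoints, since legitimate agents also poll on timers; the point is that a timer-driven outbound connection from a cash register is something to explain, not ignore.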


Going into the security field means that in the future I will have a job for a long time, hopefully.


Why don't EPOS machines and ATMs run a different operating system than Windows XP? Can't some company or developer make a secure operating system just for that type of application?
