PoS Malware Targeted Target

by on | Leave a comment
Filed under Breach Diaries, Industry News, Research Lab and tagged , , .


Dexter was a doozy, but recent Seculert research reveals that it wasn’t the source of the point-of-sale (PoS) attack on Target. According to a December 19 statement released by Target, over 40 million credit and debit card accounts may have been compromised over a 2 week period, beginning November 27. But Target had only just begun to see the extent of the damage. And based on information shared by Krebs in a January 14 report updating us on the massive data breach, we were able to identify a sample of the malware.

Seculert’s Research Lab ran the sample of the malware and discovered that unlike Dexter, this attack had 2 stages, which is a well known attribute of an advanced threat. First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.

Screenshot from 2014-01-16 19_06_50
Figure 1: Stolen data moving from the PoS server to another connected machine within Target’s network

Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBS of stolen sensitive customer information. While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.

Figure 2: FTP access logs indicating communication with an Target IP address


Figure 3: Whois information indicating ownership of the IP

We will continue to keep you apprised of details as the situation develops.

One thought on “PoS Malware Targeted Target

  1. Pingback: A Closer Look at the Target Malware, Part II — Krebs on Security

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>