Data Loss mailing list archives

Data Breaches: What Retailers Need to Know About Malware
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Jul 2014 19:56:05 -0600


And the hits just keep on coming. Retailers across the country are falling
prey to cyber attacks, with one of the latest announcements coming from
Michaels and its subsidiary Aaron Brothers.

Based on the information filtering out from Michaels, it appears the firm
was a victim of an advanced persistent threat (APT) attack. APTs are based
on malware that is specially coded by hackers to breach a specific target.
The clincher is that APTs are also designed to be largely undetectable by
most anti-malware applications. Even if the threat is recognized, it may be
difficult to locate or remove.

In the case of the attack on Michaels, the malware is estimated to have
been active in the system for about eight months. Consumers who shopped at
Michaels between May 8, 2013, and Jan. 27, 2014, or at Aaron Brothers
between June 26, 2013, and Feb. 27, 2014, are being advised to cancel their
debit or credit cards and have their banks reissue new ones as a
precautionary measure. In addition, victims have been encouraged to take
steps to monitor their identity and credit accounts for potential fraud.

There are multiple methods hackers can use to transfer this type of
malicious code to its target, including spear phishing e-mails that appear
legitimate and trick an employee at the retailer into downloading the code
into the network. Specifically how the attackers were able to successfully
inject their malicious code into Michaels’s systems is unknown at this

Flashbacks to other hacks
For many in the retail sector, it’s nearly impossible to learn the details
of the Michaels attack without having flashbacks of other recent incidents.
Consider the massive Target breach in late 2013. Malware was the culprit in
that incident as well, with the retailer’s point-of-sale (POS) data being
funneled out through a compromised vendor connection.

The Target attack lasted 19 days — which seems to pale in comparison to the
duration of the Michaels breach — but it occurred during the holiday season
when registers were ringing up purchases at a frantic pace. The scope was
tremendous, with Target estimating up to 70 million individuals may have
been affected.

Neiman Marcus also suffered a data breach in 2013. For just over three
months hackers siphoned off POS data using malicious code inserted into the
retailer’s systems. The sophisticated attack is still being investigated,
but so far little has been revealed about how the hackers gained entry to
the system and precisely when much of the data was removed.

Why the hack could happen again
The first lesson retailers should take from the growing list of POS-based
data breaches is that it could happen again. Whatever the root cause of
these hacks, many retailers are scrambling to bolster their network
security defenses by implementing additional layers of advanced threat
detection systems. These can potentially detect previously unknown malware
such as that used to steal data from Michaels and others.

Unfortunately, even when malicious code is detected, retailers aren’t always
able to eradicate it quickly or completely. Tens of thousands of alerts
were triggered during the Neiman Marcus breach, but the level of automation
and the sheer volume of administrative alerts processing through the
systems made actionable detection difficult.

Cyber thieves are also getting better at crafting sneaky code and finding
security weaknesses to exploit. In the case of Neiman Marcus, systems were
deleting instances of the malware but the hackers found a way to quickly
reload it. A compromised server was their pathway into the network. It
provided them with a remote door to the inside of the systems that held
valuable data as well as a route around many of the security measures that

What retailers can do to mitigate risks and bolster security
Hackers are working to root out and take advantage of every security gap in
retailers’ POS systems and networks. They’re actively targeting weak
administrative passwords, vulnerable infrastructure components, unsecured
(but trusted) external connections, and old-fashioned social engineering.
Increasingly clever methods are being employed to install malware, but in
many cases they’re unnecessary. Weak spots in the armor often provide all
the invitation hackers need.

There are steps retailers can take right now to improve security around POS
systems and associated networks, and most are inexpensive and relatively
easy to implement.

• Require strong passwords or multi-factor authentication for POS
administrative access and accounts.
• Restrict outside access to POS systems wherever possible.
• Completely disallow remote access unless it’s absolutely necessary.
• Update all POS software applications using the latest security patches.

Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

