Security researcher finds clues to malware in Target heist

Brian Krebs reports that the malware used to steal millions of customers' payment card information was uploaded through a compromised server.

Steven Musil

While Target has said hackers used malware installed on point-of-sale terminals to pilfer the payment card information from millions of customers, the retailer has been silent about how the malware siphoned off the sensitive data.

CEO Gregg Steinhafel confirmed this week that malware installed on checkout keypads was used to steal the names, mailing addresses, phone numbers, and e-mail addresses of as many as 110 million customers. Sources have told Reuters that one of the tools used by the thieves was a memory scraper, which harvests data that is otherwise kept encrypted by capturing it while it passes through the computer's memory in plain text.

A Target representative declined to provide additional information on the malware used in the attack, citing the ongoing investigation into the theft.

However, security researcher Brian Krebs reported Wednesday that the malware has been linked to intrusions as far back as last June. Krebs, who broke the story about the Target security breach in December, said sources had told him that the thieves broke in through a compromised Web server.

"Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target's internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices," Krebs wrote.

Krebs said the malware is "nearly identical" to BlackPOS, a cybercrime product that records payment card data from compromised keypads. Selling for as much as $2,300 on cybercrime forums, the malware is designed to avoid detection by firewall software.

Target, which suffered its breach between November 27 and December 15, was not the only US retailer to experience a security breach during the holiday shopping season. Upscale department store Neiman Marcus confirmed on Friday that its database of customer information was hacked last month around the same time as the attack on Target. Additionally, Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be publicly revealed.