The Target data breach is one of the most notorious incidents in recent cybersecurity history, affecting millions of customers and serving as a stepping stone to more robust security measures. Today we're going to dive into it.
Incident Overview:
In September 2013, cybercriminals used an email-based phishing scam to trick an employee at Fazio Mechanical, an HVAC contractor and one of Target's third-party vendors, into handing over their credentials. A couple of months later, the hackers used that foothold to gain unauthorized access to Target's network through the HVAC contractor.
The attackers then used this access to infiltrate Target's payment system, installing malware on point-of-sale (POS) terminals across the company's stores. The breach went undetected for weeks, allowing the hackers to steal the credit and debit card information of 40 million customers who shopped at Target between November 27 and December 18, 2013. In addition, the personal information (names, addresses, phone numbers, and email addresses) of 70 million customers was also compromised.
In-depth analysis:
Once inside Target's network, the attackers moved laterally, probing for weaknesses until they found one in the point-of-sale (POS) systems. The malware they ultimately used was a RAM scraper: it attacks computer memory directly, grabbing sensitive data during the moments it is unencrypted.
Memory parsing (memory scraping) is the process of scanning a computer's memory (RAM) to extract and analyze data; it is often used by malware to capture sensitive information before it is encrypted or stored.
For some background: under the Payment Card Industry Data Security Standard (PCI DSS) rules in force at the time, all payment information had to be encrypted both when stored on the POS system and when transferred to back-end systems. Hackers can still steal the data from the hard drives, but it is useless to them because the files are encrypted. Encryption in transit likewise defeats attackers who sniff network traffic.
That said, attackers are left with only a small window of opportunity. The POS software has to decrypt the data temporarily in order to read the transaction information, and the malware seizes that moment to copy the information out of memory.
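The window described above, as an added example that is not part of the original post: the encrypted-at-rest record is useless to a thief, but once the POS application decrypts it into its own memory, a cardholder-data discovery scan of that memory (the kind of check a PCI assessor runs) finds the PAN, whereas with the track encrypted at the card reader (point-to-point encryption) the scan finds nothing. The XOR keystream stands in for AES and the list of buffers stands in for process memory; both simplifications, the sample PAN and the key names are my own.

```python
import hashlib
import re

# Constructed sample: a Visa test PAN (not a real account) in a track-2 style
# "PAN=expiry..." layout, plus a stand-in storage key held by the POS app.
SAMPLE_TRACK = b"4111111111111111=25121010000"
STORAGE_KEY = b"pos-storage-key-demo"
# Digit runs of PAN length that are not part of a longer run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, used to separate real-looking PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256 derived keystream (same call decrypts)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def find_cleartext_pans(memory) -> list:
    """Cardholder-data discovery check: Luhn-valid PANs sitting in cleartext in
    any simulated memory region (each region is one buffer the POS app held)."""
    found = set()
    for region in memory:
        found.update(m for m in PAN_RE.findall(region) if luhn_ok(m))
    return sorted(found)

def pos_decrypts_in_app(stored_record: bytes, memory: list) -> bytes:
    """Vulnerable design: the record is encrypted at rest, but the POS app
    decrypts it into its own memory to read the PAN. That cleartext buffer is
    the window a RAM scraper reads."""
    memory.append(stored_record)
    track = xor_cipher(STORAGE_KEY, stored_record)
    memory.append(track)
    return b"approve:" + track.split(b"=")[0][-4:]

def pos_reader_encrypts(reader_blob: bytes, masked_pan: bytes, memory: list) -> bytes:
    """Hardened (point-to-point encryption) design: the card reader encrypts the
    track under a key the POS never holds, so the app only ever sees ciphertext
    and a masked PAN, and forwards the ciphertext to the payment processor."""
    memory += [reader_blob, masked_pan]
    return b"approve:" + masked_pan[-4:]
```

In real deployments the discovery scan is run against a memory dump of the POS process; here the list of buffers plays that role.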
This kind of memory attack let the malware collect and store payment card information such as card numbers, expiration dates, and CVV codes, which it periodically transferred to a compromised server within Target's network.
From that server, the stolen data was exfiltrated to external servers controlled by the attackers, who used multiple locations to avoid detection.
Target did in fact have security software in place, including a malware detection tool from FireEye purchased earlier in 2013, which flagged the malware early on. The alert was ignored by Target's security center, leaving the malware undetected for a considerable time. The attack was only thwarted after the Department of Justice contacted Target to inform them of the breach.
Impact:
The breach was just the start of a nightmare for Target: the company faced hundreds of millions of dollars in costs for investigations, legal settlements, and upgrades to its network security. Beyond the financial hit, the breach severely damaged Target's reputation, eroding customer trust and causing a major drop in holiday-season sales. It ultimately led to the resignation of Target's CEO and CIO, a measure of how serious the breach was.