An investigation by security journalist Brian Krebs indicates that the malware used to breach point-of-sale (POS) systems in the massive Target breach, which compromised some 110 million customers, has been openly for sale on the black market.
The memory-scraping malware known as “Reedum” has been offered on underground criminal forums under the name “BlackPOS” since at least the middle of last year, priced at $1,800 for the basic version and $2,300 for the full version. Memory scrapers of this kind work by reading card data out of the RAM of the POS terminal, where it is briefly held in the clear while a transaction is processed.
“On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec,” Krebs writes.
“Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term ‘reedum’ suggests that this malware has been used in previous intrusions dating back to at least June 2013.”
The malware is advertised as being able to get past network firewalls, and once resident on a POS terminal it harvests payment card data from the terminal's memory in real time, at the moment a card is swiped for a purchase.
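To make concrete what “memory scraping” means in practice, the following is an added example, not code from the article, from Krebs, or from the BlackPOS authors. It shows the core technique a scraper (or, equally, a forensic analyst searching a memory dump from a suspect terminal) uses: scan a raw buffer for magnetic-stripe Track 1 and Track 2 records by their sentinel and separator characters, then Luhn-check the candidate card number to discard false positives. The memory buffer below is constructed for the example; 4111111111111111 is a publicly known test card number and the decoy 4111111111111112 fails the Luhn check.

```python
import re

# Track 2:  ;PAN=YYMM SSS discretionary?   (PAN 13-19 digits, '=' separator, '?' end sentinel)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1:  %B PAN ^ NAME ^ YYMM SSS discretionary?   (start sentinel '%', format code 'B')
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^\?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod-10) check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as a report or log line should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return every Track 1 / Track 2 candidate in buf, with a Luhn verdict and masked PAN."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(2).decode("ascii"),
                     "service_code": m.group(3).decode("ascii"),
                     "luhn_ok": luhn_valid(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                     "name": m.group(2).decode("ascii").strip(),
                     "expiry": m.group(3).decode("ascii"),
                     "service_code": m.group(4).decode("ascii"),
                     "luhn_ok": luhn_valid(pan)})
    return sorted(hits, key=lambda h: h["offset"])


def card_hits(buf: bytes) -> list:
    """Only the candidates whose PAN passes Luhn: what a scraper would keep and exfiltrate."""
    return [h for h in scan_for_track_data(buf) if h["luhn_ok"]]


# Constructed sample of what a POS process's memory might contain around a swipe:
# printer status text, a Track 1 record, unrelated bytes that superficially resemble
# Track 2, a genuine Track 2 record, and a decoy whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00PRINTER READY\x00"
    b"%B4111111111111111^DOE/JOHN           ^2512101000000000000000?"
    b"\x00\x00junk;1234=5678?more\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00"
    b";4111111111111112=2512101000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for h in scan_for_track_data(SAMPLE_MEMORY):
        print(h)
    print("Luhn-valid cards found:", len(card_hits(SAMPLE_MEMORY)))
```

The same regexes, pointed at a memory image rather than a live process, are what a responder would run to confirm that card data was present in the clear on a terminal; the Luhn filter matters because 13 to 19 digit runs with a following `=` turn up constantly in unrelated memory.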
Thus far, Target has disclosed that the stolen information includes names, mailing addresses, phone numbers and email addresses, but some suspect that the breach may be far worse and may include the predictive-analytics data Target uses to profile its customers.
“The attackers broke into Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices,” Krebs wrote.
Tripwire security researcher Ken Westin believes that Target’s own Microsoft System Center servers, which push automated application updates and security patches to several classes of systems, including the POS terminals, served as the distribution point for the malware.
“I believe that somehow the central hub at Target was compromised and that point-of-sale malware was deployed to all of the stores’ update/patching servers. From here all of the point-of-sale devices would update to the same compromised code that was deployed,” Westin wrote.
“At that stage the data could be exfiltrated out to another server directly from the device, or an internally compromised server at the main hub and exfiltrated out of the network,” Westin explained.