09/09/2014: Banks are no longer easy targets for hackers. Retailers are. Russ Spitler, VP of Product Strategy at AlienVault looks at the seven stages of hacking into a retailer’s POS system…
Data breaches on retailers are becoming a daily occurrence, for the simple reason that hackers go where the money is – and that means credit cards. Undeniably, hackers will never have set foot in the actual stores to get the card information they are after, at least not for the purposes of furthering their exploits. While a little reconnaissance might be performed in the physical stores, the scale at which both the Target and Home Depot breaches occurred meant that their access to the point of sale (POS) machines originated from within the corporate network.
This has been confirmed in the public information available about the Target breach and will likely be seen as more information becomes available about the Home Depot situation.
Now, without firsthand knowledge, I would imagine that the attackers would have taken the following steps:
1. Launch a broad-based attack against a known vulnerability using a watering hole. Most likely this was done by a different group of hackers who specialise in compromising machines and distributing malware. The most common technique is to compromise popular websites and install what is called an ‘exploit kit’, which targets known vulnerabilities in the browsers and systems of the users browsing the compromised website.
2. Perform first-level analysis of the systems that are compromised. What types of machines are they? What software is installed? What are their IP addresses? What email addresses are being used? This analysis is done to see what has been brought in by the ‘net’ of the broad-based attack.
3. Determine if there are any viable targets in the ‘catch’ – are there any dolphins hiding in with the tuna? (Is that analogy too 1980s?) Are there any major or minor retailers in the catch?
4. Identify a target. Pick the largest ‘fish’ and start working towards your objectives – in the case of retailers, that would be the POS terminals.
5. Pivot. From your initial point of compromise (the unsuspecting user who fell victim to the broad-based attack), attempt to pivot within the corporate network. Perform reconnaissance on the network and identify what access the machine has and the systems it can reach.
6. Systematically move on your objectives. Attempt to identify ways to access the POS terminals; in the Target scenario the network was relatively open, so this was a very simple task. From that point, target a known vulnerability in the system and install the memory-scraping malware that harvests the credit card information.
7. Exfiltrate the stolen data. The critical last step requires the hackers to move the harvested credit card information from the POS terminals to a location of their choosing. Again, in the Target scenario this was an FTP server in Eastern Europe.
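Stages 5 to 7 above are exactly the traffic a properly segmented retail network should never carry: a user workstation opening sessions into the POS segment, and POS terminals sending data to hosts other than their payment processor, let alone to an external FTP server. As an added example that is not part of the original article, the Python below runs that check over a handful of constructed flow-log records; the subnets, the single allowed destination and the log format are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout, constructed for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # all corporate address space
WORKSTATION_NET = ip_network("10.10.0.0/16")        # user workstations (initial foothold)
POS_NET = ip_network("10.20.0.0/16")                # point-of-sale terminals
POS_ALLOWED_DESTS = {ip_address("10.30.0.5")}       # the only host POS may talk to

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes".
FLOWS = """\
2014-09-01T10:00:01 10.10.4.12 10.30.0.5 443 2048
2014-09-01T10:00:05 10.10.4.12 10.20.1.7 445 15000
2014-09-01T10:00:09 10.20.1.7 10.30.0.5 443 800
2014-09-01T10:01:30 10.20.1.7 203.0.113.10 21 5242880
2014-09-01T10:01:45 10.20.1.7 10.10.4.12 445 3000
2014-09-01T10:02:00 10.20.1.8 10.30.0.5 443 700
"""

def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "port": int(port), "bytes": int(nbytes)}

def classify(flow):
    """Label one flow with the attack stage it resembles, or None if benign."""
    src, dst = flow["src"], flow["dst"]
    # Stage 5/6: a workstation opening a session into the POS segment.
    if src in WORKSTATION_NET and dst in POS_NET:
        return "LATERAL_WORKSTATION_TO_POS"
    if src in POS_NET:
        # Stage 7: a POS terminal reaching outside the corporate address space.
        if not any(dst in net for net in INTERNAL_NETS):
            return "POS_EXTERNAL_EGRESS"
        # Stage 6: a POS terminal talking to internal hosts it has no business with.
        if dst not in POS_ALLOWED_DESTS:
            return "POS_UNEXPECTED_INTERNAL_DEST"
    return None

def detect(log_text):
    """Run classify() over every record; return findings keyed by source host."""
    findings = defaultdict(list)
    for line in log_text.strip().splitlines():
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings[str(flow["src"])].append(
                (label, str(flow["dst"]), flow["port"], flow["bytes"]))
    return dict(findings)
```

Calling `detect(FLOWS)` flags the workstation-to-POS session and both anomalous POS flows while leaving the payment-processor traffic alone; in production the same logic would sit on firewall or NetFlow exports rather than an inline string.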
Clearly, attackers are fully prepared to do their homework and identify the weak links when it comes to retailers and their POS machines. Major retail chains are easy targets because they have not invested enough time in cybersecurity.
Banks are no longer easy targets; they have fortified themselves and even built protection for their consumers, but point of sale systems originally designed and built years ago are easy places to grab a foothold. Hackers are focusing on retailers because ‘that is where the money is’ – they are the easiest target with the greatest reward.
These criminals are doing the cost analysis of the investment they need to breach a target and what they are going to get in return. It’s time retailers do the same and properly assess the need for bolstering security when it comes to protecting their customers’ personal data.