
Six more U.S. retailers hit by Target-like hacks



Guest LilBambi
Cybercriminals have stolen payment card data from six more U.S. retailers using similar point-of-sale malware that compromised Target, a computer crime intelligence company said Friday.

 

The conclusion comes from a study of members-only forums where cybercriminals buy and sell data and malicious software tools, said Dan Clements, president of IntelCrawler, which conducted the analysis.

 

The retailers have not been publicly named, but IntelCrawler is providing technical information related to the breaches to law enforcement, Clements said in a telephone interview Friday.

Link to comment

Regarding Target, I got this from a private source commenting on Brian Krebs' article (A First Look at the Target Intrusion, Malware — Krebs on Security):

 

PCI compliance objectives include the fact that cardholder data present environments (CDP) like those POS terminals should NOT have been on the same network as the webserver where the malware was originally dropped for command and control. Those POS terminals SHOULD have been physically separated by VLAN switching and prevented from talking to a webserver that is Internet facing.

 

 

A 17 year-old! IntelCrawler - Multi-tier Intelligence Aggregator - IntelCrawler: "17-years-old teenager is the author of BlackPOS malware (Target)"

Link to comment

Guest LilBambi

Yes... there has been a saying for a very long time now. First said by someone at SANS.org on their list.

 

"What part of critical systems should not be on the Internet do you not get?" Actually I think that might be a paraphrase ...

Link to comment

Good point, but does it really matter? Target is offering a year of identity theft protection as a result of the breach, so that's a plus.

 

Adam

Link to comment

Offering the credit monitoring was the right thing to do though, and Target gets to pay for it. They will treat their point of sale systems a bit more securely now, won't they?

 

Adam

Link to comment

A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.

Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005. [...]

 

Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again

Link to comment

Guest LilBambi

I remember that attack siljaline!

 

The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it that nearly a decade after the Gonzalez gang pulled off its heists, little has changed in the protection of bank card data?

 

Target got off easy in the first breach: A spokeswoman told Reuters an “extremely limited” number of payment card numbers were stolen from the company by Gonzalez and his gang. The other companies weren’t as lucky: TJX, Hannaford Brothers grocery chain, the Dave & Busters restaurant chain, Office Max, 7-Eleven, BJ’s Wholesale Club, Barnes & Noble, JC Penney, and, most severely, Heartland Payment Systems, were hit hard.

 

This time around, if past is prelude, Target will be forced to pay out millions in fines to the card companies if it’s found that the retailer failed to properly secure its network. It also will have to pay reparation to any banks that had to issue new cards to customers. In addition, class-action lawsuits are already being filed against Target by customers, and lawmakers are lining up to make an example of the retailer.

 

Target should not have gotten off easy back in 2005! All companies should be held to a higher standard with our money and/or credit!

 

We would not be going through this now if ALL RETAILERS were held to the same standard they used for the others (noted in bold above).

 

Personally I think even those were not held to standards that should have been used when they are responsible for other people's money!

Link to comment

V.T. Eric Layton

They let this continue to happen simply because pro-active security costs money. That's profit right off the bottom line. These greedy corporations are willing to gamble that they won't get hit in order to bleed as much $$$ as they can from their customers. Once they do get breached, they're all apologetic and regretful, but you can bet your arse that someone somewhere in that organization made the conscious decision to disregard security in favor of higher profits. It should be made a criminal offense when companies are found to be negligent in their security measures that result in breaches such as this one at Target.

Link to comment

They let this continue to happen simply because pro-active security costs money. That's profit right off the bottom line. These greedy corporations are willing to gamble that they won't get hit in order to bleed as much $$$ as they can from their customers. Once they do get breached, they're all apologetic and regretful, but you can bet your arse that someone somewhere in that organization made the conscious decision to disregard security in favor of higher profits. It should be made a criminal offense when companies are found to be negligent in their security measures that result in breaches such as this one at Target.

How would pro-active security have helped in this case? How is Target bleeding money from their customers by using a computerized POS system? That they didn't compile the POS for each machine was due to the POS software being certified. For all we know, the NSA could have intercepted the machines and placed the trojan software on it. I'm actually impressed that someone there caught on so quickly that something was amiss.

If I was in charge, would I have compiled from code to each machine? Yep, but I'm just about paranoid about this sort of thing having had a server egg-dropped a few years back. The machines were certified, I really cannot fault Target for trusting the certificate.

 

Does anyone here have an idea or datum on what happened to Neiman-Marcus or the other 5?

 

I remember that attack siljaline!

 

 

 

Target should not have gotten off easy back in 2005! All companies should be held to a higher standard with our money and/or credit!

 

We would not be going through this now if ALL RETAILERS were held to the same standard they used for the others (noted in bold above).

 

Personally I think even those were not held to standards that should have been used when they are responsible for other people's money!

btw: they were PCI compliant :whistling:
Link to comment

V.T. Eric Layton

In this day and age, these companies are just going to have to bite the bullet and do what needs to be done. Or they can shut their websites down and go back to this technology...

 

old-school-credit-card-machine.jpg

 

Or maybe even this...

 

cash-money.jpg

 

Although, this latter option is a bit iffy these days. ;)

Link to comment

Speculation is that data sets are being sold by region.

 

2 nabbed at Texas border in Target credit card fraud case

 

McAllen police began working with the U.S. Secret Service after a number of area retailers were hit with fraudulent purchases on Jan. 12. The Secret Service confirmed that the fraudulent accounts traced back to the original Target data breach from late last year. Investigators fanned out to McAllen-area merchants and reviewed "miles of video" looking for the fraudsters, Rodriguez said. From that, they were able to identify two people and a car with Mexican license plates.

 

With the help of U.S. Immigration and Customs Enforcement, investigators confirmed the identities of their suspects from immigration records of when they had entered Texas in the same vehicle. Police prepared arrest warrants last week and waited for them to return.

 

On Sunday morning, federal officials alerted police that their two suspects were at the Anzalduas International Bridge trying to re-enter the U.S. They were carrying 96 fraudulent cards, Rodriguez said.

 

Investigators believe the two were involved in both the acquisition of the fraudulent account data and the production of the cards, but only part of what must have been a much broader conspiracy. Rodriguez said investigators suspect Garcia and Guardiola were singling out Sundays for their shopping sprees hoping that the banks would not be as quick to detect the fraud.

Link to comment

V.T. Eric Layton

Your first option there is certainly far less secure than a computerized POS system.

 

Adam

 

Yeah, but having all those cool tissue receipts was pretty neato. I still remember the little half-size ones for the gas credit cards. My dad used to give me stacks of the old ones to play with when I was a kid. I think that's when I developed my love of credit cards. ;)

Link to comment

Guest LilBambi

PCI Compliant is no panacea. They are not holding any of them to standards that should be used when they need to be trusted with other people's money!

 

Glad to see some are getting caught but it shouldn't have happened in the first place.

 

And so many are using Windows XP POS Dell computers! What about those come April 8, 2014?

 

This crap unfortunately happens around the world. It's a travesty that people must trust their money to companies that are obviously not worthy of their trust.

Link to comment

Guest LilBambi

Hey good news for the Windows XP Professional Embedded POS systems:

 

Windows XP Embedded (Toolkit and Runtime), all versions

General Availability: January 30, 2002

Product EOL: January 30, 2017

 

Windows XP Professional for Embedded Systems

General Availability: December 31, 2001

Product EOL: December 31, 2016

 

NOTE: EOL: End of Life - apparently for these types of programs, they call it "Product Distribution End Date"

 

Many are still using the Windows XP ones. I have seen so many in use currently in retail outlets. But they also have newer Embedded based on Windows 7 and Windows 8 as well.

 

See full article here. (Have to go down about halfway down the page...way past the first screen/above the fold view on the page)

Link to comment

Guest LilBambi

A few security lessons from the Target breach (on Fran's Computer Services Blog)

 

I picked up on Susan Bradley's excellent article in the recent edition of WindowsSecrets article first, then Wired Threat Level's recent and very excellent article on the Target got hacked in 2005 and don't think oh, I know about this already, it is about much more and finally the new Michael's breach that Brian Krebs talked about on his blog, and more, plus some of my own thoughts of course. ;)

Edited by LilBambi