Huge Criminal Profits Are Being Made from Retail POS Says FBI

As previously reported, Target’s attackers were able to infect the retailer’s POS system with malware that stole credit and debit card data. The attackers were also able to set up a control server within Target’s internal network that served as a central repository for data from all of the infected registers. An examination of the malware suggests that the attackers may have gained access through a poorly secured feature built into an IT management software product running on the retailer’s internal network.
However, as investigators uncover more information, concerns continue to grow. It has been revealed that the attackers gained access to Target’s internal systems, but what we still don’t know, according to reports, is how the attackers broke in to begin with. Did Target fall victim to identity theft in which login credentials were stolen, or was the software itself broken into?
"The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors," the FBI wrote. "We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it."
What You Should Know
  • "ttcopscli3acs" is the name of the Windows share used by the POS malware planted at Target stores. The username the malware used to upload stolen card data was "Best1_user" with the password "BackupU$r."
  • An analysis uploaded to Symantec’s ThreatExpert service on December 18, 2013 was later deleted. The ThreatExpert analysis notes that the malware was responsible for moving stolen data from the compromised registers to the shared central repository.
  • "Best1_user" is an administrative account installed by the software to do routine tasks such as running a batch job. Customers do not concern themselves with this account because it is a level account on the host machine that cannot be used to log in to the system.
  • One component of the malware installed itself as "BladeLogic," a service name mimicking that of BMC BladeLogic Automation Suite. The trademark was used to make the malicious program appear legitimate to the casual observer.
  • A cybercrook known as "Rescator" and his network are selling cards stolen in the Target breach, pushing new batches of stolen cards onto the market. As of January 21, a batch of two million cards was released under the name "Eagle Claw." It has been determined that all of these cards were used at Target stores between November 27 and December 15.
  • The FBI warned that the basic code used in the POS malware has been seen in cases dating back as far as 2011, and that these attacks are likely to continue for some time.
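The indicators in the list above (the share name, the upload account and the impersonated service name) are the kind of thing a retailer's security team would turn into detection rules. The following is an added example, not code from the article or from any of the parties it describes: it runs three simple rules over constructed sample log lines in a key=value format. The log format, host names, paths and the assumption that a genuine BladeLogic agent lives under the vendor's install directory are all assumptions made for the example; only the three indicator strings come from the article.

```python
"""Scan constructed endpoint/share logs for the Target POS malware indicators."""
import re

# Indicators from the article: the share the malware wrote stolen data to, the
# account it used for uploads, and the legitimate service name it impersonated.
SHARE_NAME = "ttcopscli3acs"
UPLOAD_USER = "Best1_user"
MIMICKED_SERVICE = "BladeLogic"

# Assumption (not from the article): a genuine BladeLogic agent is installed
# under the vendor's directory, so the same service name from anywhere else is
# suspicious. The article only says the name was chosen to look legitimate.
EXPECTED_BLADELOGIC_PATH_PREFIX = r"c:\program files\bmc software"

# Constructed sample log lines (hypothetical hosts and paths, not real data).
SAMPLE_LOGS = [
    r'2013-12-02T01:10:33Z host=REG-0412 event=share_connect share="\\srv-01\ttcopscli3acs" user=Best1_user',
    r'2013-12-02T01:11:02Z host=REG-0412 event=service_install name=BladeLogic path="C:\Windows\Temp\svchost.exe"',
    r'2013-12-02T01:12:00Z host=REG-0413 event=share_connect share="\\fs-02\reports" user=jdoe',
    r'2013-12-02T01:13:07Z host=ADMIN-01 event=service_install name=BladeLogic path="C:\Program Files\BMC Software\BladeLogic\RSCD\bin\rscd.exe"',
    r'2013-12-02T01:14:19Z host=ADMIN-01 event=logon user=jdoe',
    r'2013-12-02T01:15:44Z host=REG-0413 event=logon user=Best1_user',
]

# key=value pairs; a value may be double-quoted so that it can contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (the leading timestamp is ignored)."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def evaluate(fields):
    """Apply the three indicator rules to one parsed line; return (rule, detail) pairs."""
    findings = []

    # Rule 1: any use of the exact share name is a direct indicator.
    share = fields.get("share", "")
    if share.rstrip("\\").split("\\")[-1].lower() == SHARE_NAME.lower():
        findings.append(("share_name_ioc", share))

    # Rule 2: the article says Best1_user cannot be used to log in, so a logon
    # or share connection under that name is anomalous regardless of the share.
    if fields.get("user", "").lower() == UPLOAD_USER.lower() and \
            fields.get("event") in ("share_connect", "logon"):
        findings.append(("service_account_logon", fields["user"]))

    # Rule 3: a "BladeLogic" service installed from outside the expected vendor
    # path suggests name mimicry rather than the real product.
    if fields.get("event") == "service_install" and \
            fields.get("name", "").lower() == MIMICKED_SERVICE.lower():
        path = fields.get("path", "")
        if not path.lower().startswith(EXPECTED_BLADELOGIC_PATH_PREFIX):
            findings.append(("service_name_mimicry", path))

    return findings


def scan_logs(lines):
    """Return (line_number, rule, detail) for every rule hit across the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule, detail in evaluate(parse_line(line)):
            hits.append((n, rule, detail))
    return hits


if __name__ == "__main__":
    for n, rule, detail in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {rule}: {detail}")
```

Rule 2 is the most generally useful of the three: it does not depend on the attackers reusing a particular share name, only on the fact that a vendor service account which should never log on interactively or over the network is being used that way. Rule 3 will produce noise wherever the real product is installed in a non-default location, so the expected path should be taken from the organisation's own inventory rather than hard-coded as it is here.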
For related content:
Target's CFO to Testify Before Congress on Data Breach
Target Identifies Suspects, Security Breaches Become Growing Concern
Neiman Marcus Hit With Security Breach and Website Outages
Target Off to a Rough Start in 2014
Target Data Breach Compromises 40M Cards