After Neiman Marcus, Target breaches, experts speak to bull's-eye on retailers' backs

After Neiman Marcus confirmed that it was the latest major retailer to be struck by a credit card breach, reports began to surface about a potential link between the massive compromise of Target's POS systems and other smaller merchants.

On Sunday, Reuters reported that “similar techniques as the one on Target” were used to attack at least three other “well-known U.S. retailers,” which have yet to come forward.

Unnamed sources told the outlet that a RAM scraper, or memory-parsing software, “which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text,” was used against Target and in smaller breaches hitting other retailers.

On Friday, security blogger Brian Krebs first revealed that Neiman Marcus suffered a credit card breach of customer data.

While the timeframe coincides with Target's holiday breach (where it was confirmed that malware targeted its point-of-sale systems), neither Neiman Marcus nor Target has verified whether the attacks are linked.

Neiman Marcus has also yet to reveal the magnitude of its breach, including how many customers are impacted, or how the incident was leveraged.

On Monday, Ron Gula, CEO and CTO of Tenable Network Security, which specializes in malware and vulnerability discovery, told SCMagazine.com that the retail industry is ripe for attack, particularly because of a compliance-focused mentality taken on by merchants aiming to meet payment card industry (PCI) guidelines.  

“For one, the industry tends to shoot for compliance,” Gula said. “It's generally a goal and something you may not strive to go beyond.”

Furthermore, the holiday season tends to be a time when retailers aren't apt to implement needed software or network changes to harden themselves against attack.

“The second thing is, we just came off of the mythical holiday freeze where [retailers] are locked down, and can't make changes – like patch auditing, resetting passwords, applying software changes or updating the signatures of their anti-virus product – and I believe that creates the perfect target,” Gula said.

“I don't think it's a coincidence that we are finding out about this right after the holiday season,” he later added.

On Monday, Curt Wilson, senior research analyst with Arbor Networks' security engineering and response team (ASERT), who discussed in December how point-of-sale (POS) malware Dexter was being used in a campaign against U.S. targets, told SCMagazine.com that the operation didn't appear to be linked to Target and Neiman Marcus' incidents.

Wilson did add, however, that criminals targeting retailers are often emboldened by the success of previous attacks.

He said that there are numerous ways attackers may have scaled their attacks to steal card data. “We've also seen incidents where vendors themselves are compromised – so any weak link, or anywhere that the card data is not encrypted, either over the wire or in memory, creates a point of vulnerability,” Wilson said.

On Monday, a spokeswoman for Neiman Marcus told SCMagazine.com in a statement that the retailer was informed by its merchant processor in mid-December of “potentially unauthorized payment card activity” occurring at its stores.

It wasn't until Jan. 1 that a forensics firm subsequently confirmed that Neiman Marcus suffered a cyber intrusion “and that some customers' cards were possibly compromised as a result,” the statement said.

Dave Loftus, a research analyst at ASERT, told SCMagazine.com on Monday that researchers have tracked a trend in POS attacks, which have “shift[ed] from physical skimmers to malware.”

“We are seeing the malware evolve and it looks like many types of malware are beginning to take the form of botnets,” Loftus continued. “We expect to see this going into the future.”
