
After Neiman Marcus, Target breaches, experts speak to bull’s-eye on retailers’ backs

After Neiman Marcus confirmed that it was the latest major retailer to be struck by a credit card breach, reports began to surface about a potential link between the massive compromise of Target's POS systems and breaches at other, smaller merchants.

On Sunday, Reuters reported that “similar techniques as the one on Target” were used to attack at least three other “well-known U.S. retailers,” which have yet to come forward.

Unnamed sources told the outlet that a RAM scraper, or memory-parsing software, “which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text,” was used against Target and in the smaller breaches hitting other retailers.

On Friday, security blogger Brian Krebs first revealed that Neiman Marcus suffered a credit card breach of customer data.

While the timeframe coincides with Target's holiday breach (where it was confirmed that malware targeted its point-of-sale systems), neither Neiman Marcus nor Target has verified whether the attacks are linked.

Neiman Marcus has also yet to reveal the magnitude of its breach, such as how many customers are affected, or how the attack was carried out.

On Monday, Ron Gula, CEO and CTO of Tenable Network Security, which specializes in malware and vulnerability discovery, said that the retail industry is ripe for attack, particularly because of the compliance-focused mentality adopted by merchants aiming to meet payment card industry (PCI) guidelines.

“For one, the industry tends to shoot for compliance,” Gula said. “It's generally a goal and something you may not strive to go beyond.”

Furthermore, the holiday season tends to be a time when retailers aren't apt to implement needed software or network changes to harden themselves against attack.

“The second thing is, we just came off of the mythical holiday freeze where [retailers] are locked down, and can't make changes – like patch auditing, resetting passwords, applying software changes or updating the signatures of their anti-virus product – and I believe that creates the perfect target,” Gula said.

“I don't think it's a coincidence that we are finding out about this right after the holiday season,” he later added.

On Monday, Curt Wilson, senior research analyst with Arbor Networks' security engineering and response team (ASERT), said that the operation did not appear to be linked to the Target and Neiman Marcus incidents. Wilson had discussed in December how the point-of-sale (POS) malware Dexter was being used in a campaign against U.S. targets.

Wilson did add, however, that criminals targeting retailers are often being emboldened by the success of previous attacks.

He said that there are numerous ways attackers may have scaled their attacks to steal card data. “We've also seen incidents where vendors themselves are compromised – so any weak link, or anywhere that the card data is not encrypted, either over the wire or in memory, creates a point of vulnerability,” Wilson said.
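The memory-exposure point made by Wilson above, and by the Reuters sources' description of a RAM scraper, can be illustrated from the responder's side. The following is an added example, not code from the article or from any vendor named in it: it sweeps a constructed process-memory dump for Track 2 card data the way an incident responder scopes a POS compromise, since the plaintext a RAM scraper can read is exactly what a forensic sweep finds, while a terminal that encrypts at the card reader leaves nothing for either. The dumps and PANs are constructed test values (standard Luhn-valid test numbers, no real card data).

```python
import re

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
# PAN is 13-19 digits; expiry is YYMM; service code is 3 digits.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[0-9=]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check: drops random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(memory: bytes) -> list:
    """Return masked findings for every Luhn-valid Track 2 record in a dump."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({
                "offset": m.start(),
                "pan_masked": mask(pan),
                "expiry": m.group(2).decode(),
                "service_code": m.group(3).decode(),
            })
    return hits


# Constructed dump of a POS process that handles card data in the clear:
# two valid test records and one decoy that has the right shape but fails Luhn.
PLAINTEXT_DUMP = (
    b"POS-APP heap\x00\x00;4111111111111111=25121011234567890?"
    + b"\x00" * 8
    + b";1234567890123456=2512101?"
    + b"\x00" * 8
    + b";5500000000000004=26061010000000000?\x00"
)

# Constructed stand-in for a dump where the reader encrypted the track before
# the application saw it: only ciphertext-like bytes, nothing to parse.
ENCRYPTED_DUMP = b"\x9c\x41\xe7;03=1\xaa\xf2\x07\x5b\x3b\x31\x3d\xc4\x88\x19\x3f\x00"
```

Track data found this way in a dump from a "PCI-compliant" host is the practical evidence that compliance on paper did not keep card data out of plaintext memory.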

On Monday, a spokeswoman for Neiman Marcus said in a statement that the retailer was informed by its merchant processor in mid-December of “potentially unauthorized payment card activity” occurring at its stores.

It wasn't until Jan. 1 that a forensics firm confirmed that Neiman Marcus had suffered a cyber intrusion “and that some customers' cards were possibly compromised as a result,” the statement said.

Dave Loftus, a research analyst at ASERT, said on Monday that researchers have tracked a trend in POS attacks, which have “shift[ed] from physical skimmers to malware.”

“We are seeing the malware evolve and it looks like many types of malware are beginning to take the form of botnets,” Loftus continued. “We expect to see this going into the future.”
