By Jennifer Bjorhus
Minneapolis Star Tribune
The U.S. Secret Service has called the criminals behind Target Corp.’s monster security breach well-organized, “highly technical” and “sophisticated.”
But cybersecurity firm McAfee Inc. said in a report this week that the heist was anything but exotic, describing the attack as a “Breach 101” operation.
The thieves used easily modified off-the-shelf malware and common methods to hide it inside Target’s point-of-sale system, McAfee said in its fourth-quarter threats report. They also didn’t encrypt either the instructions on where to send the stolen card data or the card information itself as it was being transmitted out of Target to a remote server, a data stream that should have been detected and caught, the report said.
“It’s all just there in black and white,” said Jim Walter, manager of McAfee’s Threat Intelligence Service. “As an attack, it is extremely unimpressive and unremarkable.”
Walter, the chief author of the Target section of the McAfee report, emphasized that he is “not passing any sort of judgment” on Target and could not discuss compliance issues.
The Target section of the report points directly at the nation’s No. 2 discount retailer for a major security miss. The characterization contrasts with other depictions of the attack as highly sophisticated, and renews questions about why Target’s IT security team did not catch it and had to be informed by federal agencies that there was a breach.
Target declined to comment specifically on McAfee’s report.
“While the investigation into this highly sophisticated crime is continuing, we remain committed to understanding the facts and making improvements,” Target spokeswoman Molly Snyder said.
Target’s chief information officer, Beth Jacob, resigned last week amid an overhaul of the company’s information security operations.
Thieves had up to 110 million records from Target late last year after gaining access to its computer systems through the network credentials stolen from a heating and refrigeration vendor. The attack remains the subject of multiple investigations.
If investigators conclude Target wasn’t complying with industry standards for payment card security, the company will be subject to fines. The company could also be vulnerable to legal claims that it was negligent.
McAfee is a Santa Clara, Calif.-based cybersecurity firm that’s now part of Intel Corp.
It is not part of the official Target investigations. According to the report, it gained an understanding of the exact malware used at Target “in cooperation with various agencies.”
In early February, Target CFO John Mulligan testified in a Senate committee hearing that the company has invested “hundreds of millions of dollars” in a range of technology security such as segmentation, malware detection, intruder detection and multiple layers of firewalls.
“We have ongoing assessments and third parties coming in doing penetration testing of our systems, benchmarking us against others, assessing if we are in compliance with our own processes and control standards,” Mulligan told the committee.
McAfee’s report paints a picture of a run-of-the-mill attack.
The BlackPOS-based malware may have been customized for Target’s systems, but it was “far from ‘advanced,’ ” it said.
“The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”
The methods used to hide the malware on Target’s system were nothing new either, it said, calling it “standard practice” for criminals to evade the anti-malware and controls companies use for protection.
Thieves can easily get software online to test a company’s defenses and evade them, it said.