Target Credit Card Data Was Sent To a Server In Russia

Posted by Soulskill
from the really-just-a-misformatted-order-for-vodka dept.
angry tapir writes "The stolen credit card numbers of millions of Target shoppers took an international trip — to Russia. A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history. Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks. Over two weeks, the malware collected 11GB of data from Target's POS terminals. The data was first quietly moved to another server on Target's network and then transmitted in chunks to a U.S.-based server that the attackers had hijacked. Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2." A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson.

  • Re:in soviet russia (Score:4, Informative)

    by bradgoodman (964302) on Friday January 17, 2014 @11:09AM (#45985967) Homepage
    I only checked the posts here to read the impending "In Soviet Russia..." jokes.
  • Re: POS (Score:5, Informative)

    by jythie (914043) on Friday January 17, 2014 @11:53AM (#45986609)
    It is also possible that their underwriters could claim that Target did not take due diligence in protecting its network and thus a full payout is not warranted. Insurance companies do not like being treated like a blank check to not take precautions.
  • Re: POS (Score:5, Informative)

    by mythosaz (572040) on Friday January 17, 2014 @12:56PM (#45987627)

    Doesn't appear that way to me..

    The actual report on the software installed on the agent makes it pretty clear that the information was being gathered locally and forwarded internally to a collection point before being sent to Russia, like I suggested in previous threads:

    http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf [krebsonsecurity.com]

    The point of sale machines try to make a connection to \\10.116.240.31\c$\WINDOWS\twain_32 -- an obvious store-and-forward point on the network for exporting the card data outside of Target. Hackers compromised this box, likely named ttcopscli3acs, since the credentials passed to 10.116.240.31 were ttcopscli3acs\Best1_user with a password of BackupU$r.

    It also made port 80 requests to 10.116.240.31 -- the server the hackers "owned" inside of Target.

    The rest of the breakdown only details the registry changes that happen when you install a service -- which was the install vector. There isn't a discussion of how the skimming/scanning/card-stealing software was distributed, but...

    IT WAS OBVIOUS THEY WERE ALREADY INSIDE THE NETWORK - they (p)owned servers - so it's a reasonable guess that they just deployed the software without needing any hole on the workstations.

    The twain_32 folder is one of those things that casual inspection would overlook - and obviously did.
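
A defender's view of the pattern described in the comment above, added here as an example and not part of the original thread or the linked report: flag POS terminals that touch an administrative share, and report folders that several terminals write into. The subnet, host names, account names and log records are constructed assumptions; the field names follow Windows event 5145 (detailed file share auditing).

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration only; none of them come from the thread.
POS_NET = ipaddress.ip_network("10.20.0.0/16")  # hypothetical POS terminal subnet
ADMIN_SHARES = {"c$", "admin$"}                 # default administrative shares
FAN_IN_THRESHOLD = 2                            # distinct terminals per target folder

# Constructed sample records, keyed like Windows event 5145 fields.
SAMPLE_EVENTS = [
    {"Computer": "srv-a", "IpAddress": "10.20.1.11", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"WINDOWS\twain_32\a_1.txt"},
    {"Computer": "srv-a", "IpAddress": "10.20.1.12", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"WINDOWS\twain_32\b_1.txt"},
    {"Computer": "srv-b", "IpAddress": "10.40.0.7", "SubjectUserName": "admin1",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Temp\patch.msi"},  # not a POS source
    {"Computer": "srv-c", "IpAddress": "10.20.1.11", "SubjectUserName": "pos_app",
     "ShareName": r"\\*\Updates", "RelativeTargetName": r"catalog.xml"},  # ordinary share
]

def share_leaf(share_name):
    """Return the lower-cased share name without the leading \\\\*\\ prefix."""
    return share_name.rsplit("\\", 1)[-1].lower()

def admin_share_hits(events):
    """Events in which a POS terminal accessed an administrative share."""
    return [e for e in events
            if ipaddress.ip_address(e["IpAddress"]) in POS_NET
            and share_leaf(e["ShareName"]) in ADMIN_SHARES]

def collection_points(events, threshold=FAN_IN_THRESHOLD):
    """Map (server, share, folder) to source IPs when enough terminals use it."""
    fan_in = defaultdict(set)
    for e in admin_share_hits(events):
        folder = e["RelativeTargetName"].rpartition("\\")[0].lower()
        fan_in[(e["Computer"], share_leaf(e["ShareName"]), folder)].add(e["IpAddress"])
    return {k: sorted(v) for k, v in fan_in.items() if len(v) >= threshold}

if __name__ == "__main__":
    for key, sources in collection_points(SAMPLE_EVENTS).items():
        print(key, sources)
```

Event 5145 is written on the server hosting the share, so this check runs over logs collected from servers rather than from the terminals themselves.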

  • by Solandri (704621) on Friday January 17, 2014 @01:04PM (#45987755)

    b) If a consumer gets hit by a fraudulent cc charge, they don't eat the charge. They call their cc issuer and the issuer eats the charge. That is in part what your double digit interest rate is paying for.

    Fraudulent credit card charges are paid for by the merchant who sold the goods to the fraudster. When you contest a charge, the credit card issuer does a chargeback and reverses the charges on the merchant who made that transaction. The merchant then has to try to prove the charge is legit (e.g. produce a signed receipt whose signature matches the cardholder's), or he is out both the merchandise and the money. The issuer pays nothing for fraud, except for small transactions where they may decide to credit the cardholder without reversing the charges on the merchant (the charge is deemed too small and not worth the expense of investigating).

    Your double-digit interest rate pays for other credit card holders who default on their bills. And to line the pockets of the credit card issuer.
