Target-like attack unlikely against small retailers

Sophisticated methods that can dodge detection are typically reserved for specific companies in targeted attacks, say experts

Traditional security defenses that would have failed against sophisticated attacks like the one against Target are still necessary in protecting small businesses, experts say.


The malware used in the Target attack was built to avoid detection by anti-virus software and in fact eluded discovery by the more than 40 AV tools found on the site virustotal.com, the security blog KrebsOnSecurity reported.

The level of sophistication seen in attacks aimed at specific companies is unlikely to be used against small retailers, which instead need to build defenses against run-of-the-mill attacks on PCs.

Those attacks start with emails carrying malware or links to malicious websites. Once a system is compromised, the malware will typically look to steal credentials for online banking sites.

"The Targets of the world are going to be hit with customized malware that security software by and large won't detect using traditional methods," Christopher Budd, global threat communications manager for Trend Micro, said. "A small, medium-sized business will likely be targeted with something off-the-shelf that, in most cases, is well-known."

In general, small retailers do not use POS devices, but instead use scanners connected directly to a card processor's network. As a result, smaller retailers are more likely to be victims of credit-card "skimming attacks" in which special hardware is used to grab data before it gets sent to the network, Jason Fredrickson, senior director of application development at Guidance Software, said.

"I'd probably be more concerned about restaurants than small retailers, because more restaurants have POS systems," Fredrickson said.

In the case of restaurants, the attacker is more likely to be an insider stealing credit-card information.

For small retailers and businesses, multiple layers of traditional security software are recommended, starting with applications that examine the content of email for spam and phishing attacks.

Other defenses would include anti-virus software and applications that prevent or warn computer users when they are clicking on a link that heads to a known malicious website.

The malware used against Target stole the financial and personal information of 110 million customers. The malicious code grabbed the data from the memory of Target's point-of-sale devices as soon as customers swiped their debit or credit card. The theft occurred during the holiday shopping season, the busiest time for retailers.

The malware used in the attack is called BlackPOS, which is crude but effective crimeware, according to KrebsOnSecurity. Criminals apparently compromised a Target Web server first and then managed to get the malware onto POS devices.


The malicious code created a server on Target's network for storing data before transmitting it to a virtual private server in Russia, according to security vendor Seculert. A total of 11 GB of information was transferred during a two-week period starting Dec. 2.
