What’s worse than being recognized as one of the biggest data breaches in history? How about finding out that the culprit responsible for a major hit on your brand and reputation, one that will eventually cost you billions of dollars, was a teenager?

That’s exactly the news Target is dealing with, as security researchers suggest that at least one of the people behind the malware used to attack Target is barely 17 years old. Yet this teen was apparently able to develop a fairly sophisticated piece of malware, known as BlackPOS, that was used to infiltrate Target’s systems undetected, and in spite of his age he is reported to have already earned a reputation for writing advanced malware. The teenager is not believed to have carried out the Target attack himself; instead he is reported to have sold his malware to dozens and possibly even hundreds of hackers and criminal groups, one of which was behind the Target breach.

Those same researchers suggest that at least six other retailers were hit by the same malware, at about the same time as Neiman Marcus and craft giant Michaels both admitted they had fallen victim to a similar type of attack. Given that the malware has already been sold to potentially hundreds of criminal organizations, it’s suspected that dozens of retailers around the world could also be victims. And how much does this teenager make from all the mayhem he’s unleashed? The malware sells for as little as $2,000.

How much this breach will cost Target is yet to be determined. But studies have put the average cost of a data breach at around $188 per compromised record. If that figure holds, and 110 million records were compromised at Target (roughly 40 million payment card records plus 70 million customer records containing names, addresses, phone numbers and email addresses), the breach could eventually cost the company billions of dollars.

POS Malware

POS (point-of-sale) malware has been around for a few years and grows more advanced daily. It’s one of the most obvious targets for an attacker: the POS is not only where credit and debit cards are read, it is also where, for a moment, the card’s track data has to sit unencrypted in the register’s memory so that the payment application can process it. That makes it the ideal place to attack. In the case of Target, the malware is believed to have been a memory scraper: it read card data out of POS process memory during the fraction of a second between when a card was swiped and when the data was encrypted for transmission to the payment processor, harvesting millions of card records that way.
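To make concrete what a memory scraper is hunting for, here is an added example (written for this page, not BlackPOS code or anything from Target or SiteLock) that scans a raw byte buffer for magnetic-stripe Track 1 and Track 2 records and keeps only those whose card number passes the Luhn check. The same pattern match is what a defender can run over a POS process memory dump, a disk image or a log directory to find cleartext card data where none should exist. The sample buffer, the test card numbers (4111..., 5555...) and the byte layout around them are constructed for the example.

```python
import re

# Magnetic-stripe layouts the scanner looks for (ISO/IEC 7813 Track 1 format B and Track 2).
# Track 2: ;<PAN 13-19 digits>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,50}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> list[dict]:
    """Return one finding per Luhn-valid track record in a raw byte buffer.

    Only the last four PAN digits are reported so the scanner itself never
    writes full card numbers anywhere (the report may end up in a ticket).
    """
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue  # sentinel-shaped garbage, not a card
            # Track 1 groups: PAN, name, YY, MM, svc; Track 2 groups: PAN, YY, MM, svc
            yy, mm = (m.group(3), m.group(4)) if track == 1 else (m.group(2), m.group(3))
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_last4": pan[-4:],
                "expiry": f"20{yy.decode()}-{mm.decode()}",
            })
    return sorted(findings, key=lambda f: f["offset"])


def constructed_sample() -> bytes:
    """Constructed stand-in for a slice of POS process memory (not real data):
    two valid test-card track records surrounded by filler, plus one record
    whose PAN fails the Luhn check and must be ignored."""
    return (
        b"\x00" * 64 + b"TXN 0042 OK "
        + b";4111111111111111=25121011234567890?"           # Track 2, Luhn-valid test PAN
        + b"\x00" * 32 + b"\xff\xfe" * 8
        + b"%B5555555555554444^DOE/JOHN^2512101000000000?"  # Track 1, Luhn-valid test PAN
        + b"\x00" * 16
        + b";4111111111111112=2512101000?"                   # fails Luhn, must be skipped
        + b"\x00" * 64
    )


if __name__ == "__main__":
    for hit in scan_buffer(constructed_sample()):
        print(f"track {hit['track']} at offset {hit['offset']}: "
              f"PAN ****{hit['pan_last4']} exp {hit['expiry']}")
```

Run against a real memory dump (for instance the output of a process dump tool on the POS application) the hit count should be zero at rest; anything else is either cleartext card data lingering in memory longer than the payment flow needs it, or a scraper's own harvest file.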

This attack demonstrates what most experts worry about: the well-designed malware, the stuff you really want to avoid, usually isn’t caught by signature-based antivirus software. In lots of environments antivirus is the primary line of defense, and if it fails the intruder is in and you are left defenseless.

There are several stages to successfully executing an attack like this. The attacker first has to get the malware onto a target system undetected; customized and even basic malware can achieve this. Then they have to find and collect the information they are after, move it to a staging area inside the victim’s network ready to be exfiltrated, route it through other servers to hide their tracks, and then off they go into the night.

Because there was so much data to siphon off, and perhaps to avoid triggering alarms, the data stolen from Target was moved out in chunks over time. That meant the hackers were inside the network, with unchallenged access, for weeks.
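The staging-and-exfiltration stages described above, and the chunked transfer over weeks, are exactly what a per-event volume alarm misses and what an aggregation over time catches. The following is an added example (not code from the page, from Target or from any investigation of the breach) that reads constructed egress log lines, aggregates outbound bytes per source/destination pair across distinct days, and flags pairs that move a large total in repeated installments to a destination not on an allow-list. The log format, the IP addresses (documentation ranges), the use of FTP and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed line format for this example: an egress firewall/proxy record with an
# ISO-8601 UTC timestamp, source, destination, protocol and bytes sent outbound.
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\S+) bytes_out=(\d+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, sent = m.groups()
    return {"day": ts[:10], "src": src, "dst": dst, "proto": proto, "bytes": int(sent)}


def find_staged_exfil(lines, min_days=3, min_total_mb=100, known_dests=frozenset()):
    """Flag (src, dst) pairs that send a large total volume spread over several
    distinct days: the low-and-slow pattern a single-transfer threshold misses.
    known_dests is an allow-list of destinations that legitimately receive bulk data."""
    stats = defaultdict(lambda: {"days": set(), "bytes": 0, "protos": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] in known_dests:
            continue
        s = stats[(ev["src"], ev["dst"])]
        s["days"].add(ev["day"])
        s["bytes"] += ev["bytes"]
        s["protos"].add(ev["proto"])

    findings = []
    for (src, dst), s in stats.items():
        total_mb = s["bytes"] / (1024 * 1024)
        if len(s["days"]) >= min_days and total_mb >= min_total_mb:
            findings.append({"src": src, "dst": dst, "days": len(s["days"]),
                             "total_mb": round(total_mb, 1), "protos": sorted(s["protos"])})
    return sorted(findings, key=lambda f: -f["total_mb"])


# Assumed allow-list: a vendor update server that really does receive bulk uploads.
KNOWN_DESTS = frozenset({"198.51.100.10"})


def constructed_logs():
    """Constructed sample (not real traffic): an internal server pushing ~50 MB every
    night to one external host for six nights, routine traffic to an allow-listed
    host, a workstation with small daily transfers, one large one-off transfer,
    and a line that does not parse."""
    lines = []
    for day in range(2, 8):
        lines.append(f"2013-12-{day:02d}T03:1{day}:07Z src=10.20.30.5 dst=203.0.113.77 "
                     f"proto=ftp bytes_out=52428800")
        lines.append(f"2013-12-{day:02d}T09:00:00Z src=10.20.30.5 dst=198.51.100.10 "
                     f"proto=https bytes_out=73400320")
        lines.append(f"2013-12-{day:02d}T14:22:00Z src=10.20.40.12 dst=192.0.2.50 "
                     f"proto=https bytes_out=20480")
    lines.append("2013-12-04T16:05:00Z src=10.20.40.30 dst=192.0.2.9 proto=https bytes_out=262144000")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for f in find_staged_exfil(constructed_logs(), known_dests=KNOWN_DESTS):
        print(f"{f['src']} -> {f['dst']}: {f['total_mb']} MB over {f['days']} days via {f['protos']}")
```

Two design points are worth noting. The nightly 50 MB push never trips a per-transfer threshold and the one-off 250 MB burst never trips the multi-day rule, so the two checks are complementary, not redundant. And without the allow-list the legitimate update server would be the top finding, which is why the list exists; in practice it should be short, reviewed, and itself monitored for changes.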

Often the most powerful tool in these attacks is patience. The malware used appears to be off-the-shelf, affordable, and not very complicated. The hackers were still able to compromise a Target server somewhere, which meant someone in security wasn’t doing their job.

What Can Your Business Learn?

  • The most important lesson every business can learn is that the latest generation of malware is sophisticated enough that even the best security has a hard time catching it. That means you need as many layers of security as you can reasonably build, so that a failure of your antivirus is not a failure of everything: in addition to vulnerability scanning and malware removal, put a web application firewall in place to block malicious traffic, and watch outbound traffic so that data leaving the network in chunks over weeks does not go unnoticed.
  • One of the best ways to minimize the impact of a breach is to minimize the amount of sensitive data you keep. You certainly shouldn’t be hanging on to credit card information or Social Security numbers (harder to avoid for employee records, but still worth minimizing), and PCI DSS in any case forbids storing full magnetic-stripe data, card verification codes or PINs after a transaction is authorized. Even customer physical and email addresses have value to hackers.
  • Test your security constantly, especially your website security, so you catch and plug security holes before the bad guys find them.

And in case you don’t think your business could ever face the same kind of attack as Target, consider this: every day at SiteLock we find thousands of websites that either have major vulnerabilities that could easily be exploited by hackers, or have already been exploited and had malware installed. It’s not worth the risk to wait and see whether you’ll be next.

Google Author: Neal O’Farrell