MIAMI, FL - DECEMBER 19:  A customer signs a credit card statement next to a scanner in a Target store on December 19, 2013 in Miami, Florida. Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.  (Photo by Joe Raedle/Getty Images)

The now-infamous Target data breach exposing customers’ personal and financial information appears to have occurred in two distinct stages, with a nearly weeklong pause between the first and the second phases, a data-security company disclosed Thursday.

Seculert, based in Silicon Valley, said it has identified and scrutinized the malware that was used to compromise client data in what is being described as the most serious such data-security breach in U.S. history.

The malware initially compromised the Target point-of-sale equipment that reads customers’ cards and extracts financial and personal information from them, according to an analysis by the security company’s research lab.

After a six-day pause, a second phase of the attack hijacked a separate, also-infected system within Target to transmit the stolen customer data to an external server, according to Seculert.

Such transmissions occurred several times over a two-week period starting Dec. 2, it said.

That is also when the cybercriminals used a second server located in Russia to shift the data from the first server before it was made widely available for illegal purchase online.

Seculert detailed its analysis Thursday in a blog post at bitly.com/Seculert.

Minneapolis-based Target first disclosed the data breach last month, at the height of the holiday shopping season. It said then that debit- and credit-card data from up to 40 million customers were compromised. It then said on Jan. 10 that a separate attack stole data from up to 70 million more customers.

Security experts expressed little surprise at the criminals’ multi-pronged strategy as described by Seculert.

“I’m not surprised by the two-stage attack on Target,” said Dipto Chakravarty, executive vice president of engineering and products at Florida-based ThreatTrack Security. “Cybercriminals want to gather all the data first, then in a few motions, download the data. It’s a very common attack pattern and likely to become increasingly so.”

Vincent Berk, chief executive at New Hampshire-based FlowTraq, called this approach “very crafty, and a sign of things to come.”

Malware specifically targeting point-of-sale systems “has been around for a few years and getting more advanced daily,” said Neal O’Farrell, director of California-based Identity Theft Council. “If the POS is not only where credit and debit cards are being collected, but where (their data) is unencrypted and in plain text, it’s the ideal place to attack.”

The holiday data breach at Target Corp. appeared to be part of a broad and highly sophisticated hacking campaign against multiple retailers, according to a report by iSight Partners Inc., a Dallas cybersecurity company working with the U.S. Secret Service and the Department of Homeland Security.

In some of the first details to emerge about the source of the attack, the report said parts of the malicious computer code used had been on the online black market since last spring and were written partially in Russian. In addition, the computer code that infected Target’s payment card devices couldn’t be detected by any known antivirus software, according to the report.

Target officials are expected to testify in early February in Washington on the breach, according to a release from the House Commerce, Manufacturing and Trade Subcommittee.

Dow Jones Newswires contributed to this report.