January 20, 2014

"TAR-JAY shoppers Targeted... by KAR-TOE-SHA."

Have you heard about the potato/kaptoxa?


rhhardin said...

Use virtual credit card numbers.

You generate one from your account, give it to the merchant (online), and it's only good for the first merchant that uses it.

Which means that when stolen it's useless, unless the thief tries to use it at the same merchant, unlikely.

Complication : Amazon (for instance) charges from different names, so you have to keep straight which number works with which kind of purchase.

1. Pure Amazon

2. Third party seller

3. Amazon prime renewal

are the three I know of.

gadfly said...

Christian Science Monitor headline:

"Target, six other retailers apparently no match for Russian teen’s 'potato' hack"

Of all people, Meade must know that the "potato hack" is a diet.

Tibore said...

That CSMonitor story is a bit out of date. Some updates:

1. It's correct that the trail led to a Russian teen, but it not only doesn't stop there, it's probable that he was only a minor participant. IntelCrawler has now tabbed a different Russian named "Rinat Shabayev" as the person responsible. The confusion resides in the fact that the "Shabayev" person is the actual human behind the nickname "ree[4}" with Sergey Tarasov/Taraspov being mis-ID'd as such. The 17 year old is still attached somehow, but it's not clear yet how.

2. It's an oversimplification to say the "standard malware" package was "tweaked". To be more clear, it was purposefully designed to escape then-current detection.

3. While the author(s) of the malware likely wrote the a similar package that was responsible for the Neiman Marcus compromise, the actual execution of the compromise may have been carried out by a different party than the Target intrusion. This is based on the fact that the FTP server ID'd as a middleman in transferring the stolen data from Target had no data at all belonging to Neiman Marcus. Furthermore, if initial reports are accurate, the Neiman Marcus compromise may have happened first, back in summer 2013. None of that rules out a relationship beyond the malware authors, but it does indicate an independence between the two events.

4. The CSMonitor story also for some odd reason leaves out the fact that the attack vector was known to be through a compromised web server. The specifics of how the web server was leveraged to attack Targets internal network are not yet public, but once internal access was gained, the POS compromising malware was then distributed to all the POS registers it could reach. That was only for the payment card data; no details have yet emerged on where the intruders got the email and physical addresses of customers (that is not part of a credit card's mag stripe data).

Multiple sources for all of the above: Brian Kreb's blog and Twitter account, Crowdstrike's blog, McAfee Labs' blog, iSightPartner's website (but the specific page I read last week went missing for some reason... probably behind a paywall now or something), and a few other IT Sec sites I can't remember at the moment. I'm not linking because Blogger for some odd reason dumps my posts when I do that, and it doesn't always end up in the spam quarantine area for Professor Althouse to release.