Target credit card data was sent to server in Russia

The data was quietly moved around on Target's network before it was sent to a US server, then to Russia

Security company Seculert found that data stolen in the Target breach was received by a compromised U.S. server, then sent to a Russian server.

Security company Seculert found that data stolen in the Target breach was received by a compromised U.S. server, then sent to a Russian server.

The stolen credit card numbers of millions of Target shoppers took an international trip - to Russia.

A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history.

Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks.

"The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity," according to a January 14 report from iSight Partners, a Dallas-based information security company.

Over two weeks, the malware collected 11GB of data from Target's POS terminals, said Aviv Raff, CTO of the security company Seculert, in an interview via instant message on Thursday. Seculert analyzed a sample of the malware, which is circulating among security researchers.

The data was first quietly moved to another server on Target's network, according to a writeup on Seculert's blog. It was then transmitted in chunks to a U.S.-based server that the attackers had hijacked, Raff said.

Logs from that compromised server show the data was moved again to a server based in Russia starting on December 2. Raff said it's difficult to say if the attackers are based in Russia.

"No one knows who is really behind this," he said.

ISight is working with the US Secret Service to look into the Target breach, which compromised payment card and personal details of up to 110 million people between November 27 and December 15, 2013, the busiest shopping time of the year.

A US Department of Homeland Security spokesman said Thursday that a separate, private report with input from iSight and government agencies on the Target compromise could not be publicly released.

Target has not revealed how intruders breached its network but said that its POS terminals were infected with malware.

In its January 14 analysis, iSight wrote that the "Trojan.POSRAM" malware collected unencrypted payment card information just after it was swiped at Target and while it sat in a POS terminal's memory. The type of malware it used is known as a RAM scraper.

The code of "Trojan.POSRAM" bears a strong resemblance to "BlackPOS," another type of POS malware, iSight wrote. BlackPOS was being used by cyberattackers as far back as March 2013.

At the time of its discovery, Trojan.POSRAM "had a zero percent antivirus detection rate, which means that fully updated antivirus engines on fully patched computers could not identify the software as malicious," iSight said.

Small code changes are often made to malware to make it undetectable to security products, which appears to have been done in this case.

Although Trojan.POSRAM and BlackPOS are similar, the Target malware contains a new attack method that evades forensic detection and conceals data transfers, making it hard to detect, iSight wrote on its website.

Target's problems point to the difficulties of defending large, Internet-connected networks, said Levi Gundert, a former Secret Service agent and now a technical lead for threat research, analysis and communications at Cisco.

"It's literally impossible to prevent unauthorized access to the network," Gundert said in a phone interview.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags TargetintrusionsecurityiSight Partnersdata breachSeculertdata protectionmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?