A series of spectacular cyber attacks have breached big-name retail stores in recent months, including Target,Nieman Marcus, and Michaels. These incidents are the only latest in what has become an alarming trend.
In 2013, for example, the U.S. Department of Justice (DoJ) profiled a financial hacking scheme in which four Russians and one Ukrainian penetrated the computer networks of retail organizations. This series of attacks yielded more than 160 million credit card numbers — and cost corporations and consumers hundreds of millions of dollars. The cybercriminals sold the credit card data (which was stored on computers scattered around the globe) and sold it via hacker forums. They charged $10 for American cards and $50 for European cards.
The FireEye Dynamic Threat Intelligence™ team can confirm that the retail sector faces an increased risk from actors using point-of-sale (POS) malware to steal customer credit card data. Ongoing attacks against our retail clients align closely with the DoJ revelations and recent headlines. FireEye is actively tracking one financial threat group that we believe is associated with Russian and Ukrainian attackers.
FireEye has tracked financial cybercrime for many years.
In 2007, FireEye observed multi-stage attacks. These attacks typically begin with an SQL injection against a target’s Internet-facing systems. Next, attackers dive deeper into the compromised network, systematically finding and exfiltrating sensitive data. Finally, the attackers install backdoors in the network so that they can return at will.
In 2009, FireEye investigated the compromise of a major beverage retailer. In that attack, criminals obtained access to the retailer’s Internet server and cash registers. The attackers installed “The Perfect Keylogger” application to steal cardholder data. At regular intervals, malware sent stolen information to a File Transfer Protocol (FTP) site and AOL e-mail address. Afterward, the malware deleted itself and other evidence to frustrate forensics researchers.
Cybercriminals are highly creative, and they constantly invent new moneymaking schemes. In the U.S., for example, some attackers have simply hacked into a retailer’s Internet server and changed the shipping address associated with certain high-value orders. The unwitting retailer sends purchases bought with a stolen credit card to an unoccupied house, where a local “money mule” picks it up.
This scam has an immediate, tangible impact: retail losses from reversed credit-card charges. But such attacks also indirectly hit a retailer’s long-term bottom line through lawsuits, social media backlash, damaged reputations, and loss of consumer confidence.
At a minimum, FireEye recommends a twofold defense for retailers at risk from such attacks:
- Put a solid cyber incident response (IR) plan in place.
- Deploy a security platform that identifies both known and unknown threats, such as the zero-day attacks employed by advanced persistent threat (APT) actors.