The malware that may have been used in the Target breach could also have affected a “large number” of other retailers’ information systems, according to a report released Thursday by security researchers and government officials.
A brief summary of the report, posted by the Dallas-based security firm iSIGHT Partners, said that a piece of malicious software known as KAPTOXA is targeting retailers’ point-of-sale systems. The company did not name specific retailers, but indicated that its investigation began on Dec. 18, the day before Target first announced that a breach had affected as many as 40 million customers. The company later broadened its estimate to say that the attack may have compromised the information of up to 110 million customers.
The report indicates that the malware is designed to “hook” into the payment application and watch the regions of system memory where that application holds card data. When a payment is authorized, that data must be decrypted in memory, and the malware identifies it there and copies it out.
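The mechanism described above, scanning process memory for cleartext card data, is the same one a defender can use in reverse: dump the memory of the payment process and look for magnetic-stripe track data that should not be sitting there in the clear. The following is an added illustration and is not code from the report, from iSIGHT or from the malware itself; it scans a constructed byte buffer (standing in for a memory dump) for ISO 7813 Track 1 and Track 2 layouts and uses a Luhn check so that random digit runs are not reported as card numbers. The sample buffer, the test card number 4111111111111111 and the function names are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,40}\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})\d{0,30}\??")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits (the PCI DSS display rule) and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict]:
    """Scan a memory buffer for Track 1/Track 2 data; keep only hits whose PAN
    passes Luhn and whose expiry month is plausible, to cut false positives."""
    hits: List[Dict] = []
    for m in TRACK1_RE.finditer(buf):
        pan, yy, mm = m.group(1).decode(), m.group(3).decode(), m.group(4).decode()
        if luhn_ok(pan) and 1 <= int(mm) <= 12:
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode("ascii", "replace"),
                         "expiry": f"{mm}/{yy}", "service_code": m.group(5).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm = m.group(1).decode(), m.group(2).decode(), m.group(3).decode()
        if luhn_ok(pan) and 1 <= int(mm) <= 12:
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "expiry": f"{mm}/{yy}", "service_code": m.group(4).decode()})
    return hits


# Constructed stand-in for a process memory dump (assumption, not real data).
# It mixes two genuine-looking track records with two decoys that a regex-only
# scraper would flag but that fail the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POSApp\x00settings=1\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?\x00"     # Track 1, valid PAN
    b"\x00;4111111111111111=25121010000000000?\x00"            # Track 2, same PAN
    b"\x00;4111111111111112=2512101000?\x00"                   # Luhn fails: noise
    b"\x00txn=1234567890123=20140117\x00"                      # looks like Track 2, is not
)


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: "
              f"PAN {mask_pan(h['pan'])} exp {h['expiry']} sc {h['service_code']}")
```

Run against a real dump, the same logic tells you whether the payment process ever exposes full track data in memory at all; a scraper can only steal what is there, so an application that clears or never holds cleartext track data leaves it nothing to find. The Luhn and month checks matter in both directions: they are what separates card data from the countless digit runs in any process image, which is why a scraper's own filter tends to look much like this.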
The malicious software used in this attack bears strong similarities to other malware for sale on the Russian-language underground that is specifically designed to attack retailers’ point-of-sale systems, the report said.
Parts of the attack on Target and the other retailers, which the report did not identify by name, were technically sophisticated, the report said. What truly set the attack apart, however, was its level of coordination. Without offering much detail, the researchers said that the perpetrators “leveraged a variety of other tools” to break into the targeted networks.
“The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity,” the report said.
The Department of Homeland Security has not made its report, which lays out what actions industry organizations can take to defend their networks, available to the public.
The department did, however, say that it continues to work closely with public- and private-sector partners to investigate this and other cyber threats.
“Information sharing is a key part of the Department of Homeland Security’s (DHS) important mission to create shared situational awareness of malicious cyber activity,” DHS spokesman S.Y. Lee said in a statement.
The report from iSIGHT indicates that KAPTOXA was derived from another type of malicious software that affects store registers, called “BlackPOS.” Cybersecurity reporter Brian Krebs noted that similarity Wednesday, saying that the malware used in the Target attack resembled that software, which he called a “relatively crude but effective” piece of software sold to cybercriminals on forums.
These malware kits, cybersecurity experts have said, have made it easier than ever for criminals with less sophisticated skills to conduct major attacks.
“It used to be that you had to have a sophisticated nation-state funding” to execute this kind of attack, said Dave Burg, Global & U.S. Advisory Cyber Security Leader at PricewaterhouseCoopers. “We’re now seeing a commoditization which results in the increased likelihood of attack.”
Follow The Post’s new tech blog, The Switch, where technology and policy connect.