A few weeks ago it became known that the American retail corporation Target had suffered a large-scale compromise of its customers' data. The attackers managed to install malicious code on the computers connected to the payment terminals (POS, Point of Sale) through which purchases are paid for with credit cards. As a result of a well-planned operation to deploy and operate the malicious code, the confidential credit card data of more than 50 million users were compromised. A little later, information appeared that the attackers had also gained access to confidential information about Target customers and employees such as email addresses and phone numbers.

To steal the credit card data, the attackers used tools that are popular with carders, for example a memory grabber, which extracts information from the memory of the process of interest at the moment a transaction is performed. One of the first to publish detailed information about the new malicious code was iSight, which named it Trojan.POSRAM. ESET anti-virus products detect it as Win32/Spy.POSCardStealer.R, Win32/Spy.POSCardStealer.S and Win32/Spy.POSCardStealer.T (Symantec: Infostealer.Reedum.B; Microsoft: Trojan:Win32/Ploscato.A). This malicious code was written specifically to compromise POS systems, but the attackers also used other tools, known as greyware or HackTool, to perform certain operations (among them the entirely legitimate Sysinternals PsExec utility, which carries a valid digital signature). This indicates that they had remote access (a backdoor) to the compromised computers.

A few days ago the California-based company IntelCrawler told the media that a resident of St. Petersburg was involved in developing the Trojan.POSRAM code. IntelCrawler calls this malicious code KAPTOXA, the colloquial Russian word for "potato" written in Latin letters. The company's report states that the attackers themselves initially used this word to name their malicious code.

The scale of the operation carried out by the attackers is impressive. Target had earlier reported attacks on its systems in the fall of last year; it is quite possible that those were the initial reconnaissance for the operation to install the malicious code.