The hacking of Target servers to obtain millions of passwords and credit card numbers may have been the most successful
in U.S. history, but the worst may be yet to come, warns the FBI.
The nation's top law enforcement agency is warning companies that deal with massive amounts of consumer data that is on the rise, citing some 20 attacks on big companies in the past year. Target saw more than 40 million credit and debit card records affected during the holiday shopping season by its breach, and the personal information of 70 million customers was also compromised. Luxury retailer Neiman Marcus announced this week that 1.1 million of its accounts were compromised by hackers in the middle of last year.
Just Scraping the Surface
A Jan. 17 report sent to big data companies, "Recent Cyber Intrusion Events Directed Toward Retail Firms," was obtained by Reuters news service. It warns that the attacks involve RAM scraping at the point of service (POS), in which data from the magnetic card swipers at stores can be stolen during the brief time the data is in a computer system's memory before it is encrypted.
"The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI warned in the report, as quoted by Reuters.
Calls to the FBI's New York media office regarding the report were not returned in time for publication.
Crime targeting big data is expected to be a major issue of 2014, and not only in the United States. Germany recently saw a major e-mail breach and South Korea saw a counterfeit credit card scheme affecting some 60 million accounts.
Hackers don't only engage in this activity firsthand, but design so-called root-kits to sell to others. Some experts believe the Target hacking was accomplished using off-the-shelf malware coded by a pair of Russian teens, who then sold the malware to the cybercriminals who used it on Target.
The FBI's report, Reuters said, delves into the threat of the growing malware market, citing a program called Alina that can be remotely updated to evade detection and removal, which has been offered for sale for as little as $6,000, a small investment considering the potential net gain in illegal profit.
"The high dollar value gained from some of these compromises can encourage intruders to develop high-sophistication methodologies, as well as incorporate mechanisms for the actors to remain undetected," the FBI said in the report.
Chester Wisniewski, senior security analyst at Sophos, told us he was glad to see the FBI being proactive on this issue.
"We have been writing about this malware for over three years, hoping to help raise awareness among merchants and provide tools and advice to protect them as well," he said.
"While the FBI may only be hearing of a few cases, we are detecting malware similar to the Target malware more than 150 times every week."
He said Sophos would present a demonstration about the malware at the coming RSA security conference.