Around Black Friday 2013, the busiest and most profitable shopping period of the retail calendar, Target discovered that the payment card data passing through its point-of-sale systems had been stolen. After a preliminary internal assessment of the severity of the breach, the company notified the Justice Department and engaged an outside forensics contractor to help contain the attack.
The Secret Service, the federal agency responsible for investigating financial crimes, led the investigation. The scale of the theft made matters worse: roughly 40 million credit and debit card records were stolen, and personal information (names, addresses, phone numbers and e-mail addresses) of up to 70 million customers was exposed, making it one of the largest card-data thefts in United States history.
In the following essay we look at the events leading up to the attack and the vulnerabilities that exposed Target to it, and at the people responsible for the hacking. We then cover the hack itself and its consequences, both for the retailer and for the country. Other stores and institutions that have been victims of cyber crimes of similar proportions are the last topic.
The background of the attack
Investigations by law enforcement and security researchers traced the initial point of entry to a third-party vendor. Specifically, Fazio Mechanical Services, a heating and refrigeration contractor, has been identified as the way in: an employee there opened a phishing e-mail carrying credential-stealing malware, sent by the attackers under some disguise.
The company relied on the free edition of Malwarebytes Anti-Malware, a capable on-demand scanner that, in its free form, offers no real-time protection and only finds malware when a scan is run by hand. The malware therefore went unnoticed when it arrived and stayed on the machine, waiting for the credentials it was there to harvest.
The attackers evidently decided that the easiest way into Target was to piggy-back on a third party's legitimate access, and Fazio may have been picked as the weakest of Target's vendors before the attack was launched. With the malware on Fazio's computers, it only had to wait until an employee typed a username and password into Target's vendor portal. Those captured credentials gave the attackers their first foothold, the first step in what was, technically, a simple intrusion.
Logging in with the stolen vendor credentials put the attackers on Target's vendor-facing systems, but that is not where the money was. The vendor portal gave no access to the company's financial or operational data, so the attackers still had to get past the boundary between that external-facing system and Target's internal network to reach the real objective: card numbers to sell on the underground market.
Experts point to Target's Ariba external billing system, a vendor-facing web application, as the system most likely used to get inside, reportedly by disguising the attackers' traffic as legitimate vendor data being submitted to Target. Once past that boundary, the attackers had free run of the corporate network, the one used by staff to access sensitive financial and operational information. From there they could reach the payment network, which is precisely the connection that proper network segmentation should have prevented.
The next target was the Windows-based servers and terminals that make up the point-of-sale (POS) system, in preparation for the real heist of data worth millions of dollars on the black market. Once they controlled those servers, the infiltration was complete; all that remained was to arrange a way to move the data out to servers they controlled, where they could handle it as they pleased.
What makes this puzzling is that Target was not poorly defended on paper. About six months earlier the company had deployed a $1.6 million malware-detection system from FireEye, a product whose credibility has never been questioned: FireEye was backed by In-Q-Tel, the CIA's venture arm, and counted the Pentagon among its customers. Investigations later confirmed that the system was providing real-time detection on Target's network.
Like many US corporations, Target ran an overseas security operations team to do the routine work of monitoring network traffic around the clock. Such teams report any anomaly that may need action back to headquarters. Target's team was located in Bangalore, India.
On November 30th, the FireEye system detected anomalies on the network and raised alerts at its highest severity level. The Bangalore team received the alerts and escalated them to Target's security operations center in Minneapolis. Despite multiple alerts, no action was taken to stop the attack or to investigate them.
FireEye's option to automatically delete detected malware had been turned off by Target's security staff, reportedly because they were not yet comfortable letting the new tool act on its own. This was the turning point of the attack: that single lapse on Target's part allowed the attackers to siphon off roughly 11 gigabytes of card data.
At the point when the Bangalore team saw the alerts, only one phase of the attack was still incomplete. Having created an entry point, the attackers needed a point of exit for the data they were about to steal. What the software detected was the installation of exfiltration malware on Target's servers, creating the path by which stolen data would be moved out.
That malware connected to servers in the United States under the attackers' control, which in turn relayed the data to servers in Eastern Europe, Russia in particular. A hosting provider in Moscow was questioned about the domain the attackers used to move the data onto their servers.
So, despite the recently installed detection system, Target was under attack. Starting on December 2nd, data flowed out of Target's servers to relay servers somewhere in the United States, and from there on to Moscow.
The malware used on the POS terminals to extract the data was identified as Trojan.POSRAM, a variant of the BlackPOS family. It is a memory scraper: card data has to be decrypted into a terminal's RAM to be processed, so the malware scans process memory for the magnetic-stripe track data of every card swiped, across the terminals in roughly 1,800 stores.
The scraped track data was written to a file and periodically copied over the internal network to a compromised staging server inside Target's own network. That staging host meant the POS terminals never needed a direct connection to the internet, and it hid the theft behind ordinary internal file traffic.
From the staging server the dumps were pushed to external drop servers, from which the attackers could retrieve them at their convenience and sell them on the black market. The transfers were made during the day, at peak shopping hours, when the outbound flow blended into the normal volume of network traffic.
Effects of the hack
Target did not learn of the ongoing attack until December 12th, when the Justice Department notified the company; iSIGHT Partners, working with the Secret Service, analysed the malware. The public was not informed until security journalist Brian Krebs reported the breach on December 18th, with Target confirming publicly on December 19th that shoppers' card details had been stolen.
In the period following the announcement, several banks advised customers who shopped at Target to be wary of any contact from unknown parties asking for personal details. Some advised their cardholders to change their PINs, and many customers reported unexplained charges on their credit and debit card accounts.
Target was forced to spend millions of dollars staffing help centers where affected customers could get assistance with their concerns. To head off a panic-driven slump in sales, the company announced a 10% storewide discount on the weekend before Christmas. Nevertheless, the retailer saw considerably fewer shoppers in the run-up to Christmas, with a 4-5% drop in sales volume reported, even as other stores recorded higher sales from Christmas shoppers.
As details continued to emerge from the investigation, the company found itself facing about 80 lawsuits brought by banks, which accused it of lax security, and by customers who had suffered losses after the theft of their card details. Experts agreed that the theft was made far more profitable by the magnetic-stripe cards issued by US banks: the stripe stores the card data in cleartext, so a stolen track can be written onto a counterfeit card and used.
This is a less safe option than the EMV chip cards standard in Europe, which generate a one-time cryptogram for each transaction, so that captured data cannot be replayed to make counterfeit cards. Chip cards had been resisted in the United States because of the high cost of replacing terminals and cards. The breach intensified calls to overhaul the payment system and move to chip cards to protect customers from similar attacks.
As a show of confidence, Target announced that it would invest $100 million in payment terminals that accept chip-and-PIN cards. This expenditure came on top of what it paid in damages to customers and partners, with cardholders receiving a total of $10 million in a class-action settlement.
This was in keeping with promises made before the suit that cardholders would not bear losses resulting from the theft of their financial information, with that cost being shouldered instead by the retailer.
In the month after the hack, Target's shares held mostly steady, neither dropping nor rising. That is an indication of investor confidence in the retailer's ability to withstand an attack of this magnitude. Apart from the drop in shoppers, not much else changed at the store either.
The software provider FireEye, on the other hand, benefitted greatly from the reported performance of its product: a month after the hack was made public, its shares had more than doubled in value. This was driven by a spike in demand for malware-detection software from other corporations keen to avoid a similar attack, and a surge in investor confidence in the company, leading to healthy demand for its shares on the exchange.
Investigators who responded to the initial alert from Target hit pay dirt not long after the investigation began: they found stolen data on US servers the attackers had used as a relay between Target and Moscow. That evidence gave the Secret Service the leads it needed to begin a worldwide manhunt for the attackers, one that lasted months and turned up crucial information and insight into the hacking.
The greatest impact of the hack, however, was the Congressional inquiry it prompted into the conduct of executives before, during and after the attack. Months of hearings followed in which Senators listened to detailed accounts of the hack. There was collective anger at the casual way in which sensitive card data had been treated, and further promises to move the payment system to chip cards rather than the more vulnerable magnetic-stripe technology.
After the highly publicized hearings, Target's Chief Information Officer resigned from her position. The CEO also resigned not long afterward, in a raft of restructuring measures prompted by the losses the company had suffered. Other measures that were di...