Thursday, January 16, 2014

Target Data Breach Unveiled

By Cesar Ortiz

Trojan.POSRAM Identified as the RAM Scraper in the KAPTOXA Operation That Infected Target Stores

The US government, in an effort to warn other point-of-sale merchants of the danger of further attacks that would produce another wave of "Target-like" customer victims, has released an internal document giving detailed insight into the methodology used by the attackers in the Target data breach. The consulting firm iSIGHT Partners was one of the contracted forensics investigators. The US Department of Homeland Security released to merchants a joint DHS, USSS, FS-ISAC and iSIGHT report titled "KAPTOXA POS Report", which gives a look at the methods and tools used to hack Target. Hopefully, merchants will take notice and immediately take preventive measures.

The methodology used at Target was almost exactly as I predicted in our original exclusive December 26, 2013 "The Target Stores Data Breach" Yahoo! article, right after the hack. Journalist Brian Krebs was also right on target when he mentioned at that time that the hack might have been based on a known trojan called BlackPOS that is readily detected by all anti-virus software. The modified version of the BlackPOS trojan used in the Target breach is named Trojan.POSRAM; this derivative has highly sophisticated stealth features that hide it to prevent detection. POSRAM is believed to have originated in Russia.

When we compile the information given in the report and in the media, especially a Wired article titled "The Malware that Duped Target Have Been Found", we come close to reconstructing the order of events in the Target data breach. First, the merchant's network is infiltrated with the malware, possibly remotely, by exploiting an opening in the system or through a simple social-engineering ploy. The malware is a data-scraping tool that takes data from the memory of the point-of-sale (POS) terminal, what we know as the cash register. The tool resides in the system and stores the stolen data on the merchant's own servers. It monitors the memory of the running processes "pos.exe" and "PosW32.exe"; that memory space includes the magnetic-stripe data of your bank card. In the Target breach it lay dormant for six days; that inactivity period is excellent for avoiding detection.

The malware residing in the merchant's network creates a connection to an off-premises server that receives data from, and transmits data to, the victim server. The outside server can be located anywhere in the world and queries the victim server at specific time intervals; this one was located in Russia, and some of the malicious scripts used contain references in Russian. If the local merchant time is, for example, between 10 AM and 5 PM, as in the old BlackPOS tool, the data is deposited in a temporary NetBIOS share folder named "host" that the malware creates. This share folder is then accessed using the File Transfer Protocol (FTP). Many more technical details were found by the media within a few hours of the release of the KAPTOXA POS Report. All the details follow the same pattern; surprisingly, modified known exploits were used at every stage.
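The staging-and-upload pattern described above (a register creating its own share, then FTP to an outside address inside the business-hours window) is something a merchant can hunt for in its own logs. The following is an added detection example, not code from the report or from this post; the log format, host names, addresses and the "POS-" naming convention are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample log, one event per line: "<date> <time> <host> <action> <detail>".
# Hosts, IPs and share names are invented for the example.
SAMPLE_LOG = """\
2013-12-02 10:15:03 POS-REG-17 share_created \\\\POS-REG-17\\host
2013-12-02 10:15:09 POS-REG-17 smb_write \\\\POS-REG-17\\host\\dump.dat 48211
2013-12-02 10:20:44 SRV-FILE-01 ftp_connect 203.0.113.45:21
2013-12-02 19:05:00 POS-REG-03 share_created \\\\POS-REG-03\\backup
2013-12-03 09:00:12 SRV-FILE-01 ftp_connect 10.1.1.5:21
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")
POS_HOST_RE = re.compile(r"^POS-", re.IGNORECASE)      # assumed naming of register hosts
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")     # assumed merchant address space

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, action, detail = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "action": action, "detail": detail}

def in_business_window(ts, start_hour=10, end_hour=17):
    # BlackPOS-style upload window: local time between 10 AM and 5 PM.
    return start_hour <= ts.hour < end_hour

def find_alerts(log_text):
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # A register creating its own SMB share is the staging step described above.
        if ev["action"] == "share_created" and POS_HOST_RE.match(ev["host"]):
            alerts.append(("pos_share_created", ev["host"], ev["detail"]))
        # FTP to an outside address during the upload window is the exfiltration step.
        if (ev["action"] == "ftp_connect"
                and not ev["detail"].startswith(INTERNAL_PREFIXES)
                and in_business_window(ev["ts"])):
            alerts.append(("external_ftp_in_window", ev["host"], ev["detail"]))
    return alerts
```

Running `find_alerts(SAMPLE_LOG)` flags the two register shares and the daytime FTP session to 203.0.113.45, and ignores the internal FTP connection.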

KAPTOXA is the name investigators gave to the specific operation, its methodology and its collection of hacking tools, in the Target data breach. Nothing in the KAPTOXA operation is out of the ordinary; the other tools used in the hack are probably already known in the trade. It is not that the criminals used super-sophisticated malware; it is the way and the timing in which the tools were used. The fact that known hacking tools were used will open the door to a wave of lawsuits claiming that the merchants could have prevented the hack; this is one of the reasons the government has taken the unprecedented step of releasing some of the facts and data about the crime before even finishing the investigation. Merchants should verify their systems immediately. Victimized stores should consider making their breach public as soon as possible. The longer the notification of affected customers is delayed, the higher the lawsuit figures will be and the more damage is done to the customer.

Two individuals from Mexico were arrested in McAllen, Texas with ninety-six fraudulent bank cards in their possession. The suspects had used bank cards with account information matching cards stolen at Target from South Texas residents. After the shopping spree, the suspects left for Mexico. They then re-entered the US, possibly for another shopping spree, and were detained upon arrival. This event confirms that the stolen data is sold in the illicit market by region. Criminals are maximizing the use of the stolen data by being very creative. Regardless of Target's efforts to downplay the impact, a customer can become a victim of identity theft with the specific data stolen at Target.


Friday, December 27, 2013

Read my article "The Target Stores Data Breach" in Yahoo!

Due to an exclusive worldwide distribution rights agreement with Yahoo!, we are unable to publish the article above anywhere else. Please click on the article title below to read it on Yahoo!. We will continue publishing all our non-exclusive articles on this blog. When we publish an exclusive-rights article elsewhere, we will include a link here.

A Provocative View of the Event From an Industry Outsider

The Target Stores Data Breach



Comment by Cesar Ortiz, the article author: Looks like I was right on the money when I categorized the Target Stores Data Breach as a "very serious criminal monumental detrimental event" in my Yahoo! article above. Now, several weeks after my article was published, we are finding out that customer names, mailing addresses, phone numbers and email addresses were also compromised and that the impacted-customer figure is now 70 million. Now more than ever, contact your bank if you used any payment method other than cash at Target during the time frame, and if you did, beware of postal letters, emails, phone calls and IMs, even if they don't mention Target.

Friday, February 17, 2012

How Google Tracks Apple iPhone Users Browsing

By Cesar Ortiz

Google and other advertising companies have been following iPhone and Apple users as they browse the web, even though Apple's Safari web browser is set to block such tracking by default. By default, Safari accepts cookies only from sites that a user visits; these cookies can help the site retain logins or other information. Safari generally blocks cookies that come from elsewhere, but Google, Vibrant, MIG, and PointRoll circumvented Safari's cookie blocking, according to tweets by Stanford researcher Jonathan Mayer and his subsequent Wall Street Journal article, and to related research done by the Wall Street Journal staff.

When a user "googles" content related to sites that carry Google-generated advertising and clicks on anything related in the search engine results, a user-tracking sequence starts. As long as a user clicks on the results for any reason, Google detects the clicks using the code embedded in its "+1" button in the browser.


In software development terminology, the word container describes any component that can contain other components. Examples of containers include Java applets, frames and windows. Some are visible, others are not. In our scenario it is a frame with an invisible form to be filled out. Google's invisible container is an "iframe" (inline frame).


This iframe structure is very common in the industry and allows content from one web site to be embedded in another. As a general rule, iframes are visible windows or ads. As explained above, in Google's scenario the iframe is created as an invisible container with a "form to be filled out". The invisible iframe received on the user's computer sent a flag to Google that identified the user as an Apple Safari user on a PC, laptop, iPhone or iPod Touch. This is not usual: when someone wants you to fill out a form, it is sent as a visible form, of course. But this technique tricked Safari.


When Google received the ID flag identifying Safari as the browser, it sent the invisible form to the user's device. The user did not see the form, let alone fill it out (it was blank anyway), but Google's code submitted the blank invisible form from the user's Safari browser nevertheless. Once the form was submitted, Safari behaved as though the user had filled something out intentionally, and the browser allowed Google to put a cookie on the user's machine. One cookie, in an invisible form, was sent back blank and the other invisible cookie form carried user traffic data capture code (not personal data). The cookies were temporary; the blank one was set to expire in 12 hours, and the other expired in 24 hours. The end result is that users wind up visiting sites that they did not select.
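The core of the problem is the cookie-acceptance rule itself: under the old behaviour a form submission from inside a frame counted as user interaction with the frame's origin. The following added example (not Safari's code and not from this post) models that rule beside the corrected one, using an invented publisher origin and ad origin, and walks the hidden-iframe scenario through both.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    origin: str                     # origin answering with Set-Cookie (e.g. the ad server)
    top_level: str                  # origin of the page the user actually navigated to
    form_submitted: bool = False    # request produced by a form submission inside the frame

@dataclass
class Browser:
    visited: set = field(default_factory=set)    # origins the user navigated to directly
    cookies: dict = field(default_factory=dict)  # origin -> {name: value}

    def navigate(self, origin):
        self.visited.add(origin)

def legacy_policy(browser, req):
    """Old rule as described above: third-party cookies are blocked unless the
    request looks like user interaction, and a form submission counted as such."""
    first_party = req.origin == req.top_level or req.origin in browser.visited
    return first_party or req.form_submitted

def patched_policy(browser, req):
    """Corrected rule: only a real navigation makes an origin first party;
    an auto-submitted form inside a hidden iframe no longer counts."""
    return req.origin == req.top_level or req.origin in browser.visited

def try_set_cookie(browser, req, name, value, policy):
    if not policy(browser, req):
        return False
    browser.cookies.setdefault(req.origin, {})[name] = value
    return True

def hidden_iframe_scenario(policy):
    """User visits a publisher page; an ad iframe from a never-visited ad origin
    first loads normally, then auto-submits a blank form. Returns whether the
    cookie was accepted on the plain load, after the form, and whether it is stored."""
    b = Browser()
    b.navigate("https://publisher.example")          # constructed origins
    ad = Request(origin="https://ads.example", top_level="https://publisher.example")
    plain = try_set_cookie(b, ad, "id", "abc", policy)
    auto = Request(origin="https://ads.example", top_level="https://publisher.example",
                   form_submitted=True)
    after_form = try_set_cookie(b, auto, "id", "abc", policy)
    return plain, after_form, "https://ads.example" in b.cookies
```

`hidden_iframe_scenario(legacy_policy)` returns `(False, True, True)`: the plain ad load is blocked, but the auto-submitted form slips the cookie through; with `patched_policy` all three are `False`.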


Google's Rachel Whetstone said the temporary cookie served to create a "temporary communication link between Safari browsers and Google's servers." She said "the goal was to ensure that the information passing between the user's Safari browser and Google's servers was anonymous–effectively creating a barrier between a user's personal information and the web content they browse". Google said it tried to design the +1 ad system to protect people's privacy and did not anticipate that it would enable tracking cookies to be placed on users' computers.


An Apple spokesman said: "We are aware that some third parties are circumventing Safari's privacy features and we are working to put a stop to it." An update to Safari has closed the loophole that allowed cookies to be set after the automatic submission of invisible forms. Future public versions of Safari could incorporate that update.