Target * POS Attack

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Target * POS Attack

Post by Royal » Fri Jan 17, 2014 6:44 am

Point-of-sale malware infecting Target found hiding in plain sight
KrebsOnSecurity's Brian Krebs uncovers "memory-scraping" malware on public site.


Independent security journalist Brian Krebs has uncovered important new details about the hack that compromised as many as 110 million Target customers, including the malware that appears to have infected point-of-sale systems and the way attackers first broke in.

According to a post published Wednesday to KrebsOnSecurity, point-of-sale (POS) malware was uploaded to Symantec-owned ThreatExpert.com on December 18, the same day that Krebs broke the news of the massive Target breach. An unidentified source told Krebs that the Windows share point name "ttcopscli3acs" matches the sample analyzed by the malware scanning website. The thieves used the user name "Best1_user" to log in and download stolen card data. Their password was "BackupU$r".

The class of malware identified by Krebs is often referred to as a memory scraper, because it monitors the computer memory of POS terminals used by retailers. The malware searches for credit card data before it has been encrypted and sent to remote payment processors. The malware then "scrapes" the plain-text entries and dumps them into a database.

http://arstechnica.com/security/2014/01 ... ain-sight/
Their password was "BackupU$r"
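The memory-scraping behaviour the article describes is the same pattern an incident responder or PCI assessor looks for when checking whether cleartext track data is resident in a terminal's memory. As an added example (not from the article or this thread), this Python scanner walks a constructed byte buffer standing in for a POS memory capture, matches the Track 2 layout, discards matches that fail the Luhn check, and reports only masked PANs.

```python
import re
from dataclasses import dataclass

# Track 2 layout on a magnetic stripe, which is what a memory scraper hunts for
# before the terminal encrypts it: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    offset: int       # where in the capture the track record sits
    masked_pan: str   # first 6 + last 4 only, the PCI-permitted display form
    expiry: str       # MM/YY


def scan_for_track2(capture: bytes) -> list[Finding]:
    """Return every Luhn-valid Track 2 record found in a memory capture."""
    findings = []
    for m in TRACK2_RE.finditer(capture):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # looks like a track record but the check digit is wrong
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        expiry = f"{m.group(3).decode()}/{m.group(2).decode()}"
        findings.append(Finding(m.start(), masked, expiry))
    return findings


# Constructed stand-in for a POS process memory capture (not real data):
# two well-known test PANs plus one decoy whose check digit is wrong.
SAMPLE_CAPTURE = (
    b"\x00\x00POS txn log\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00junk\x00;4111111111111112=2512101?"
    b"\x00;5555555555554444=2603201?\x00"
)

if __name__ == "__main__":
    for f in scan_for_track2(SAMPLE_CAPTURE):
        print(f"offset {f.offset}: {f.masked_pan} exp {f.expiry}")
```

A clean result on a capture taken while a card is being swiped is the evidence that point-to-point encryption at the reader is actually working; any hit means this class of malware would have something to scrape.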

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Target * POS Attack

Post by Pigeon » Fri Jan 17, 2014 8:52 pm

Someone got a conscience or a payday.

"All your numbers belong us" - Best1_user

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Target * POS Attack

Post by Pigeon » Thu Jan 30, 2014 2:13 pm

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”

This knowledge base article (PDF) published by BMC explains the Best1_user account is used by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”

“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt.

Krebs went on to quote a part of the BMC article that said:

Perform Technical Support does not have the password to this account and this password has not been released by Perform Development. Knowing the password to the account should not be important as you cannot log into the machine using this account. The password is known internally and used internally by the Perform agent to assume the identity of the “Best1_user” account.

Krebs asked BMC if "BackupU$r" is the password that controls access to the "Best1_user" account. Company representatives have yet to provide an answer.

Link

Fat cats screw up.

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: Target * POS Attack

Post by Royal » Fri Jan 31, 2014 3:11 am

Holy shit.

I knew something was odd with that password.

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Target * POS Attack

Post by Pigeon » Fri Jan 31, 2014 2:10 pm

See how this works. BMC has made a few people lots of money, in the capitalist tradition. Of course the responsibility for their flaw is passed on to someone else.

Target, are you not glad you selected super-mega, fast talking, software people for your project? Nearly on parallel with Accidenture.