Data Breaches: What Retailers Need to Know About Malware

By Mark McCurley, IDT911 Consulting

And the hits just keep on coming. Retailers across the country are falling prey to cyber attacks, with one of the latest announcements coming from Michaels and its subsidiary Aaron Brothers.

Based on the information filtering out from Michaels, it appears the firm was a victim of an advanced persistent threat (APT) attack. APTs are based on malware that is specially coded by hackers to breach a specific target. The clincher is that APTs are also designed to be largely undetectable by most anti-malware applications. Even if the threat is recognized, it may be difficult to locate or remove.

In the case of the attack on Michaels, the malware is estimated to have been active in the system for about eight months. Consumers that shopped at Michaels between May 8, 2013, and Jan. 27, 2014, or at Aaron Brothers between June 26, 2013, and Feb. 27, 2014, are being advised to cancel their debit or credit cards and have their banks reissue new ones as a precautionary measure. In addition, victims have been encouraged to take steps to monitor their identity and credit accounts for potential fraud.

There are multiple methods hackers can use to transfer this type of malicious code to its target, including spear phishing e-mails that appear legitimate and trick an employee at the retailer into downloading the code into the network. Specifically how the attackers were able to successfully inject their malicious code into Michaels’s systems is unknown at this point.

Flashbacks to other hacks
For many in the retail sector, it’s nearly impossible to learn the details of the Michaels attack without having flashbacks of other recent incidents. Consider the massive Target breach in late 2013. Malware was the culprit in that incident as well, with the retailer’s point-of-sale (POS) data being funneled out through a compromised vendor connection.

The Target attack lasted 19 days — which seems to pale in comparison to the duration of the Michaels breach — but it occurred during the holiday season when registers were ringing up purchases at a frantic pace. The scope was tremendous, with Target estimating up to 70 million individuals may have been affected.

Neiman Marcus also suffered a data breach in 2013. For just over three months hackers siphoned off POS data using malicious code inserted into the retailer’s systems. The sophisticated attack is still being investigated, but so far little has been revealed about how the hackers gained entry to the system and precisely when much of the data was removed.

Why the hack could happen again
The first lesson retailers should take from the growing list of POS-based data breaches is that it could happen again. Whatever the root cause of these hacks, many retailers are scrambling to bolster their network security defenses by implementing additional layers of advanced threat detection systems. These can potentially detect previously unknown malware such as that used to steal data from Michaels and others.

Unfortunately, even when malicious code is detected, retailers aren’t always able to eradicate it quickly or completely. Tens of thousands of alerts were triggered during the Neiman Marcus breach, but the level of automation and the sheer volume of administrative alerts flowing through the systems made actionable detection difficult.

Cyber thieves are also getting better at crafting sneaky code and finding security weaknesses to exploit. In the case of Neiman Marcus, systems were deleting instances of the malware but the hackers found a way to quickly reload it. A compromised server was their pathway into the network. It provided them with a remote door to the inside of the systems that held valuable data as well as a route around many of the security measures that existed.
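The delete-and-reload pattern described above is one signal that can be pulled out of a flood of routine anti-malware alerts: the same detection being quarantined again and again on the same host within a short window. The following is an added example written for this article, not code from the author or any retailer; it runs over a few constructed endpoint alert lines in an assumed whitespace-separated format (timestamp, host, action, detection name) and flags hosts whose repeat quarantines exceed a threshold inside a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert lines (assumed format: ISO timestamp, host,
# action, detection name). Not taken from the article or any real incident.
SAMPLE_EVENTS = """\
2013-08-01T02:10:00 POS-REG-01 quarantined Trojan.POS.Scraper
2013-08-01T02:15:00 POS-REG-01 quarantined Trojan.POS.Scraper
2013-08-01T03:40:00 POS-REG-01 quarantined Trojan.POS.Scraper
2013-08-01T04:05:00 POS-REG-01 quarantined Trojan.POS.Scraper
2013-08-01T02:12:00 POS-REG-07 quarantined PUA.Toolbar
2013-08-01T09:00:00 SVR-FILE-02 quarantined Trojan.POS.Scraper
2013-08-02T09:00:00 SVR-FILE-02 quarantined Trojan.POS.Scraper
"""


def parse_events(text):
    """Parse alert lines into (timestamp, host, action, detection) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, name = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, action, name))
    return events


def find_reinfections(events, window_hours=6, threshold=3):
    """Return {(host, detection): count} for every host where at least
    `threshold` quarantines of the same detection fall inside any
    `window_hours` span. Repeated removal of the same thing on the same
    machine suggests the malware is being reloaded, not cleaned up."""
    by_key = defaultdict(list)
    for ts, host, action, name in events:
        if action == "quarantined":
            by_key[(host, name)].append(ts)
    window = timedelta(hours=window_hours)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_hours.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (host, name), count in find_reinfections(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {name} quarantined {count} times within 6h, likely being reloaded")
```

In this sample only POS-REG-01 is flagged; the file server's two quarantines a day apart and the single toolbar hit stay in the noise, which is the triage the article says was missing.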

What retailers can do to mitigate risks and bolster security
Hackers are working to root out and take advantage of every security gap in retailers’ POS systems and networks. They’re actively targeting weak administrative passwords, vulnerable infrastructure components, unsecured (but trusted) external connections, and old-fashioned social engineering. Increasingly clever methods are being employed to install malware, but in many cases they’re unnecessary. Weak spots in the armor often provide all the invitation hackers need.

There are steps retailers can take right now to improve security around POS systems and associated networks, and most are inexpensive and relatively easy to implement.

• Require strong passwords or multi-factor authentication for POS administrative access and accounts.
• Restrict outside access to POS systems wherever possible.
• Completely disallow remote access unless it’s absolutely necessary.
• Update all POS software applications with the latest security patches.

Mark McCurley, senior information security advisor at IDT911 Consulting, has more than 24 years of experience in information technology and security. During the last decade, his career has centered on information security, risk management and compliance for customer information systems that are required to adhere to commercial, federal and DoD regulatory compliance mandates and directives. He has developed security programs and has been directly responsible for ensuring customer information systems successfully passed IT security and compliance audits. Mark most recently worked in a senior role for Sony where he was responsible for their vulnerability management and risk assessments platform. He can be reached at
