The Target Breach: Another PR blow for antivirus software

POS malware used for Target attack whistled past endpoint security

I posted a blog earlier this week on the endpoint security market transition that ESG anticipates in 2014. ESG research already indicates that change is in the air --62% of security professionals working at enterprise organizations (i.e. more than 1,000 employees) believe that traditional endpoint security software is not effective for detecting zero-day and/or polymorphic malware commonly used as part of targeted attacks today. Unfortunately for AV vendors, this perception will likely take another hit as more details about the Target breach are exposed. Why? Early information from Target and analysis from security insiders like Brian Krebs reveals: • A cybersecurity service provider named iSight indicates that the malware harvested card data in memory (i.e. “memory scraping”) at the instance when the cards were swiped as part of the authorization process. • The actual malware was probably customized to attack Target’s Windows-based POS systems in its US stores. The malware may have been based on (or similar to) a piece of code called, “BlackPOS” which probably comes from Russian or Ukrainian cybercriminals. It has now been dubbed “reedum” by Symantec researchers (as well as the POSRAM Trojan, Dexter, and vSkimmer by others). • It appears like similar attacks on POS systems took place throughout 2013, albeit at a lower scale than the Target incident. In fact, BlackPOS may have been marketed as early as March 2013 on cybercrime sites for $1800 (basic) or $2300 (feature-rich version). • Some reports indicate that NONE of the popular antivirus software programs are capable of detecting the POS malware. This in spite of the fact that the industry has known about similar malware for months or more. Allow me to repeat this: The industry knew about similar types of attacks and even identified comparable malware, but security software installed on POS systems (and most of our Windows PCs) failed to detect or block the malware from executing. We all know what happened to Target and as many as 110 million Americans as a result. Fair or not, stories like the Target breach can only exacerbate the perception that AV software doesn’t work anymore. So if Target used some type of application controls (from Bit9, Kaspersky, McAfee, Viewfinity, etc.) or advanced malware detection/prevention (from Cylance, Malwarebytes, Triumfant, etc.) it may have had a better fighting chance. The year 2014 isn’t even a month old but the pressure on the AV industry has already increased precipitously. Stay tuned, as the story could become dicier at anytime. ESG endpoint security guru Kyle Prigmore and I are monitoring events and will continue to report on what we learn.

Cybersecurity market research: Top 15 statistics for 2017