Sophisticated methods that can dodge detection typically reserved for specific companies in targeted attacks, say experts

Traditional security defenses that would have failed against sophisticated attacks like the one against Target are still necessary in protecting small businesses, experts say.

[Rising impact of Target breach indicates deeper hack into systems]

The malware used in the Target attack was built to avoid detection by anti-virus software and in fact eluded discovery by the more than 40 AV tools found on the site virustotal.com, the security blog KrebsonSecurity reported.

Such levels of sophistication used in attacks targeted at specific companies are unlikely to be used against small retailers, which need to build defenses against run-of-the-mill attacks against PCs.

Those attacks start with emails carrying malware or links to malicious websites. Once a system is compromised, the malware will typically look to steal credentials for online banking sites.

“The Targets of the world are going to be hit with customized malware that security software by and large won’t detect using traditional methods,” Christopher Budd, global threat communications manager for Trend Micro, said. “A small, medium-sized business will likely be targeted with something off-the-shelf that, in most cases, is well-known.”

In general, small retailers do not use POS devices, but instead use scanners connected directly to a card processor’s network. As a result, smaller retailers are more likely to be victims of credit-card “skimming attacks” in which special hardware is used to grab data before it gets sent to the network, Jason Fredrickson, senior director of application development at Guidance Software, said.

“I’d probably be more concerned about restaurants than small retailers, because more restaurants have POS systems,” Fredrickson said.

In the case of restaurants, the attacker is more likely to be an insider stealing credit-card information.

For small retailers and businesses, multiple layers of traditional security software are recommended, starting with applications that examine the content of email for spam and phishing attacks. Other defenses would include anti-virus software and applications that prevent or warn computer users when they are clicking on a link that heads to a known malicious website.

The malware used against Target stole the financial and personal information of 110 million customers. The malicious code grabbed the data from the memory of Target’s point-of-sale devices as soon as customers swiped their debit or credit card. The theft occurred during the holiday shopping season, the busiest time for retailers.

The malware used in the attack is called BlackPOS, which is crude, but effective, crimeware, according to KrebsonSecurity. Criminals apparently compromised a Target Web server first and then managed to get the malware onto POS devices.

[CSO’s guide to the Target data breach]

The malicious code created a server on Target’s network for storing data before transmitting it to a virtual private server in Russia, according to security vendor Seculert. A total of 11 GB of information was transferred during a two-week period starting Dec. 2.