Target breach takes shape: Hints at malware and hackers

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
By Devin Coldewey
A customer uses the credit card scanner at a Target store; the software running on this POS system was compromised by hackers.Joe Raedle / Getty Images

The massive security breach at Target that some are calling the biggest in history is slowly emerging from the mystery with which the company has been careful to shroud it. Security blogs are piecing together a picture of the hackers and the software they used to swipe data from tens of millions of customers — but much is still unknown.

According to information posted by Brian Krebs, the security expert who broke the story of the breach to begin with, the attack appears to have been done with malware for sale on a forum frequented by hackers. This software sits inside the point of service (POS) device and logs every credit card going through. It's not an uncommon type of attack, but the scale is unprecedented.

Krebs cites sources "close to the Target investigation" as saying that the hackers compromised the security of a Target web server, then somehow parlayed that breach into access to the company's internal network — from which they could distribute the malware to all vulnerable POS devices. Further research by Seculert puts dates on when machines were first infected, and CrowdStrike uncovered records indicating someone at Target noticed the malware as early as Dec. 11.

An aging, Windows XP Embedded-based POS operating system with insufficient virus detection capabilities may be at fault, but the malware, a variant of a known bit of card-skimming software called BlackPOS, appears to have been carefully modified to avoid detection by existing security software.

The hackers then had a network of compromised POS units logging credit cards all day, and could retrieve that data from the Target internal network whenever it was convenient to them. In a scan of Target's systems uploaded to (and subsequently removed from) security site, the hackers' login name and password ("Best1_user" and "BackupU$r") can even be seen.

Target may not be sharing the rest of the details publicly, but they are cooperating with the U.S. government, which according to a Reuters report sent out a 16-page document Thursday to other retailers describing the techniques used in the breach.

And who are these masked men? Security Affairs got hold of a video demonstrating how to operate the malware in question — no doubt intended for users. But the hacker hosting it briefly and irresponsibly reveals a webpage in the background showing what is presumed to be his profile on VKontacte, Russia's biggest social network.

This surprising lapse of operational security has led to the identification of, if not the hackers themselves, then at least their nationalities and some pseudonyms under which they are operating. They appear to be Russian and Ukranian, and the leader goes by the name "Wagner Richard" — though that may only be a clue that he enjoys the opera.

More details will surely come to light when the government's memo leaks (as such documents often do) and when more forensic analysis has been done on the software used in the hack. Target is also scheduled to testify before Congress in the near future.

If you think you might have been affected, there are a few simple steps you can take to minimize your risk — and since the full extent of the breach is not yet known, it might be best to be proactive.

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is