Since December, a rash of hacks have hit retailers, a major bank, and even a gourmet sandwich chain. Target, Home Depot, JP Morgan Chase, and Jimmy John had complex malware unleashed into their systems. Over 100 million customers saw their credit cards boosted by cyber thieves, along with home addresses, Social Security numbers, and other personal data. Much of the card information ended up for sale on cyber black markets like Rescator.cc.
Indeed, cyber researchers have seen a sea change in the potency of malware over the last five years. Gone are the days when 56-bit or 128-bit encryption was enough to defend corporate firewalls against hackers who launched frontal assaults. Now, cyber sleuths say the complexities of new malware means viruses are entering through vulnerable back doors, coursing undetected through system networks for months at a time, giving the thieves plenty of time to steal customer and corporate data.
“It’s war,” said Chief Technology Officer Andrew Rolfe of Authentify, a Chicago-based cyber security company that specializes in user authentication protection. “And it’s a war that is going to continue for some time.”
“Hackers clearly have the upper hand on retailers. Not only because retailers aren’t being proactive about security, but worse, they’re not even being reactive to put the right safeguards in place,” said Eric Chiu, President and co-founder of cloud security outfit Hytrust.
“We’re seeing essentially the same types of breaches happening over and over at an alarming rate,” he said. “Most of these breaches involve insider threats, where an attacker is able to use advanced techniques, or APTs, including social engineering and phishing, to steal credentials and gain access to company networks.”
Rolfe, who studies breaches closely, agrees. He told VentureBeat that today’s attacks are multi-layered, meaning the damage comes in stages. It may start with a phishing scam that gets the hacker entry into company email servers. This gives the hacker a road map of the system architecture. Finally, using remote commands, the hacker can direct the malware to begin vacuuming customer data, like credit card numbers.
“The skill set of the hackers is evident in the source code. 60 to 70 percent of malware is copied from existing strains. Where the creativity lies now is in the masking and hiding of the malware within the systems, that often can’t detect it. The malware is constantly being adjusted in order to stay ahead,” Rolfe said.
Indeed, the hackers, likely operating in Russia and Ukraine, at least in the cases of Target and Home Depot, have more than enough time to study their targets before launching their attacks. Using Google search, hackers can discover what kind of system architecture they’re up against and what code is underwriting it. And they practice, again and again, without time constraints, until satisfied they have what it takes to crack the encryption.
Bryan Kenyon is the chief tech strategist for McAfee, the anti-virus company owned by Intel and based in Silicon Valley. He makes his living thinking about methodology to thwart hackers who see targets like big dollar signs.
“If you go back 10 years, nobody thought of putting a firewall in front of a manufacturing device. I will tell you that while the malware may not always be sophisticated, [the hackers’] approach, and understanding of their targets, is. It’s more sophisticated than we’ve ever seen before, ” Kenyon said.
“The criminals understand what protection is running on that system, and they design [their malware] to evade it. So your normal controls aren’t seeing it. The traditional controls used for PCs, like anti-virus, aren’t enough. I don’t think it’s the retailers doing wrong. But we’re not dealing with the normal cash registers you and I grew up with,” he said.
In June, hackers thought to be operating in Russia penetrated the data centers at JP Morgan Chase & Co and vacuumed troves of credit card numbers and personal customer information for two months until an internal security audit discovered it. The attack was done frontally, that is, a likely phishing scam that gave the cyber thugs entry behind the firewalls of the company through their websites once employees simply clicked a link in an email.
The suspected Russian connection bears watching. That’s because security experts and intelligence officials believe Russian government agencies have at least an indirect hand in the attacks. Perhaps as retribution against American-led sanctions placed on Putin and company for their military foray into Ukraine over the summer. Relations between the U.S. and Russia are at their lowest point since the Cold War ended in 1989.
Either way, the hits keep coming, and each bit of malware is growing more powerful and stealthy than the one preceding it. And because most of the security protocols companies use aren’t actively searching for signs of an attack, their security teams are being caught flat footed. With devastating results.
“This is not new protocols, new encryption, it’s all the same stuff we’re using everywhere else. It’s just our detection systems aren’t looking where the bad guys are operating. And when we are looking, we’re not looking for the right things. If they know what we’re looking for, they are not going to leave traces where we can find them,” said Synack CTO Mark Kuhr, who spent three years hacking cyphers for the National Security Agency before starting his own Google Ventures-backed security play.
As forensic examiners were still cleaning up the mess at JP Morgan, tallying the carnage, a press release from retailer Home Depot dropped on September 2. It was scant on details, and in it, a press spokesperson, Paula Drake, declared that cyber investigators, including the Secret Service and Symantec, were looking into a possible breach of their systems. The release stated only that an investigation was underway. The release sent to reporters that day read in part:
“At this point, I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further. We will provide further information as soon as possible.”
Incredibly, despite the army of investigators poring over code, the company too eight days to admit it had been the victim of a serious breach. On September 8, as the Atlanta-based home improvement chain sweated bullets and fielded an increasing chorus of calls by reporters, another release dropped. It lacked technical details of the hit and who may have been behind it, but it did urge anybody who had shopped at one of the chain’s U.S. or Canadian 2,200 outlets to scrutinize their credit cards for fraudulent activity.
It later turned out that Home Depot’s breach had occurred in April. It was only when September rolled around that banking partners began to alert the company that cyber criminals were dumping millions of credit cards traced to the retailer on the black market.
Again, a press release finally admitted what many in the cyber security community had already suspected for days:
“The Home Depot today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores.”
In the end, Home Depot admitted that 56 million customer credit cards had been stolen — the biggest breach ever against an American retailer.
Malware doesn’t discriminate
And to illustrate how malware doesn’t discriminate, executives of security companies in the Bay Area came forth and said they too, had been victims of the Home Depot breach. In fact, when I recently spoke to Malwarebytes Chief Executive Marcin Kleczynski, he was busy canceling a credit card he’d used at the retailer.
For Kuhr, the former NSA crypto hack, Home Depot was proof that security at these companies was asleep at the switch. Buried behind firewalls and not looking outside. Many called out Home Depot Chief Frank Blake for not getting in front of the scandal.
In the end, cyber experts said, it didn’t matter. The damage was done. And, as it turns out, Blake was retiring from Home Depot November 1 anyway.
“You need to think differently. Just having a traditional security program where you audit the organization once a quarter and have the consultant come in and do his thing just doesn’t work anymore,” Kuhr said. “That’s just old school.”