Target Post Mortem: Exposure of the Soft Underbelly of Point of Sale Systems

January 22, 2014
No Comment

By WayneWheeles

Editor’s note: Wayne Wheeles has established a fantastic reputation as a pioneer in applying big data solutions to enterprise cyber security mission needs. -bg

Much like the Lufthansa heist of 1978, the recent Target data breach has captured the attention of the American people; focusing them on the incredible threat potential posed by cybercrime. It always seems to take some form of galvanizing event such as this to focus attention on the point of service (POS) technologies and associated risk. These moments do not last long so it is imperative that the “teachable moment” is not lost and that lessons are learned by all retailers big and small.

Some limited details are starting to emerge related to the Target data breach. As always these articles represent my opinions and research; I will attempt to tie some of the different threads that have emerged related to the data breach that occurred in late 2013.

In thread one, the victim organization recently performed and infrastructure refresh which moved to a two servers per store. These two Microsoft servers provided a platform for managing point of sales (registers/scanners) and inventory management connect to a central hub. Each night, software updates propagate from upstream data centers out to stores and down to each device in the store. This update cycle occurs at night so that there is no interruption of the business cycle during the day. There appear to be no “on-hand” IT personnel working at each store; these services are provided by a local external service provider.

In thread two, we are introduced to the potential culprit: Kaptoxa which is a purpose built form of malware for targeting POS systems. Kaptoxa is a form of malware classified as a memory scraper which retrieves magnetic strip data (credit card/debit card, track 1, track 2) while it is resident on a POS system (card reader) memory which based on my understanding is not encrypted until persist (write/save). The collected data is shared via a temporary NetBIOS share to another compromised machine which performs the exfiltration multiple times a day via FTP. To recap Kaptoxa:  propagates, infects, collects, packages and finally transmits collected data. Newer variants of Kaptoxa are tailored to avoid detection by anti-virus software.

Bringing the threads together, there remains some mystery remaining regarding the deployment stage of the Kaptoxa Trojan into the victim network. This detail will be revealed in time as the investigation moves forward. The current speculation seems to focus on the potential of an infected update being deployed from the central hub outlined in thread one down to the POS systems in the stores. When cards were scanned at the stores, Kaptoxa captured both track 1 and track 2 data; which was stored, shared and then ex-filtrated. A total of over 10G of information was ex-filtrated over a two week period.


11/27 – Kaptoxa is in place on infected platforms; begins collection

12/2 – 12/16 Kaptoxa performs exfiltration using FTP

12/2 – 12/16 Attackers utilize Virtual Private Server (VPS) to download information

12/15 – Victim identifies malware on POS systems

12/18 – Investigation begins, Kaptoxa is identified

The breadth and planning and execution of this attack demonstrate an incredible degree of sophistication and choreography. As further details emerge, I will write additional articles that focus on lessons learned and potential proactive measures that organizations both large and small can implement to prevent these types of issues in the future.


Please note that my views are my own and not that of my employer or clients; I perform work as an analytic, modeling and services developer for Syntasa ( which is an awesome firm. Syntasa is the industry leader in the area of Decision Science as a Service; specializing in derivative data products, statistical models, streaming models, analytics and enabling platforms. Follow us on twitter at @SYNTASACO and me at @WayneWheeles