Case Study: Attack on Target (2013)

Posted by: Professor
Below is a detailed educational analysis of a real cyber attack: the 2013 breach of the US retailer Target. The incident remains one of the most significant in the history of cybersecurity and carding, above all for what it showed about POS system weaknesses, third-party (supply-chain) access and gaps in security monitoring.

🔥 Case Study: Target Attack (2013)

Educational Analysis of a Cyber Attack on POS Systems

📅 Date: November – December 2013 (card harvesting roughly 27 November – 15 December)
📍 Victim: Target Corporation, one of the largest retailers in the US
💻 Scale: about 40 million payment cards and about 70 million customer PII records
💰 Damage: more than $200 million in breach-related expenses (investigation, legal settlements, issuer claims, loss of trust)
🛠️ Attack type: multi-stage, financially motivated intrusion ending in POS RAM-scraping malware (BlackPOS)

🧩 1. General attack scheme

Code:
[1] Vendor Compromise → [2] Target Network Access → [3] POS Discovery and Infection → [4] Card Data Collection → [5] Exfiltration to attacker servers
Card data was harvested for almost three weeks, and although detection systems fired, the intrusion was not stopped in time.

🔍 2. Stage 1: Initial attack vector - supply chain

🎯 First hop: Fazio Mechanical Services

  • A small HVAC (heating, ventilation and air-conditioning) contractor that serviced Target stores.
  • Had remote access to a Target vendor portal used for billing, contract submission and project management.

How the compromise occurred:

  1. The attackers sent a phishing email to a Fazio employee. (The intrusion has never been publicly attributed to a named group; the "FIN7/Carbanak, according to the FBI" claim that circulates is not backed by any public FBI statement.)
  2. The email carried a malicious attachment whose payload was the Citadel password-stealing trojan (a Zeus variant), as reported by Brian Krebs. The much later Orcus RAT, sometimes named in retellings, did not exist in 2013.
  3. Citadel harvested credentials from the infected PC, including the login and password for Target's vendor portal.

🔐 Target's error: a third party whose only business need was invoicing held credentials that could reach Target-facing systems, with no multi-factor authentication (MFA) and no isolation of the vendor portal from the rest of the network.

🔍 3. Stage 2: Penetrating the Target network

What the attackers did:

  • Used the stolen credentials to log into Target's external vendor portal (a web application, not a VPN gateway; exactly how they pivoted from that portal into the internal network was never publicly detailed).
  • Reached the internal network, including the segment where the POS management servers and the registers lived.
  • Conducted reconnaissance:
    • Network scanning (Nmap-style host and port discovery).
    • Search for servers running POS management software.
    • Enumeration of the IP addresses of register terminals.

⚠️ Critical error: POS systems were not effectively isolated. Traffic could flow from vendor-facing and back-office systems to the registers, so a foothold anywhere became a path into the cardholder data environment.

🔍 4. Stage 3: Infecting POS terminals

Malware used: BlackPOS (aka Kaptoxa)

A known POS RAM scraper, sold on underground forums before the attack and customized for Target's environment. Features:
  • A compiled Windows executable installed as a service (not fileless: it wrote the captured data to a local file).
  • Specializes in RAM scraping: reading the memory of the POS process to find magnetic-stripe track data.

How BlackPOS worked:

  1. The attackers placed the malware on a central POS management server.
  2. Using the legitimate software-distribution mechanism, it was pushed to registers in nearly 1,800 stores.
  3. The malware scraped memory while transactions were being processed.

🔎 RAM Scraping: How Data Was Stolen

Register software on the affected architecture held the card data in memory in plaintext between reading the stripe and encrypting it for the payment processor:
Code:
[Card] → [Read] → [Track data in RAM] → [Encryption] → [Send]
BlackPOS:
  • Read the POS process's memory at short intervals.
  • Searched it for Track 1/Track 2 patterns rather than bare PANs. A Track 2 record looks like ;PAN=YYMM<service code>...?, so a pattern such as ;\d{13,19}=\d{4}\d{3} finds it; the often-quoted ^4[0-9]{12,15}$ would match any 13 to 16 digit string, while Visa PANs are 13, 16 or 19 digits.
  • Filtered the hits: removed duplicates and validated each PAN with the Luhn checksum.
  • Saved the track data (PAN, expiration date, service code, and the holder name from Track 1) to a local file.

💡 The card data was in memory in clear text only briefly, but that was enough.
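To make the scraping step concrete, here is an added example (not BlackPOS code and not from the original post) that searches a constructed memory image for Track 2 records, applies the Luhn check and de-duplicates. The memory blob, the process-name fragment and the test PANs are constructed; the Track 2 layout follows ISO/IEC 7813. The same regex and Luhn logic is what a DLP rule or a YARA-style memory scan uses to find card data where it should not be.

```python
"""Added example: Track 2 extraction from a memory image with Luhn filtering.
Not BlackPOS's code. SAMPLE_MEMORY is constructed; PANs are industry test numbers."""
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM<3-digit service code><discretionary data>?
# PAN is 13-19 digits. The trailing '?' is the end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(blob: bytes) -> list:
    """Scan a memory image for Track 2 records, drop Luhn failures and duplicates.
    Returns dicts with pan / expiry / service_code in order of first appearance."""
    seen = set()
    found = []
    for m in TRACK2_RE.finditer(blob):
        pan, exp, svc = (x.decode() for x in m.groups())
        if not luhn_ok(pan):
            continue            # random digit runs fail Luhn about 90% of the time
        if pan in seen:
            continue            # the same card swiped twice is one record
        seen.add(pan)
        found.append({"pan": pan, "expiry": exp, "service_code": svc})
    return found


# Constructed memory blob: two valid test PANs, one Luhn-invalid decoy, one repeat.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe\x00;4111111111111111=25121011234567890?\x00"
    b"junk;1234567890123456=2601101?junk"      # fails Luhn, must be skipped
    b";5500000000000004=2712201?\xff\xff"
    b";4111111111111111=25121011234567890?"      # duplicate of the first record
)

if __name__ == "__main__":
    for rec in scrape_track2(SAMPLE_MEMORY):
        # print masked, as a detection tool would log it
        print(rec["pan"][:6] + "******" + rec["pan"][-4:], rec["expiry"], rec["service_code"])
```

Run as a script it prints the two surviving records in masked form; the decoy and the duplicate never make it past the filters, which is exactly the "filter the data" step the post describes.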

🔍 5. Step 4: Data Exfiltration

Transmission mechanism:

  • Each infected register wrote captured track data to a local file and periodically copied it over SMB (a net use mount of an internal share) to a compromised internal server that served as a staging point.
  • From the staging server the aggregated files were sent out by FTP to external servers under attacker control. The exfiltration was ordinary file transfer that nobody was watching, not DNS tunneling.
  • The drop servers were reportedly located in several countries, including Russia.

Leak volume:

  • About 40 million card records (PAN, expiration date, service code; track data in full).
  • About 70 million customer PII records (name, email, phone, mailing address).
📌 The cards were sold through carding shops (the Rescator stores, which Krebs tied to the breach) for roughly $20–$100 per card.

🔍 6. Why was the attack not stopped?

6.1 The FireEye detection system fired, but nobody acted

  • Target had deployed FireEye malware-detection appliances (a network sandboxing product, not an antivirus), monitored by a contracted team in Bangalore that escalated alerts to the Minneapolis security operations team.
  • The appliances flagged the malware while it was being staged, and the Symantec endpoint product also raised alerts on a server involved in the staging.
  • The alerts were escalated but not acted on, and the FireEye option to automatically delete detected malware had been switched off.

🔔 This is one of the most famous examples of "signals that went unheard".

6.2 No effective correlation or centralized monitoring

  • Logs from registers, internal servers and the network edge were not brought together in one place.
  • No correlation rules existed to catch the obvious anomalies: hundreds of registers writing to one internal share, or an internal server suddenly sending large volumes over FTP to outside addresses.

6.3 No effective network segmentation

  • The attackers moved from vendor-facing and back-office systems to the POS environment without hitting a boundary.
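As an added example, not from the original post or from any Target system: the two correlation rules described in 6.2, run over constructed flow records. The address ranges (registers in 10.50.0.0/16, an internal share host, an external FTP drop) and the byte thresholds are assumptions. The point is that two cheap rules, staged SMB writes from many registers and large outbound FTP from the same host, chain into one high-confidence finding.

```python
"""Added example: the SIEM correlation the post says was missing.
Network ranges, flow records and thresholds are constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

POS_NET = ip_network("10.50.0.0/16")   # assumed register segment
INTERNAL = ip_network("10.0.0.0/8")    # assumed corporate address space
SMB_PORT, FTP_PORT = 445, 21
STAGING_BYTES = 5_000_000              # assumed: SMB bytes from registers to one host that is abnormal
EXFIL_BYTES = 50_000_000               # assumed: outbound FTP volume worth an alert

# Constructed flow records: (src, dst, dport, bytes_out)
FLOWS = [
    ("10.50.12.7", "10.1.2.3", 8443, 1_200),          # register -> POS management server (normal)
    ("10.50.12.7", "10.1.9.9", 445, 3_000_000),       # register -> internal file share (odd)
    ("10.50.33.2", "10.1.9.9", 445, 2_500_000),
    ("10.50.40.1", "10.1.9.9", 445, 1_000_000),
    ("10.1.9.9", "203.0.113.10", 21, 70_000_000),     # share host -> external FTP server
    ("10.1.5.5", "10.1.9.9", 445, 800_000_000),       # IT workstation backup: not a register, ignored
]


def smb_staging_alerts(flows, threshold=STAGING_BYTES):
    """Rule 1: several POS hosts pushing SMB data to one internal host.
    Returns {dst: (distinct register sources, total bytes)} for hosts over threshold."""
    agg = defaultdict(lambda: [set(), 0])
    for src, dst, dport, nbytes in flows:
        if dport == SMB_PORT and ip_address(src) in POS_NET and ip_address(dst) in INTERNAL:
            agg[dst][0].add(src)
            agg[dst][1] += nbytes
    return {d: (len(s), b) for d, (s, b) in agg.items() if b >= threshold and len(s) >= 2}


def exfil_alerts(flows, threshold=EXFIL_BYTES):
    """Rule 2: an internal host sending a large volume over FTP to a non-internal address."""
    agg = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if dport == FTP_PORT and ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            agg[(src, dst)] += nbytes
    return {k: v for k, v in agg.items() if v >= threshold}


def correlate(flows):
    """Chain the rules: a staging host that is also an exfil source is the top-severity finding."""
    staging = smb_staging_alerts(flows)
    exfil = exfil_alerts(flows)
    return sorted({src for (src, _dst) in exfil if src in staging})


if __name__ == "__main__":
    print("staging:", smb_staging_alerts(FLOWS))
    print("exfil:", exfil_alerts(FLOWS))
    print("correlated staging+exfil hosts:", correlate(FLOWS))
```

Either rule alone produces noise (backups hit file shares, servers legitimately use FTP); the value is in the join, which is why the post's point about centralized logs matters: the two signals live in different log sources.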

🔍 7. Technical and organizational errors at Target

ERROR | CONSEQUENCE
❌ No effective network segmentation | Attackers reached the POS from a vendor foothold
❌ No MFA for vendor access | Stolen credentials = working access
❌ POS software without P2PE | Track data sits in plaintext in register memory
❌ Outdated register software | Windows XP on many terminals
❌ FireEye alerts not acted on | The response window was missed
❌ No DLP and no EDR on registers | Nothing blocked the staging and the FTP exfiltration

✅ 8. Consequences and Lessons

8.1 Financial and legal consequences

  • Damage: >$200 million
    • Target reported $252 million in cumulative breach-related expenses through 2014, about $162 million net of insurance.
    • $18.5 million settlement with 47 states and the District of Columbia (2017).
    • $10 million consumer class-action settlement.
    • Separate settlements with Visa and MasterCard card issuers.
    • The CIO resigned in March 2014 and the CEO in May 2014.
  • Loss of confidence: net earnings for the quarter of the breach (Q4 2013) fell 46% year on year.

8.2 Changes in the industry

  • Faster rollout of EMV chip cards in the US (the October 2015 liability shift) and growing demand for P2PE and tokenization.
  • PCI DSS v3.0 and later releases put more weight on:
    • Network segmentation, and testing that it actually holds.
    • Logging and monitoring.
    • Penetration testing, including segmentation tests.
  • Momentum for Zero Trust and micro-segmentation.

8.3 Key Lessons

LESSON | RECOMMENDATION
Supply chain is an attack surface | Limit vendor access to what the vendor needs, enforce MFA, review and expire access
Network segmentation is critical | Dedicated POS segment, default-deny between segments, no route from vendor portals to the cardholder data environment
RAM scraping is a real threat | Use P2PE so cleartext track data never sits in register memory
Alerts must be acted on | Train the SOC, define escalation paths, use a SIEM with correlation rules
Keep software current | Retire end-of-life systems (Windows XP)
Encrypt and tokenize card data | P2PE with DUKPT key management in transit, tokenization for anything stored

🛡️ 9. How could the attack have been prevented?

STAGE | PROTECTIVE MEASURE
Phishing at the vendor | Awareness training, attachment sandboxing, MFA on the vendor's own accounts
Access to the Target network | Vendor isolation, Zero Trust Network Access (ZTNA), MFA on the portal
Moving through the network | Segmentation, micro-segmentation, NAC
POS infection | EDR and application allow-listing on registers, signed and change-controlled software pushes
RAM scraping | P2PE (Point-to-Point Encryption), with card data encrypted inside the reader hardware
Data exfiltration | DLP, egress filtering (no outbound FTP from servers), DNS filtering, destination blocking

📚 10. Documents and sources

  • Target investor relations statements on the breach (2014) - https://investors.target.com
  • U.S. Senate Committee on Commerce, Science, and Transportation, "A 'Kill Chain' Analysis of the 2013 Target Data Breach" (March 2014)
  • Brian Krebs, KrebsOnSecurity coverage of the breach and of the Fazio phishing (December 2013 – February 2014)
  • PCI Security Standards Council - PCI DSS updates after the attack
  • MITRE ATT&CK Framework:
    • T1566 – Phishing (initial access at the vendor)
    • T1078 – Valid Accounts (stolen vendor credentials)
    • T1003 – OS Credential Dumping
    • T1071.002 – Application Layer Protocol: File Transfer Protocols (FTP exfiltration)

🎓 Conclusion​

The attack on Target was not hacker "magic", but a chain of organizational and technical errors:
  • Weak access control.
  • Lack of segmentation.
  • Ignoring security signals.
  • Outdated POS architecture.

🔐 The key takeaway: Security is not just about technology, it is also about processes, people and culture.
 
Carding is a form of cybercrime in which criminals use stolen bank card data or compromised accounts for unauthorized transactions, purchases or withdrawals. For educational purposes, this section analyzes how compromised accounts are used for carding, covering the mechanisms, stages, tools, consequences and prevention measures. The 2013 attack on the US retailer Target serves as the example, supplemented with general patterns from carders' practice to show how this works more broadly.

Case Study: Attack on Target (2013)

Context and scale

In late 2013 the American retail chain Target suffered one of the largest data breaches in retail history. Attackers obtained about 40 million credit and debit card records, plus personal information (names, mailing addresses, phone numbers and email addresses) for approximately 70 million customers. Website passwords were not among the data Target reported as stolen, so the account-takeover scenario below is the general carding pattern that follows a breach of this size, illustrated on the Target case, rather than a documented part of the Target investigation.

Stages of attack

  1. Initial hack and credential compromise:
    • Entry point: the attack began with the compromise of a contractor working with Target (Fazio Mechanical Services). A phishing email carrying password-stealing malware gave the attackers the contractor's credentials for a Target vendor portal.
    • Network intrusion: using those credentials the attackers got into Target's network and installed RAM-scraping malware (BlackPOS) on store POS registers, which harvested card data as cards were swiped.
    • Harvesting customer data: in addition to card data, the attackers reached a separate customer database holding names, mailing addresses, phone numbers and email addresses. Target did not report website passwords as stolen; the account-takeover steps below describe the general pattern that follows such a breach, not documented events of the Target case.
  2. Credential stuffing technique:
    • Stolen login-password pairs are replayed against the breached site and against unrelated ones (for example Amazon, eBay, PayPal). Credential stuffing is the automated testing of username-password combinations across many platforms, and it works because many users reuse the same password everywhere.
    • Tools such as Sentry MBA (contemporary with the breach) and the later OpenBullet let carders check thousands of combinations per minute through rotating proxies; weak or reused customer passwords make the job easier.
  3. Using compromised accounts for carding:
    • Direct purchases: with access to a retailer account, carders use the saved payment method (if one is linked to the profile) to buy high-ticket, easily resold items: electronics, game consoles, televisions and gift cards.
    • Adding new cards: when the account has no stored payment method, carders add stolen card details (bought on the black market or taken from other leaks) to complete the purchase; an aged account with order history draws less anti-fraud scrutiny than a freshly registered one.
    • Changing delivery details: to cover their tracks, carders change the shipping address to a "drop" (the address of an intermediary who forwards the goods onward) and may use temporary email addresses or phone numbers to confirm orders.
    • Cross-platform attacks: credentials that work on other platforms are used the same way there, either through the compromised account or by adding stolen cards to it.
  4. Monetization:
    • Resale of goods: purchased goods (such as electronics) are resold through eBay, Craigslist or local markets; goods are often shipped to countries with weaker controls to make tracing harder.
    • Gift card cashing: gift cards bought with compromised accounts are sold at a discount on underground forums and, in later years, on darknet markets such as AlphaBay or Hansa (both launched after 2013); buyers use them for further purchases or cash-out.
    • Carding for cryptocurrency: carders also use compromised accounts to buy cryptocurrency (for example through exchanges with a linked card), converting the stolen value quickly into hard-to-trace assets.
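The defensive counterpart to step 2, as an added example that is not part of the original post: a minimal credential-stuffing detector over constructed web login logs. The log format, the thresholds and the IP addresses are assumptions; a real deployment would read the site's own authentication logs and feed the flagged IPs and the successfully guessed accounts into blocking and forced password resets.

```python
"""Added example: spotting credential stuffing in login logs.
LOG is constructed; format, thresholds and addresses are assumptions."""
from collections import defaultdict

# Constructed log lines: "<unix ts> <client ip> <username> <result>"
LOG = """\
1000 198.51.100.7 alice FAIL
1001 198.51.100.7 bob FAIL
1002 198.51.100.7 carol FAIL
1003 198.51.100.7 dave OK
1004 198.51.100.7 erin FAIL
1005 198.51.100.7 frank FAIL
1060 203.0.113.5 alice FAIL
1065 203.0.113.5 alice FAIL
1070 203.0.113.5 alice OK
"""


def parse(log: str) -> list:
    """Parse log lines into (ts, ip, user, success) tuples."""
    rows = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        rows.append((int(ts), ip, user, result == "OK"))
    return rows


def stuffing_sources(rows, window=60, min_users=5, max_success_rate=0.5):
    """Return IPs that, within `window` seconds, try at least `min_users` distinct
    usernames with a low success rate. That is the signature of a combolist replay;
    one person mistyping their own password (203.0.113.5 above) touches one username
    and is left alone. The 'hits' list is what must go to forced password reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in rows:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            rate = sum(ok for *_, ok in win) / len(win)
            if rate <= max_success_rate:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "hits": [u for _, u, ok in win if ok],
                }
                break  # one finding per IP is enough
    return flagged


if __name__ == "__main__":
    for ip, info in stuffing_sources(parse(LOG)).items():
        print(ip, info)
```

Real attackers spread attempts over proxy pools, so the same rule is usually also keyed on a device or TLS fingerprint rather than only the IP; the per-username view (many IPs hitting one account) is the complementary rule for password spraying.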

Technical aspects of carding

  1. Carder tools:
    • Combolists: lists of stolen usernames and passwords bought on the dark web or assembled from public leaks. (Services such as Have I Been Pwned only tell you which breaches an email address appears in; they do not hand out the credentials themselves.)
    • Proxies and VPNs: to get past IP-based blocking, carders route through proxies or VPNs to hide their location and appear to come from the victim's region.
    • Anti-fraud bypass: carders imitate normal user behaviour (bots that browse pages before buying) and match the victim's browser fingerprint to avoid tripping anti-fraud systems.
    • CC checkers: to verify that stolen cards are still live, carders run small authorizations (for example, tiny donations on charity sites) before using them for real purchases.
  2. Darknet market:
    • Stolen accounts and card details are sold on underground forums and shops. A full set of card details (number, expiry, CVV, cardholder name) goes for roughly $5 to $50 depending on the card's limit and region; compromised accounts with linked cards or high credit limits fetch more.
    • Carders also trade "guides" (manuals) describing how to defeat specific platforms, for example how to get around two-factor authentication or transaction monitoring.

The aftermath of the attack on Target​

  1. For the company:
    • Financial losses: Target reported $252 million in cumulative breach-related expenses (about $162 million net of insurance), covering customer compensation, investigation costs and legal fees. Indirect losses (reputational damage, lost sales) were higher still.
    • Legal implications: The company faced numerous lawsuits from customers and banks whose cards were compromised.
    • Layoffs and reputational damage: Target CEO Gregg Steinhafel resigned. The company lost customer confidence, leading to a temporary decline in its stock.
  2. For clients:
    • Affected customers faced unauthorized card charges, identity theft, and the need to replace their cards.
    • Many customers fell victim to secondary attacks in which their reused passwords were tried on other platforms.
  3. For industry:
    • The incident became a catalyst for the introduction of new security standards in retail, such as EMV chips (more secure than magnetic stripes) and improved encryption protocols.
    • Companies have begun to more actively implement two-factor authentication (2FA) and systems for monitoring suspicious transactions.

Common carding schemes using compromised accounts​

Besides the Target case, carders often use the following approaches:
  1. Phishing: Sending fake emails or creating fake websites to trick users into entering their personal information.
  2. Skimming: Installing devices on ATMs or terminals to read card data.
  3. Purchasing data on the darknet: Carders purchase ready-made databases (logins, passwords, card data) from forums such as RaidForums or its successors.
  4. Automation Bots: Using bots to mass test credentials and perform transactions.
  5. Social engineering: Deceiving users to gain access to their accounts (e.g. by calling while pretending to be tech support).

How to Protect Yourself: Recommendations for Users and Companies​

  1. For users:
    • Unique passwords: Use different passwords for each service. Password managers (e.g., LastPass, 1Password) can help you store them.
    • Two-factor authentication (2FA): Enable 2FA wherever possible, preferably through authenticator apps (Google Authenticator, Authy) rather than SMS.
    • Transaction Monitoring: Regularly check your card statements and bank notifications.
    • Limit data saving: Do not save card data on websites unless necessary.
    • Antivirus and updates: Use antivirus software and update your devices regularly to protect yourself from malware.
  2. For companies:
    • Password and payment data protection: store passwords only as salted slow hashes (bcrypt, scrypt or Argon2), never encrypted or in plaintext, and avoid storing card data at all by tokenizing it with the payment processor.
    • Access Restriction: Apply the principle of least privilege to employees and contractors.
    • Anti-fraud systems: Use tools to monitor suspicious transactions (e.g. FraudLabs, Signifyd).
    • Regular Audits: Conduct network security audits and penetration testing.
    • Customer Education: Educate users about phishing and the importance of 2FA.

Conclusion

The Target incident shows how a breach of this scale feeds large-scale carding, and how compromised accounts become the tool once credentials leak. Attackers combine technical methods (malware, credential stuffing) with social engineering to gain access to accounts and monetize them. The case highlights the importance of cyber hygiene for users and of strict security measures for companies.
 