Professor
Below is a detailed educational analysis of a real case of a cyber attack on the Target supermarket chain (2013). This incident is considered one of the largest and most significant in the history of cybersecurity and carding, especially in the context of vulnerabilities in POS systems, supply chain, and security monitoring deficiencies.
The attack lasted for more than 3 weeks, and despite the presence of detection systems, it was not stopped in time.
Case Study: Target Attack (2013)
Educational Analysis of a Cyber Attack on POS Systems
Date: November – December 2013
Victim: Target Corporation – the third largest retailer in the US
Scale: 40 million compromised bank cards, 70 million PII records
Damage: > $200 million (fines, investigations, compensation, loss of trust)
Attack type: Complex APT attack using POS malware (BlackPOS)
1. General attack scheme
Code:
[1] Vendor Compromise → [2] Target Network Access → [3] POS Search and Infection → [4] Data Collection → [5] C&C Extraction
2. Stage 1: Initial attack vector - supply chain
Entry point: Fazio Mechanical Services
- A small contractor that provided heating, ventilation and air conditioning services for Target stores.
- Had remote access to Target systems for invoicing.
How the compromise occurred:
- The attackers (the FIN7/Carbanak group, according to the FBI) sent a phishing email to a Fazio employee.
- The email contained a malicious attachment (an Excel file with a macro).
- The macro downloaded the Backdoor.Orcus trojan.
- Through the infected PC, the attackers gained access to credentials, including login and password for accessing the Target portal.
Target's error: the vendor had direct access to the corporate network without multi-factor authentication (MFA) or network segmentation.
3. Stage 2: Penetrating the Target network
What the attackers did:
- Used stolen credentials to log into Target's VPN gateway.
- Gained access to the internal network, including the VLAN where the POS systems were located.
- Conducted reconnaissance:
  - Network scanning (Nmap-like actions).
  - Search for servers running POS management software.
  - Determining the IP addresses of cash register terminals.
Critical error: POS systems were not isolated in a separate VLAN. They were on the same network as accounting and IT systems.
4. Stage 3: Infecting POS terminals
Malware used: BlackPOS (aka Kaptoxa)
Developed by the FIN7 group. Features:
- Written in C++.
- Works in memory (fileless malware).
- Specializes in RAM scraping: searching for PANs in RAM.
How BlackPOS worked:
- The attackers uploaded malware to the central POS control server.
- Through a legitimate software update mechanism, BlackPOS was sent to 1800+ terminals.
- Malware was activated when a transaction was started.
RAM Scraping: How Data Was Stolen
POS terminals (in hybrid architecture) temporarily stored PAN in RAM:
Code:
[Card] → [Read] → [PAN in RAM] → [Encryption] → [Send]
- Scanned RAM every 15 minutes.
- Searched for card data with regular expressions (for example, ^4[0-9]{12,15}$ for Visa).
- Filtered the results: removed duplicates and validated candidates with the Luhn checksum.
- Saved the PAN, expiration date and cardholder name.
The PAN was in memory in clear text for a split second, but that was enough.
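The same pattern-plus-Luhn filter the malware used for false-positive reduction is what a defender's DLP or log-scrubbing check relies on. The following is an added example written for this analysis (not code from the original post); the regex generalises the Visa example above to 13-19 digit PANs with optional separators, and the sample strings are constructed test values, not real card data.

```python
import re

# Candidate PAN pattern: 13-19 digits with optional space/dash separators,
# not embedded in a longer digit run. The page's Visa regex is one special case.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _candidate(match) -> str:
    """Strip separators; return the digits if the candidate is a plausible PAN."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""

def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in text (e.g. an outbound payload or a log line)."""
    return [d for d in (_candidate(m) for m in PAN_RE.finditer(text)) if d]

def mask_pans(text: str) -> str:
    """Replace each detected PAN with first six + stars + last four (PCI DSS masking)."""
    def _mask(m):
        d = _candidate(m)
        return d[:6] + "*" * (len(d) - 10) + d[-4:] if d else m.group(0)
    return PAN_RE.sub(_mask, text)
```

Running `find_pans("auth 4111 1111 1111 1111 ok; id 1234567890123456")` returns only the Luhn-valid test number; the 16-digit record id fails the checksum and is ignored, which is exactly why the Luhn step matters on both sides.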
5. Step 4: Data Extraction
Transmission mechanism:
- The collected data was packed and encrypted.
- Sent to external C&C servers disguised as legitimate DNS requests (DNS tunneling) or HTTPS traffic.
- The servers were located in Russia, China, Malaysia.
Leak volume:
- 40 million records with card data (PAN, expiration date).
- 70 million PII records (name, email, phone, address).
The data was sold on the darknet for $20–$100 per card.
6. Why was the attack not detected?
6.1 FireEye detection system worked, but was ignored
- FireEye (next generation antivirus) detected suspicious activity.
- The system generated more than 100 alerts.
- But Target's security team ignored them because they weren't trained to interpret the warnings.
This is one of the most famous examples of "signals that went unheard".
6.2. Lack of SIEM and centralized monitoring
- Logs were not aggregated.
- There were no correlation rules to detect anomalies (e.g. bulk data transfer).
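An added example of the kind of correlation rule this section says was missing (written for this analysis, not code from the original post): it parses a constructed DNS query log and flags any source host sending many long, high-entropy subdomain labels to one external domain, the shape DNS-tunneled bulk transfer leaves behind. Log format, host addresses and the `drop.example` domain are assumptions.

```python
import hashlib
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"src=(?P<src>\S+) qname=(?P<qname>\S+)")

def build_sample_log(n_tunnel: int = 30) -> list:
    """Constructed DNS query log: two normal lookups from one host, plus a burst
    of long hex labels to a single domain from another host (tunneling shape)."""
    lines = [
        "2013-11-30T02:15:01 src=10.20.30.40 qname=www.update.example type=A",
        "2013-11-30T02:15:03 src=10.20.30.40 qname=time.example type=A",
    ]
    for i in range(n_tunnel):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
        lines.append(f"2013-11-30T02:15:{i % 60:02d} src=10.20.30.41 "
                     f"qname={label}.drop.example type=TXT")
    return lines

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded payload labels sit near 4.0."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Simplification: last two labels (a production rule would use a public suffix list)
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_dns_tunneling(lines, min_queries=20, min_label_len=30, min_entropy=3.0):
    """Correlation rule: flag (source host, domain) pairs with many queries whose
    leftmost label is long and high-entropy. Returns a list of alert dicts."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "label_bytes": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        first = qname.split(".")[0]
        st = stats[(m.group("src"), registered_domain(qname))]
        st["queries"] += 1
        st["label_bytes"] += len(first)        # rough upper bound on bytes carried out
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            st["suspicious"] += 1
    return [{"src": src, "domain": dom, **st}
            for (src, dom), st in stats.items()
            if st["suspicious"] >= min_queries]
```

`detect_dns_tunneling(build_sample_log())` returns a single alert for 10.20.30.41 against drop.example; the host doing ordinary lookups produces none.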
6.3 No network segmentation
- The attackers moved freely from the accounting department to the POS.
7. Target's technical and organizational errors
ERROR | CONSEQUENCES |
---|---|
Vendor had direct network access without segmentation | Attackers reached the POS from the supplier's network |
No multi-factor authentication on vendor accounts | Stolen credentials = full access |
Hybrid POS architecture without P2PE | PAN temporarily in clear text in PC memory |
End-of-life operating systems on terminals | Windows XP on many terminals |
FireEye alerts ignored | The window for response was missed |
No DLP or egress filtering | There was no protection against data leakage |
8. Consequences and Lessons
8.1 Financial and legal consequences
- Damage: >$200 million
- $41 million - direct costs.
- $18.5 million - settlement with 47 states.
- $10 million - compensation to clients.
- Dismissal of CIO and CEO.
- Loss of confidence: sales down 4.6% in 2014 Q1.
8.2. Changes in the industry
- Growing demand for P2PE and tokenization.
- Tightening of PCI DSS v3.0+ requirements for:
  - Network segmentation.
  - Monitoring.
  - Pentests.
- Development of Zero Trust and micro-segmentation.
8.3 Key Lessons
LESSON | RECOMMENDATION |
---|---|
Supply chain vulnerability | Limit vendor access, use MFA |
Network segmentation critical | Dedicate VLAN to POS, deny external access |
RAM scraping is a real threat | Use P2PE to ensure PAN is never in PC memory |
Alerts need to be read | Train SOC, use SIEM with correlation rules |
Update your software | Opt out of EOL systems (Windows XP) |
Encrypt your data | P2PE + DUKPT + tokenization |
9. How could the attack have been prevented?
STAGE | PROTECTIVE MEASURE |
---|---|
Phishing on the supplier | Training, attachment sandboxing, MFA |
Access to the Target network | Vendor Isolation, Zero Trust Network Access (ZTNA) |
Navigating the network | Segmentation, micro-segmentation, NAC |
POS infection | EDR, antivirus, blocking unauthorized updates |
RAM scraping | P2PE (Point-to-Point Encryption) |
Data extraction | DLP, Destination Country Blocking, DNS Filtering |
10. Documents and sources
- Official Target Report (2014) - https://investors.target.com
- FBI and DOJ Investigation - Indictment of Alexander Lapshin (FIN7 Member)
- PCI Security Standards Council - PCI DSS Updates After Attack
- MITRE ATT&CK Framework:
- Tactic: Initial Access (Phishing)
- Tactic: Lateral Movement
- Technique: T1003 – OS Credential Dumping
- Technique: T1071 – Application Layer Protocol (Web Protocols)
Conclusion
The attack on Target was not hacker "magic", but a chain of organizational and technical errors:
- Weak access control.
- Lack of segmentation.
- Ignoring security signals.
- Outdated POS architecture.
The key takeaway: Security is not just about technology, it is also about processes, people and culture.