On January 12th, we learned that Neiman Marcus became the next in a list of retailers that had their clients’ credit card information stolen.
In the attack on Target, which occurred shortly before the Neiman Marcus attack, it appears that the key attack method was to parse track data out of one or more computers' RAM.
What exactly does that mean? To "parse data" simply means to break information into pieces that can be more easily used and manipulated. What makes these attacks different from most is that instead of targeting information on a computer's hard drive, the malware processes the data in the computer's memory (RAM). "Track data" refers to the data encoded on the magnetic stripe of a credit card. Reading track data out of memory is a technique IT forensics experts have used for years, but it had not been turned into malicious software, or malware, until very recently.
This type of attack is so new that even if a company follows Visa’s own best practices documentation (known as the Visa PABP, or Payment Application Best Practices), this attack would still succeed.
Many credit card processing companies have been trying to educate their clients not to store track data on their computers' hard drives, but this type of attack bypasses those efforts as well: the data does not need to be written to disk to be vulnerable, because it is taken straight from the computer's memory, often while the transaction is being processed.
For IT security professionals who want to actually prevent the type of attack that has been hitting national retailers, there are concrete steps you can take. If you are using the Bit9 Security Platform and are in high-enforcement mode on your credit card processing systems, it will be much easier for you to stop these attacks (if you need assistance, please contact your Bit9 support representative).
If you are not using Bit9, I would encourage you to contact your IT security software vendor to see if their product can block unapproved executables. If it cannot, and you want to make sure that the exact same attack does not hit your company, use a product that can block files by both name and MD5 hash. This is a critical point: many of these filenames are also legitimate core parts of the Windows operating system, so matching on the hash as well as the name ensures that the currently known versions of the malware are stopped without blocking the genuine Windows system files. Then configure the software and ensure that the following files and hashes are not allowed to execute in your environment:
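As an added illustration of the name-plus-hash check described above (example code written for this post, not a Bit9 product feature), the script below parses a "filename – MD5" list, hashes files on disk, and flags a file only when both the name and the hash match, so a legitimately named copy with a different hash is left alone. The sample bytes, hash and directory layout are constructed for the example and are not the real malware indicators.

```python
import hashlib
import tempfile
from pathlib import Path

SAMPLE_BAD_BYTES = b"constructed stand-in for a known-bad psexec.exe build"  # not real malware


def md5_of_file(path):
    """MD5 hexdigest of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_blocklist(text):
    """Parse 'name - md5' lines (dash or en dash) into {lowercased name: {md5, ...}}."""
    blocklist = {}
    for line in text.splitlines():
        line = line.strip().lstrip("-").strip()
        if not line:
            continue
        name, _, digest = line.replace("\u2013", "-").rpartition("-")
        name, digest = name.strip().lower(), digest.strip().lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            blocklist.setdefault(name, set()).add(digest)
    return blocklist


def is_blocked(path, blocklist):
    """Flag only when BOTH the file name and its MD5 match a blocklist entry."""
    known = blocklist.get(Path(path).name.lower())
    return bool(known) and md5_of_file(path) in known


def scan(directory, blocklist):
    """Return relative POSIX paths of every file under directory that is blocked."""
    root = Path(directory)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and is_blocked(p, blocklist))


def demo():
    """Constructed scenario: a bad psexec.exe beside a benign file of the same name."""
    blocklist = parse_blocklist("- psexec.exe \u2013 " + hashlib.md5(SAMPLE_BAD_BYTES).hexdigest())
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "tools").mkdir()
        (base / "sysinternals").mkdir()
        (base / "tools" / "psexec.exe").write_bytes(SAMPLE_BAD_BYTES)
        (base / "sysinternals" / "psexec.exe").write_bytes(b"constructed stand-in for the genuine tool")
        return scan(base, blocklist)  # only the hash-matching copy is reported
```

Because the match is on the exact MD5, the list only stops the currently known builds; a recompiled sample with a new hash needs a new entry, which is why allow-listing unapproved executables outright is the stronger control.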
And, as always, if you would like more information, please feel free to contact me directly at firstname.lastname@example.org.