November 17, 2014

The breach at office supply chain Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores, according to sources close to the investigation.

staplesMultiple banks interviewed by this author say they’ve received alerts from Visa and MasterCard about cards impacted in the breach at Staples, and that to date those alerts suggest that a subset of Staples stores were compromised between July and September 2014.

Sources briefed on the ongoing investigation say it involved card-stealing malicious software that the intruders installed on cash registers at approximately 100 Staples locations. Framingham, Mass.-based Staples has more than 1,800 stores nationwide.

In response to questions about these details, Staples spokesman Mark Cautela would say only that the company believes it has found and removed the malware responsible for the attack. 

“We are continuing to investigate a data security incident involving an intrusion into some of our retail point of sale and computer systems,” Cautela said in a statement emailed to KrebsOnSecurity. “We believe we have eradicated the malware used in the intrusion and have taken steps to further enhance the security of our network.  The Company is working with law enforcement and is investigating whether any retail transaction data may have been compromised. It is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”

A source close to the investigation said the malware found in Staples stores was communicating with some of the same control networks that attackers used in the intrusion at Michaels, another retail breach that was first disclosed on this blog. Michaels would later acknowledge that the incident was actually two separate, eight-month long breaches that resulted in the theft of more than three million customer credit and debit cards.

The same source compared the breach at Staples to the intrusion recently disclosed at the nationwide grocer chain Albertsons, noting that both breaches resulted in the theft of far fewer customer credit and debit cards that thieves might have stolen in these attacks. It remains unclear what factors may have limited the number of cards stolen in these breaches, particularly compared to tens of millions of cards stolen in breaches at similar nationwide retail chains like Target and Home Depot.

I fully expect that we’ll hear about another major retail chain getting hacked as we approach another Black Friday. Any retailers that are still handling unencrypted credit card data on their networks remain an attractive and lucrative target for attackers.


60 thoughts on “Link Found in Staples, Michaels Breaches

  1. Dan

    So what exactly is the commonality? PoS vendor? Remote access? Windows vuln? Find that and look at the related companies for correlation and other possible breaches.

    1. BrianKrebs Post author

      The link is that the malware in both breaches was found to be communicating with the same command and control (C2) networks.

      1. Eric

        Is it possible that these CnC networks are just ‘botnets for hire’ used by two different organizations? If one groups finds that the net is optimal for their purpose (location, discretion, etc), other groups might land on it for the same reasons.

        1. MC

          Anything is possible, but the idea of a commoditized C2 service doesn’t make much sense in this day and age of fast and cheap cloud instances that can be spun up and destroyed in almost no time. This just sounds like bad opsec on the part of the criminal organization. In the words of Avon Barksdale, “you’ve only gotta fuck up once.”

  2. NoMoreCyberheists?

    all these news are about data breaches, are small business safe now from cyberheists?

    1. CyberFlashNews

      Small biz is a prime target due to lack of proper security. If you have PCI or PII, you are a target. Think about how many ppl shop and have services at local shops and use a payment card.

      1. cc

        I find small business are especially vulnerable to ACH/Wire fraud. Especially small organizations that have lots of funds moving through their systems (title companies, distributors, etc) rather than being the target of POS credential stealing malware

        1. BrianKrebs Post author

          Yep, CC captured my thoughts exactly. I would not call the major breaches at retailers cyberheists. That category I would reserve for small to mid-sized business that have their bank accounts (usually payroll) emptied because they got a virus infection (usually something like the Zeus Trojan). These companies are and remain a major target, principally because they often have very few fraud controls in place.

          1. Josh Golden Eagle

            Do you have a past article on some of the ways that small businesses are not protecting themselves, or additional steps small businessess should be taking to protect themselves?

            1. CW

              Brian has written a bunch of articles about this. Usually, the person in charge of processing the payroll is targeted with a virus-laden email. The payroll person clicks on it, and their machine is infected. Often times, they only have a single authentication to the bank (username/password.) The banks often offer multi-factor authentication, but small businesses don’t bother to take the bank up on additional security. So once their machines are infected, they’re in trouble. (Even multi-factor authentication is beatable, but it would deter some miscreants.)

              Another solution would be for the payroll processor to use a Linux/Suse LIVE CD to boot their machine, before doing payroll. But again, most folks don’t seem to care/bother with the extra security measure…until after it’s too late.

      2. mechBgon

        If you meant “is it risky for me as a customer,” I think it is. Significant risk factors, little or no security staff/budget/training. Go into a small business such as a flower shop or a local pizzeria and ask them about their PCI compliance. “Our… what? And would you like breadsticks with that?”

        I work at a very small business myself. Our POS vendor scares me. They only recently figured out “hey, maybe it’s NOT a good idea for the store’s in-house database (which is uploaded to them every night) to contain peoples’ CC numbers.” I could go on. Suffice it to say, I carry more cash these days.

        1. TJ

          I felt the same as you after the Target breach. But then Brian started reporting breach after breach, and I decided I just couldn’t carry, or I didn’t want to carry, all the cash I would need for all of my daily transactions.

          I also noticed that my credit card issuer, Bank of America, does an exceptional job monitoring for credit card fraud. For instance, my card was initially rejected at my dentist’s office recently because my wife and I had just minutes earlier filled up both of our cars at the same gas station at the same time.

          Now I’ve setup my account to receive every possible text message alert, and I also check the account daily. Even though my card was exposed in at least four of the major breaches, I’ve yet to experience any fraudulent charges over the past year (fingers crossed), and Bank of America only replaced my card after the Target breach.

        2. Jon Marcus

          Trying not to be snarky in reply, but why is cash viewed as safer than credit cards? It’s certainly easier to have stolen and as easy to lose as a CC, and once it’s gone there’s no hope hope of recovery. Legally personal CC losses are limited to $50, and in practice most banks cover 100% of customer loss.

          Of course that coverage may be passed on to all customer in the form of higher prices. But you pay that price whether or not you carry cash. So why take the risk?

          1. timeless

            It’s a good question.

            The thoughtful answer is that cash is in fact not safer.

            But, when people panic, they turn to tangible things and if they haven’t actively used those things in a long time, then they’ve probably forgotten their failings.

            I don’t have statistics, but I think that the quantity of muggings (for cash) has declined as criminals have shifted to robbing people at ATMs, and all sorts of credit card crimes. Also, since people aren’t carrying much cash, their reported losses due to pickpockets (at home and while traveling abroad) are almost certainly down.

            Sure, if we switched back to cash, these numbers would almost certainly recover to some extent — criminals go where the money is — but most people aren’t game theorists, they don’t consider that mass actions have consequences, or that history repeats itself, they only keep in mind “recent memory”, and there, they haven’t “had problems with cash”, so “it must be safe”.

          2. mechBgon

            Losing my wallet, with my CC and driver’s license (and a bit of cash) is a fixed risk. Having my CC number get loose, along with info such as my patient info at the doctor’s or dentist’s office, is not. Cash doesn’t have my name or signature on it, and I don’t have to carry more of it than I need on hand for my purposes, which generally involves buying groceries, not major expenses like furniture suites or rental payments.

            So yeah, a $50 loss limit is a good thing, but I’m generally carrying less cash than that anyway. When Fred Meyer announces THEIR big earth-shattering breach, I’m not planning to be among the victims.

  3. MK

    “I fully expect that we’ll hear about another major retail chain getting hacked as we approach another Black Friday. Any retailers that are still handling unencrypted credit card data on their networks remain an attractive and lucrative target for attackers.”

    Is this just you assuming the worst based on recent history or do you have a suspicion about a certain merchant, that may not be fully confirmed yet?

  4. Deidre M. Simpson

    Staples and Albertsons have less desirable products in comparison to the other stores. The Michael’s breach occurred for a long time–twice. I’m sure investigators have taken those things into consideration. Anyway, something about this whole thing smells resoundingly female.

    1. Jeff M

      How can credit card theft sound female? The products the stores sell is not terribly relevant. These guys go after card numbers to resell. So if anything the store with the higher volume would be a larger target because it could indicate more card numbers/higher frequency of swipes, not the more desirable products.

  5. Frank

    Brian,

    Any idea on what those C2 network IPs were (are)?

    Thanks
    Frank

    1. Charles B

      +1
      I would be interested in knowing if the C2 channel was a Tor hidden service.

      1. Infosec Pro

        probably not tor. lots of IDS/IPS rules flag tor. more likely if tor is used it’s hidden behind an AWS cloud based hop point. hard to block random AWS IPs, and easy for the perps to get new ones as needed. intel can unravel some of that, but it’s tedious and requires painstaking detail. oh by the way, that metadata everybody wants to prevent the government collecting is exactly what is needed to backtrail these connections. See a connection?

    2. Infosec Pro

      Frank, if you have a legitimate need to know in order to protect business critical cyber assets check out Infragard, membership might help you get access to indicator data. Background checks are required, and it’s a partnership with the FBI, so don’t try to sign up under false pretenses.

  6. Marjorie

    I don’t claim to understand a lot of the technology aspects, yet my question is quite simple: If I use my Staples-issued credit card for in-store purchases, is my personal data at risk, or does this breach only impact customers that use their VISA and MasterCards in-store?

    1. BradR

      If Target is your concern, then target will be replacing your target issued card as well unless they have anti-fraud measures built into their system. The thieves got into the target system and pillaged it for all the card data they could get – MC, Visa, and probably target cards – not sure if the target cards have any value or not.

      Brad

  7. FairfaxKid

    Brian, Just curious – are Visa and Mastercard the only credit card accounts affected? What about Discover and American Express?

  8. danieles

    its all about credentials. all stores are hacked through very stupid passwords set by admins.

    1. Infosec Pro

      You obviously don’t know what you’re talking about. It’s a dangerous conceit to blame the victim, although it makes you feel good it leaves you complacent about your own vulnerabilities and blinds you to the need for improvement.

      Many compromises start with a spear phishing email carrying or linking to a malicious payload. Don’t fall into the trap of blaming the victim for being phished, some attacks I’ve seen were very well crafted and difficult to diagnose even in my malware lab.

      Other compromises involve watering hole attacks, compromised web sites that deliver malicious exploits, often completely invisible to the victim. Sometimes the exploits are zero-days, so no patch is even possible. Other times there are patches, so blaming the victim seems easy until you try to keep everything on your own system fully patched and discover it’s really hard. Don’t throw stones if your house is glass.

      Those compromises get a user workstation, then the attacker will use lateral exploitation to establish persistent access to the target network, installing multiple backdoors and covert command and control (C2) channels.

      Ultimately they will locate and compromise critical servers, and/or users. At this point they can do whatever they want, installing keyloggers and other malware packages on any workstation or distributing them to point of sale systems, lots of mischief.

      Notice that absolutely no element involved “very stupid passwords set by admins”, so get over your ignorant preconception and face ugly reality.

      The reality is, everyone involved is human. People are not perfect. They make mistakes. Those mistakes can be flaws in complex systems, falling for social engineering, trusting things they don’t understand and thinking they know more than they do.

      Now, re-read that last paragraph and go contemplate John 8:7.

      1. NotME

        If you want to blame them then blame the guys who should be watching for ex-filtration. Even encrypted payloads should send alerts up if patterns are detected. For HD anyway they had an alert and they did not respond to it.

        Getting in is one thing, getting the data our is quite another.

        1. Sean Reynolds

          Winner, winner. I would say all companies do (but there’s still a few slackers) that have cyber security monitoring in place to combat these sorts of things. Not all monitoring is alike though. Given that this was Staples and Michaels I trust that there was some quality safe-guards put into place. A lot of time it is employee error but with a company this large I doubt a low level employee could’ve triggered this by mistake.

      2. CooloutAC

        I appreciate your reply, more people need to stop blaming the users.

        Because not only does that blind ones self to their own vulnerabilities.. It also makes attackers complacent as well, whether gov’t or not, with a delusional feeling that someone deserved it so its ok . And then what happens is this divide keeps getting wider, between a hacking communities (gov’t or not) and the rest of society.

        And in this day and age, its disingenuous to think everyone who torrents is a criminal, or that viruses only come from porn sites, or if your using security tools your up to no good. Not too long ago I think BK, or someone else, had an article about NBC.com giving people viruses by just going to their URL, so it can really happen to all of us, no matter who you are.

        We are all susceptible to email phishing, or bad urls, no diff then the most advanced penetrations, imo. And the reaosn it keeps getting worse because of that very fact that most people, in the industry itsef, think it only happens to those who deserve it, which is of course not true at all.

      3. danielles

        are you talking from experience ? you wouldn’t believe if you knew what password stores like target and home depot had for their pos systems. Also, about criminals. No one really wants to catch nobody. there are a lot of armenians who do credit card fraud and many people know them yet police does nothing to stop them so who is to blame ? The incompetence of network administrators who put extraodinary easy passwords or the incompetence of local police ?

      4. John Doe

        Lateral Exploitation will involve some kind of credential misuse. In the vast majority of cases that will be a Pass the Hash attack. At its most basic form, PTH takes advantage of the common practice of machines having the same admin password throughout an organisation – not best practice, and not that far from what the original poster was getting at.

        Even if a company does have individual passwords for local admin accounts, it is almost embarassing how many companies still allow Windows admins to access machines using their domain credentials, thereby allowing any attacker to use the hash of that credential to move around the organisation.

        All of the ingress methods you mention are viable, but at the core, someone is misusing a password….

  9. Jim U

    Will there be anything forthcoming on the USPS breach? It seems strange that you’ve been silent on that. Has the postal service been unresponsive? Or is not that big a deal

    1. BrianKrebs Post author

      I don’t generally spend a lot of time writing about breach stories that I didn’t break. Particularly breaches that appear to impact mainly employees of the breached organization, which seems to be the case with the USPS breach.

  10. dcole

    Brian, has anyone suggested that maybe, just maybe, the banks do not want to shut down these fraudlent charges?
    Most people may not discover these unauthoritzed charges and the banks can still get their millions if not billions from them.
    Why shut down that huge profit if you can get by with paying a small perchentage of that in chargebacks?

    1. timeless

      That seems unlikely.

      The cost to reissue chip less credit cards is about $0.50/each. Assume that a person staffing a customer support line earns $6.00/hour (the minimum wage is higher than this), that’s $0.06 / minute. If each customer spends even 9 minutes complaining to anyone, the bank loses money.

      The people involved with helping investigate are almost certainly earning much more than minimum wage. It makes a lot more sense to identify and reset the whole batch of cards than to do things one at a time.

    2. Mark K

      Working at a small bank, we want the fraud to stop! More concerned about the fraud than the fees.

      1. BradR

        Amen to that brother. Constant stream of fraud with declining revenue to boot. Have you seen your Walmart interchange drop to 10 cents for all transactions – online, web, pin, or POS. They worked themselves a nice deal with Mastercard behind the scenes- bastards

    3. Christoph

      The measly interchange an issuin bank gets on the genuine or fraudulent transactions is wiped out many times over by the fraud and chargeback processing staff and operational cost of just one dispute.

      Not to mention reputation loss with your cardholder and the risk of lower confidence and spending for the future.

      No issuing bak has a business case knowingly letting fraud through.

    4. Jeremy Parker

      No way. I also work for an institution, and the cost of the fraud far outweighs any profit we could hope to gain from it. The issuer bears the bulk of the liability for the fraud, not the merchant, regardless of where the breach is. Until that changes, merchants have little incentive to change their practices and protect consumer information. And believe me, most people DO discover the charges eventually. Also, working for a credit union, we don’t seek to make profit from others’ misfortune – we exist to help our members, and that includes fraud protection. I suspect that most institutions have a similar attitude

    5. TC

      The ABA conducted a survey on banks’ cost for the Target breach. It found that the average cost to replace a debit card was $9.72 for all banks in the survey. For banks with less than $1B in assets of which my employer is one of them, the cost per card was $11.02. You can’t make an effective argument that the banks don’t want to shut this activity down when their cost is that high on a per card basis. We have had to replace some customers’ cards multiple time due to the various breaches this year.

    6. Clay Yearsley

      It’s the MERCHANTS you need to ask this question of. The financial institutions are the ones who end up footing the bill. The merchants have little motivation to stop fraud in the current environment.

  11. Benthall_SR2

    Notice that the investigations never real end going anywhere because most of the criminals behind these
    breaches are in Eastern Europe

  12. Jim C.

    Are the crooks that far ahead of the retailers that we will all have to be concerned with some sort of breach eventually which steals our personal/financial information? It appears that almost no site is safe these days.

    1. The Tech Bear

      Jim, now you’re getting it. All systems are insecure, unless hardened by a knowledgeable IT person. Even then a hardware or software vulnerability can bypass the hardened security.

      My philosophy is that I give anyone seeking information about me the smallest amount possible. My doctor’s office “required” a social security number (HELLO? It’s 2014!) before they would see me (again). I told them to pound sand and let them make one up.

      Make up a false identity and use it whenever you need to fill out information about yourself. Just make sure it’s the same information every time – don’t change it for each entity seeking the information. What is the statistic now? 1 in 3 have already been the victim of identity theft… Eventually, your information will be stolen, but will that information be valid if you’ve made most of it up?

      1. NotMe

        Wow, I thought i was the only one who gave people the wrong numbers! It’s such an easy thing to do, the only thing they need your SSN for is to make a debt collection against you.

        If we revoke the right of the credit bureau to use our government issued numbers we could get some traction in ID theft protection.

        No one should ever need to use SSN for anything other than Government benefits, EVER.

    2. Sterling Augustine

      If you use any form of credit (credit card, debit card, etc) then you and your personal data is at risk.

      I locked up my credit cards in my safe and my family use cash or personal check only now.

      1. Infosec Geek

        if you see a physician or use the health care system at all your personal healthcare records are at risk, and there’s nothing you can do about that.

        1. Jay

          Just tell the doctor office or hospital or lab company “No!” when they ask for SSN. They will quit asking. They don’t need it. A real problem is the V.A., which insists on using SSN. It probably will take an act of Congress to put a stop to that.

      2. IA Eng

        watch the use of checks – they are just as bad as Credit cards if crooks get a hold of one, whether its an insider, or they steal one. They can clear out an account pretty quickly if they have a routing and account number.

        I have seen instances where bogus owner data was on the check(s), and the checks had a compromised account and routing number on it.

        So, I create a bogus set of checks to match my fake ID, with your routing number and account info and go shopping.

        Cash is King.

        1. wombat94

          While it is generally true that checking account info can be used to drain a checking account, there are different levels of risk depending on the security features implemented by your bank.

          The typical way for a fraudster to use a checking account number is to create a fraudulent check based on the original check and then deposit or cash that check in the normal means. In order to ACH to be taken advantage of, the fraudster would have to provide a legitimate checking account somewhere to RECEIVE the stolen funds.

          Because of the reliance on paper checks to defraud a checking account in this way, some banks have started issuing serialized checks with random pre-approved check numbers.

          One of our banks has implemented this scheme. They will only issue checks directly (no printing from current or deluxe – the bank’s pricing is competitive) and each check book has 50 serialized checks, but the physical check number printed on the MICR line has that serialized check number AND a random (6-digit I think) number.

          Before any of these checks are able to be written and used, the check book has to be activated through the bank’s website. Any check that is tendered that is NOT one of the activated checks and does NOT include the random number encoded in the MICR line is rejected by the bank.

          It is a very secure system – essentially each check book is a real-world one time pad. All other paper checks are rejected.

  13. Jim

    Some of you, miss the other part of the story. For the POS to work, someone has to use the card somewhere else. Kind of like the Bitcoin article in todays news. KCStar. The breach is bad, and it can be tracked to the first server now. How is this server comprimised? There has to be a program set to compair the traffic and to route it to the next server. And its got to look legit. Especially to the virus databases and the update mechanisms, so it will not be overwritten. Or Else someone has to have a back door into the server. I wonder who that would be?

  14. Edward

    What likely limited the scope of these breaches is the organizations PoS software update architecture. We know from the MS use case of the Target Stores architecture (available on the Internet) that it was centralized. Once the databases and data files for the XP based PoS system at Target was breached and malware installed for distribution it was only a matter of time for it to be universally distributed. A distributed software architecture would be far less efficient but could limit the risk of complete malware infection. Sort of akin the notion of autonomous systems used in the Internet to limit the scope of a routing issue.

  15. Yves Lepage

    Why is it that cash registers have enough connectivity to communicate with a CNC?

    Is there something wrong with the architecture of these POS locations?

    1. anonymous

      Because most places outsource maintenance so they have to be connected.

  16. Joe Byrd

    do you have a list of stores that have been breached at Staples?

    1. E.G.

      Yes, I’d like to know if I have get my card replaced yet again. Does anyone know?

  17. Sean Reynolds

    What does this say about shopping this holiday season? Especially since most people are not comfortable carrying massive quantities of cash around, credit and debit will be the majority forms of payment. Apple Pay and touch-mobile POS systems will probably get real test this Black Friday. Hope the cyber Grinch doesn’t steal Christmas

Comments are closed.