“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps..."
...[Russian security firm] Group-IB [may have linked the attack] to a set of young Russian and Ukrainian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hacktivist collective known as Anonymous.
Rumors have been floating around the security community that the POS hardware had been compromised at the supplier before it had even reached Target.
Paul Ducklin at Sophos alluded to this type of attack a few days ago.
Back in 2009, for example, crooks in Australia ripped off McDonalds fast-food outlets that way.
They surreptitiously switched out Macca's official PoS devices for jury-rigged ones... A reverse swap-out some weeks later allowed the crooks to recover their Trojanised devices, and then to read off a month or more of payment card data and PIN codes from covert storage inside the hacked units.
But that sort of scam is hard to perpetrate on a national scale, especially at in-store sales points.
That's why I'm not sure I believe the "poisoned supply chain" proposition. It could happen, but it would seem easier to exploit the POS network from a central point. After all, you need a centralized collection area to gather the data from 40 million freaking credit cards.
That's where so-called RAM scraping malware comes into the picture.
RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the PoS register, albeit briefly.
This happens as the data is transferred from the PoS terminal to the PoS register.
Of course, PoS registers usually run some version of Windows, and are connected together on an enterprise-wide network.
So a RAM scraping botnet can be used to look out for credit-card-like data popping up in memory on an infected computer.
The bot then grabs the data before payment processing has even taken place, and squirrels it out
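The exposure Ducklin describes above (card data sitting unencrypted in a register's process memory for a moment) is something a defender can check for directly. The following is an added example, not code from Sophos, KrebsOnSecurity or this blog: a small Python audit routine that scans a memory buffer for card-number-like digit runs and track-2-style records, keeps only those that pass the Luhn check, and reports them with the PAN masked. The sample buffer is constructed here and uses published test card numbers, not real ones.

```python
import re

# Constructed sample: a fragment of what a PoS register's process memory might
# hold while a transaction is in flight. Both PANs are well-known test numbers
# (4111111111111111 and 5500000000000004), not real cards; the rest is filler.
SAMPLE_MEMORY = (
    b"\x00\x00TXN-0042\x00amount=1999\x00"
    b";4111111111111111=25121010000000000000?\x00"   # track-2 style record
    b"ref=1234567812345678\x00"                       # 16 digits, fails Luhn
    b"pan=5500000000000004\x00"                       # Luhn-valid test number
    b"\x00\x00"
)

# A PAN is 13-19 digits bounded by non-digits; the lookarounds stop a longer
# digit run (such as the discretionary data after '=' in track 2) from matching.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
# Track-2 layout: start sentinel ';', PAN, field separator '=', YYMM expiry.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_exposed_card_data(mem: bytes) -> list:
    """Scan a memory buffer and return Luhn-valid card data findings, masked."""
    findings = []
    track2_pan_offsets = set()

    for m in TRACK2_RE.finditer(mem):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({
                "kind": "track2",
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": m.group(2).decode(),
            })
            track2_pan_offsets.add(m.start(1))

    for m in PAN_RE.finditer(mem):
        if m.start() in track2_pan_offsets:
            continue            # already reported as part of a track-2 record
        pan = m.group().decode()
        if luhn_ok(pan):
            findings.append({"kind": "pan", "offset": m.start(), "pan": mask(pan)})

    findings.sort(key=lambda f: f["offset"])
    return findings


if __name__ == "__main__":
    for f in find_exposed_card_data(SAMPLE_MEMORY):
        print(f)
```

Run against a real process memory dump of a register application (taken with whatever debugger or forensic tool the environment supports), a non-empty result confirms that cleartext card data is present at that point in the flow, which is exactly what a RAM scraper relies on. An empty result on a register that uses point-to-point encryption from the PIN pad is the outcome to aim for.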
No law-abiding citizen can condone such a crime, but one can simply marvel at the creativity required to pull it off.
Hat tip: BadBlue Tech News