This year's Black Friday marks the rough ten-year anniversary of the 2013 intrusion at Target.

Their compromise became public knowledge when I wrote about it on Dec. 18, 2013. But the reporting for that story started ~ Dec. 12, when I began hearing from fraud control people at several smaller banks I'd worked with in the past on Zeus trojan attacks. They were seeing unprecedented numbers of customer cards getting compromised and used for in-store fraud at big box retailers.

I agreed to give each of those contacts a short primer on how to buy back their own bank's cards from a new set of 6 million freshly hacked cards (100 percent valid) that was being advertised in the cybercrime forums. All I asked in return is that they share the results of any fraud analysis on those cards.

Within 5 days, all of those bank sources reported success in buying back enough cards to determine the pattern: All had been used w/in the same three-week period at a Target store somewhere in the United States.

The fraud shop that was selling cards that everyone at this point suspected were coming from Target helpfully included the zip code tied to each card record for sale. Initially, we lost valuable time laboring under the assumption that the zip code was tied to the cardholder's address, but it soon became clear that was not the case, because there were only about 2,000 unique zip codes in the hundreds of pages of card data we scraped, and there are > 40k zip codes in the whole US. Still, the zip codes in the card data were spread out to almost every state.

Then we had an "AHA!" moment: The Target store locator page listed every single zip code of every store. After scraping those, we found there was about a 99.1 percent overlap in the Target store ZIP codes and the zip codes in the millions of fresh new cards put up for sale.

At that point, I felt really good about confronting Target, because every single source and data point led to the conclusion that they were totally owned.

https://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

Sources: Target Investigating Data Breach – Krebs on Security

@briankrebs Thank you for your great work in this area.

@michaelslade @briankrebs Agreed, big thank you from me.

And there is no irony in the bad guys selecting a business that literally has a target painted on its back.

@briankrebs Awesome. And shortly after 2013 came my own entry into this field, where that case was touched on a few times; it was a classic case of alert burnout, as the company had the necessary tooling but the security alerts were under a pile of many alerts.

@briankrebs Amazing investigative work you did there, Brian. That's when I started following you. Wow, 10 years! Congrats, you're the best!