Endpoint

1/2/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Forever 21 Found Malware and Encryption Disabled on its PoS Devices

The retailer found signs of unauthorized access and malware installed on point-of-sale devices during an investigation into last year's data breach.

Forever 21's investigation into a data breach first reported in November 2017 has revealed malware planted on the retailer's point-of-sale systems (PoS) as well as encryption disabled on some of the devices.

The retailer, which had been using encryption on its payment system since 2015, received a report in mid-October indicating unauthorized access to payment card data at certain stores.

Following an investigation with payment technology and security firms, Forever 21 said in an update posted late last week that encryption technology on some point-of-sale (PoS) devices was not always on, and that it had found signs of unauthorized network access and malware installed on PoS devices to search for payment card data.

The malware searched for track data from payment cards as they were processed through the PoS system. In most cases this data was limited to card number, expiration date, and internal verification code. Occasionally, the cardholder name was also found.

Encryption had been disabled and malware installed on some devices at varying times in US stores from April 3, 2017 through November 18, 2017. Some locations only experienced a breach for a few days or weeks; others were hit for most or all of the timeframe. In most cases, only one or a few of PoS devices were affected at each outlet.

Forever 21 stores also each have a device to keep track of completed payment card transaction authorizations. Payment card data was stored in these devices while encryption was off. Investigators found malware installed on log devices in certain stores. At these locations, if encryption was disabled on a PoS device prior to April 3, 2017 and data was still recorded on the log file, the malware could have discovered the unencrypted data.

The company reports it's working with payment processors, its PoS device provider, and third-party experts to address encryption on PoS devices at all of its retail outlets. It's also investigating whether this incident affected stores outside the US, which use different payment systems. Payment cards used on Forever21.com were not affected.

Retail is a hot target for cybercriminals who know they can make decent money swiping credit card numbers and selling them on the Dark Web. Bigger targets with millions of customers are the hardest hit, says Mark Cline, vice president at Netsurion. Indeed, Whole Foods and Nissan Canada are two more examples of massive retailers with large customer bases and recently reported security breaches.

"If retail businesses haven't hardened their IT and POS security, they should start now to protect themselves from PoS malware, ransomware, and other threats," he says. They may be running anti-virus software and managed firewalls, but they may or may not be running a strong offense with active monitoring and threat detection."

Forever 21 urges customers to review card statements for unauthorized activity and report unauthorized activity to their card issuer.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 12:28:02 PM
Re: PoS exploited
Not similiar.  Target POS systems were secure and the servers were secure BUT for a few seconds, data in transit from POS to SERVER ws not encrypted at all.  The theft involved just sitting in their cars and collecting the unsecure data transit.  
shyguygav
50%
50%
shyguygav,
User Rank: Apprentice
1/3/2018 | 10:22:02 AM
PoS exploited
Eerily similar to the target breach of 2013
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.