Target hackers shopping around for data decryption services?

The target breach and the massive amount of user information compromised in its wake is understandably worrying customers. But what are the odds of it being actually used by the cyber crooks behind the heist?

If intelligence aggregator InterCrawler is to be believed, the likelihood is good, even though the stolen credit card info (CVV codes and PIN data) is encrypted in TripleDES.

“There is an active group of Eastern European cybercriminals who specializes in attacks on merchants and Point-of-Sale terminals by using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment and PIN blocks data, which many systems have been sniffed and grabbed in the past,” they stated.

“Just recently, several criminals in underground are interested in decrypting of 3DES blocks and information intercepted from serial COM-port connected to POS (9600 7E1) and Man-in-the-Middle attack.”

The discussion about this problem is not new, and for years now hackers have managed to intercept packets carrying this type of data, but are unable to decrypt it (sometimes even if they have the key).

Their pleas for help are often answered by other hackers that apparently know how to decrypt them, but whether their claims are true or not it can’t be determined.

“Experienced cybercriminals have noticed many ‘encrypted networks’ allow for some plain txt capture. But to handle the more sensitive encrypted data, some of the more professional hackers have set up an ‘investment fund’ for creating 22 teraflops cluster for 3DES brute force, which could give them a much higher return on POS malware,” the company shared.

“The leader of this group was actively working on the development of special software for PIN-blocks decryption by its brute forcing having examples of dump, PIN and hash.

Requests for 3DES decryption of some 50 Gb of PIN data have been spotted right after the Target breach was publicly announced. InterCrawler impersonated a hacker claiming he can do it, and has analysed the received sample hex stream from the cyber crook. They have reason to believe that the compromised data in question is tied to customers in the US and Canada (Target has brick-and-mortar shops in both countries).

IntelCrawler CEO Andrew Komarov says that hackers have been known to decrypt PIN dumps in the past, even when they were encrypted with 3DES.

Errata Security’s Robert Graham claims the opposite, but allows the possibility of hackers getting the PINs without decrypting them because two identical PINs decrypt to the same value, and he explained how to go about it in a helpful blog post.

Still, he believes that Target has probably also salted the encrypted data, and that does make it impossible for cyber crooks to decrypt it.