Hackers created webserver on Target network to collect cards.Hackers installed off-the-shelf malware to siphon more than 110 millions of credit and debit cards and personal records from Target as early as November last year.
The unknown crackers reportedly used malware similar to the Russian made BlackPOS which was designed to scrape credit and debit cards from point of sale devices while they were unencrypted.
That data was shipped from POS terminals to a webserver established by attackers within Target's corporate network which was periodically emptied, according to reports.
Sources involved in the investigation told Krebs on Security the malware was submitted to malware-checking site ThreatExpert which revealed the application was not detected by more than 40 anti-virus platforms. [pdf]
Symantec published an analysis on BlackPOS which sources told Krebs was a similar variant to the malware used in the attack.
The RAM-scraping malware allowed attackers to create cloned credit cards which could be sold on underground carding sites and used to purchase merchandise.
Russian security outfit Group-IB published analysis of the BlackPOS malware and sought to identify the creators behind it.
"BlackPOS infects computers running Windows that are part of POS systems and have card readers attached to them. These computers are generally found during automated internet scans and are infected because they have unpatched vulnerabilities in the OS (operating system) or use weak remote administration credentials," Komarov said.
"In some rare cases, the malware is also deployed with help from insiders."
Group-IB claimed the malware was used to compromise a string of US banks including Chase, Citibank and Capital One.
The disclosures come admit continued silence by Target around how the attack took place. The retailer has not responded to requests by multiple publications including SC Magazine for information on the attack.
Target will testify before US Congress early next month in a hearing geared to discover how the attack affected consumers. It was unlikely to reveal specific information about how the breach took place as it was under active investigation by the US Secret Service.