1460206246_c029aeb764_mIf you’re like us you have a hard time remembering the point of sale (PoS) breaches that have occurred over the years. In an effort to simplify past public breaches, we have created a timeline that describes 59 distinct PoS-related breaches where the following were (or are believed to be) true:

  • Malicious software was installed or a malicious actor gained unapproved access to the PoS system,
  • Card holder information was, or could have been, exfiltrated from the organization, and
  • The breach was reported via a publicized breach notification or by the media

The incidents were found through a combination of “intense Googling”, referencing various news outlets, such as KrebsOnSecurity and ThreatPost, and several breach databases including the VCDB VERIS Community Database and the OSF DataLossDB.

Looking at the data provided some interesting talking points.

For example, based on our research, the Fudruckers breach in 2002 may have been the first reported PoS malware-related breach. Also, out of all of the breaches we observed, the only businesses that went out of business as a direct result of a PoS malware infection were two Spicy Pickle restaurants in Kalamazoo, MI. (Readers, please correct us if we’re wrong…)

You can view the full timeline by clicking on the timeline image below:
Screenshot 2014-09-30 08.32.26
This is not the complete list of PoS breaches to date. According to the 2014 Verizon Data Breach Investigations Report (DBIR), 198 total incidents were reported related to PoS intrusions. Unfortunately for us, Verizon doesn’t name victims in the report nor do they divulge client-specific information on any breaches handled by any of the DBIR contributors.

The DBIR team did, however, report that RAM scrapers have passed keyloggers as the most common malware associated with POS intrusions and that compromises take seconds or minutes (87 percent combined) to happen in POS attacks – with exfiltration happening within minutes of a compromise in 88 percent of breaches. Attackers, meanwhile, have free reign for weeks, in 85 percent of breaches before they are discovered.

Verizon also said that “Regardless of how large the victim organization was or which methods were used to steal payment card information, there is another commonality shared in 99% of the cases: someone else told the victim they had suffered a breach.”

We plan on treating this breach timeline as a living document. As such, if you have any additions or corrections, please let us know ASAP and we’ll update the data. Also, if you think a breach-to-variant comparison for the malware employed in each case would be of value, please drop us a line.

Photo Credit: gruntzooki via Compfight cc

The post Point of Sale Breach Timeline appeared first on OpenDNS Security Labs.


As a follow up to our previous post, the agenda for the S4 Incident Responder and Researcher Conference, being held at OpenDNS HQ on September 18th, 2014, is now finalized.

Training Sessions


Time Title Presenter
8:00 Breakfast and coffee (first talk 9AM SHARP!) n/a
9:00 – 11:00 Malware Analysis for Incident Responders Lenny ZeltserThe SANS Institute
11:00 – 13:00 Using Bro* Anthony KaszaOpenDNS
13:00 – 15:00 Using Moloch Scott Floyd, Salesforce
15:00 – 17:00 IR 2.0 : Elastic Search, Logstash, Kibana (ELK) The folks at Elastic Search


Note: Lunch will be provided and available during the Bro session.


Evening Talks


Time Title Presenter
17:00 – 17:20 Measuring the IQ of your Threat Intelligence Feeds Alex PintoMLSec Project
17:30 – 17:50 FastResponder: New Open Source weapon to detect and understand a large scale compromise Sébastien LarinierGuillaume Arcas, and Olivier Zheng, Sekoia
18:00 – 18:20 Threat intelligence for Incident Responders Sam LilesCyberforensics Laboratory at Purdue
18:30 – 18:50 Building Your Own DFIR Sidekick Scott J RobertsGitHub
19:00 – 19:20 GRR and Rekall: State of the Union Elizabeth Schweinsberg and Kristinn Gudjonsson, Google
19:30 – 22:00 Networking, drinks, and conversation n/a


S4 Incident Responder and Researcher Conference Details


Who: Incident Responders, Security Researchers, Security Analysts
What: S4 (San Francisco Security Series): Incident Responder and Researcher Conference
When: September 18, 2014 (registration starts at 8:30 AM. First training at 9:00AM)
Where: OpenDNS HQ, 135 Bluxome St., San Francisco, CA 94107
Price: Free
Food and Drinks: Provided
Free and reliable WiFi: Provided
Event Hashtag: #s4con
OpenDNS Twitter Account: twitter.com/OpenDNS


Please reserve soon as space is limited. Again, the registration link can be found here: https://irespond.eventbrite.com.

We look forward to seeing you!

The post S4 Incident Responder and Researcher Conference: Agenda appeared first on OpenDNS Security Labs.

github-8-xxlEvery now and then I star a Git repo that looks interesting, has a tool I want to try later, or is something immediately useful. Most times, however, I tend to star them and forget about them. In reviewing some of my more recent ‘stars’, I thought it might be useful to share them with my readers.

q is a command line tool that allows direct execution of SQL-like queries on CSVs/TSVs (and any other tabular text files). q treats ordinary files as database tables, and supports all SQL constructs, such as WHERE, GROUP BY, JOINs etc. It supports automatic column name and column type detection, and provides full support for multiple encodings.

A dumb set of scripts for building a cuckoo rig

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

Inspiration came from Tim Tomes’s PeepingTom Script. I just wanted to change some things, and then it became a thought exercise to write it myself.

EyeWitness is designed to run on Kali Linux. It will auto detect the file you give it with the -f flag as either being a text file with URLs on each new line, nmap xml output, or nessus xml output. The -t (timeout) flag is completely optional, and lets you provide the max time to wait when trying to render and screenshot a web page. The –open flag, which is optional, will open the URL in a new tab within iceweasel.

An Open Source Big Data Security Analytics tool that analyses pcap files using Apache Pig.

This tool is an open-source Flash-security helper with a very specific purpose: Find the flashVars of a naked SWF and display them, so a security tester can start hacking away without decompiling the code.

Flashbang is built upon Mozilla’s Shumway project. It runs in the browser but has a bunch of requirements to work properly.

A tool to retrieve malware directly from the source for security researchers.

PEframe is a open source tool to perform static analysis on (Portable Executable) malware. It’s released under GPL v2. JSON output and SQlite database support are been introduced since version 4.0.

Shell script to create spark lines in your shell – e.g. ▁▂▃▅▇

Combine gathers OSINT Threat Intelligence Feeds

Threat Intelligence Quotient Test – Code and data repository for the statistical analysis of TI feeds

AIL is a modular framework to analyze potential information leak from unstructured data source like pastes from Pastebin or similar services. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.