P.F. Chang's Breach: Link to Target?

Experts Debate Possible Connections in Apparent Cyber-Attack
P.F. Chang's Breach: Link to Target?

Restaurant chain P.F. Chang's China Bistro continues to investigate an apparent payments breach and subsequent payment card fraud. But several security experts and cyber-intelligence researchers say they believe the chain suffered a malware attack similar to those that compromised the point-of-sale networks of U.S. retailers Target Corp., Neiman Marcus and Sally Beauty Holdings Corp.. Other experts, however, say it's too soon to tell what the cause of the latest breach was, and whether it was linked to any previous breaches.

See Also: Gartner Market Guide for DFIR Retainer Services

But while the experts disagree about the details of this latest alleged breach, they agree it's time for retailers to tighten network security.

"It's really got the retail industry up in arms," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "CISOs are scared of getting fired, they are afraid of the consumer reaction and they're just trying to get handle on all of this."

The high-profile nature of the recent card compromises is putting more emphasis on retail network security, Litan adds.

"No one even depends on PCI compliance anymore for security," Litan says. "Everyone realizes it's not working. Retailers want card data out of their network, so these attacks really have promoted greater security. And I think you will see a lot of retailers moving to point-to-point encryption and tokenization as a result."

The Details So Far

P.F. Chang's says it's working with authorities to learn more about the nature of the apparent breach and subsequent fraud that has been reported at several of its locations nationwide (see P.F. Chang's Investigating Card Breach).

"P.F. Chang's is aware of a situation where stolen credit cards used at several of its restaurants experienced fraud on them," says Anne Deanovic, a spokeswoman for the company. "We will provide an update as soon as we have additional information."

Simon Eappariello, senior vice president at iboss Network Security, says it's too early to say with certainty what may have happened at P.F. Chang's. But based on the what's known so far, it appears that malware infected the chain's POS network in a way that resembles what has been seen in other retail attacks, he says.

"The fact that multiple locations are implicated would suggest that either a central point on the network was infiltrated and then used to exfiltrate data from a central database, or was used as an internal attack point to spread malware to POS equipment at the branch locations," Eappariello says. "It's also possible their network was compromised some time ago and then access to their network was sold on the digital underground market to someone looking to exploit this type of data - possibly even an insider targeted attack."

Litan says the apparent P.F. Chang's attack seems to be based on the same variations of BlackPOS malware used in many of the recent retail attacks reported over the last year.

She reaches that conclusion because the cards allegedly tied to P.F. Chang's apparently have cropped up for sale in the same underground forum where cards breached through Target and Sally were sold.

Card numbers connected to P.F. Chang's reportedly appeared this week in a black-market carding forum run by a hacker known as Rescator - where hackers also posted numbers linked to purchases at Target and Sally Beauty, according to security blogger Brian Krebs (see Sally Beauty Breach: Link to Target?).

Link to Target

Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., says he believes that the apparent P.F. Chang's attack is connected to the same group that hacked Target.

"You cannot underestimate the lateral movement of the hackers who infiltrated Target," he says. "If I was the cybercriminal, I would have laterally moved my footprint into the third-party trusted card processors' and managed service providers' systems as well, which would have allowed me to island-hop into P.F. Chang's."

Island hopping refers to hacking one network for the purpose of gaining access to a trusted, tethered network, usually of a third-party, Kellermann says.

In the Target breach, a refrigeration services vendor contracted by the retailer was compromised after credentials used to access some of its critical servers were stolen (see Target Vendor Acknowledges Breach).

The attackers apparently compromised the vendor's network and then used the vendor's connection to Target to breach the retailer's POS network.

Kellermann argues that the same type of lateral strategy may have been used to compromise P.F. Chang's.

"The level of sophistication demonstrated in the Target campaign should be appreciated," he says. "Not per the delivery vector, i.e., attacking the subcontractor; but the island hopping and elegant lateral movement."

But another cyber-intelligence researcher close to the Target investigation, who asked not to be named, says it's doubtful the alleged compromise of P.F. Chang's was a lateral attack. If the breach is confirmed, he says it will more likely be linked to a direct attack on P.F. Chang's network, rather than an indirect attack first waged against a vendor or other trusted third party.

More Attacks Expected

For months, researchers have been saying more attacks and card compromises are on the way. Andrew Komarov, CEO of cybercrime intelligence firm IntelCrawler, says news of the apparent P.F. Chang's breach just further supports that the U.S. payments infrastructure is vulnerable. Jumping to conclusions about links to Target and other retailers is counterproductive at this point, he argues.

Instead, what firms should be focused on now, Komarov says, is addressing some of the most basic security weaknesses that have allowed these types of compromises to occur in the first place.

"It is not so clear if Target and this case are linked, as the offline POS niche is very attractive for cybercriminals," he says. "We monitor infected POS terminals all over the world and can say that lots of individuals, and also experienced carding teams, are looking for insecure merchants," which have vulnerable remote-access portals.

Curt Wilson, senior research analyst at online security firm Arbor Networks, says a number of retailers will continue to be breached. "I think that far more POS systems are compromised than people suspect," he says.

It's a point echoed by Steve Hultquist, chief information officer of cyber analytics firm RedSeal Networks. "The more we read about possible breaches, the clearer it becomes: The complexity of modern networks makes the security of that network extremely challenging. You can't secure what you can't see, and since most organizations can't 'see' their network, securing it becomes an effort almost like chasing your tail."


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.