Are Sally Beauty, Harbortouch Breaches Linked?Weighing Theories About Latest Apparent Intrusion
It's unlikely that the same hackers that hit Sally Beauty Supply in 2014 struck the retailer a second time this year, several threat intelligence experts now say.
Earlier, other experts had theorized that a suspected second attack at the retailer could be a sign that the company did not fully eradicate malware linked to its first attack or that the same hackers took advantage of an undiscovered "backdoor" they installed (see: New Sally Beauty Breach: Old Intrusion?).
While the 2014 malware attack against Sally Beauty was suspected by many observers to be a network intrusion, similar to the one that struck Target Corp., this most recent apparent intrusion is more likely linked to a point-of-sale vendor vulnerability related to remote access malware, several observers say. So, if the "unusual" card activity that the retailer described in a May 4 statement turns out to be the result of a second breach, then it's probably the work of a whole new set of actors than those responsible for the retailer's 2014 breach, they say.
The same type of remote-access malware that apparently recently infected POS vendor Harbortouch Payments may have infected Sally Beauty, based on the timing of the incidents and other undisclosed factors, says one threat researcher who has direct knowledge about the Harbortouch breach and the 2014 Sally breach, but asked not to be named.
John Buzzard, who heads FICO's Card Alert Service, says a link between Sally Beauty and the Harbortouch malware is "plausible," although he initially speculated the apparent second breach at Sally Beauty could be connected to the 2014 attack. "I feel as if there are one or two major hacker organizations out there pounding away at vulnerable merchants," he says.
In April, Harbortouch announced that malware installed on POS systems it supplies had impacted a small percentage of its merchant customers.
"The advanced malware was designed to avoid detection by the anti-virus program running on the POS system," the company told Information Security Media Group on April 22. "Within hours of detecting the incident, Harbortouch identified and removed the malware from affected systems."
Sally Beauty is not a customer of Harbortouch, "nor is there any connection between Harbortouch and Sally Beauty," Harbortouch spokesman Nate Hirshberg tells ISMG.
A spokesperson for Sally Beauty declined to comment about a possible breach connection to Harbortouch, saying the company would not comment on speculation.
But the unnamed threat researcher says the sophisticated malware used in the Harbortouch malware, which is designed to evade detection, likely was also used in the apparent second attack against Sally Beauty.
Jerome Segura, a senior security researcher at malware-detection firm Malwarebytes, says that while he does not have any direct knowledge about the Harbortouch breach or the apparent second Sally Beauty breach, it appears both could involve remote access malware known as Backoff.
Backoff is random-access-memory [RAM] scraping malware used to steal credit and debit card data. It's been linked to numerous remote-access attacks on POS systems, especially those used by smaller U.S. merchants. In a typical attack, hackers exploit remote-access vulnerabilities on POS systems to install the malware and exfiltrate data.
In August 2014, the Department of Homeland Security issued an alert about Backoff, warning that commonly used remote desktop applications, such as Apple Remote Desktop, Chrome Remote Desktop, LogMeIn, Join.me, Microsoft's Remote Desktop, Pulseway and Splashtop 2, may have been compromised by attackers (see 1,000 Businesses Hit By POS Malware).
"I found an interesting blog post from Harbortouch that got me thinking about the possibility that the Sally breach is related to the Harbortouch compromise," Segura says. In the blog posted in June 2014, Harbortouch warned its merchant clients to "limit any remote access into POS systems by third-party management vendors to reduce this risk."
"Remote access to POS is definitely a big issue, and previous breaches have shown that weak passwords or infected PCs used to remote login were the cause of the problem," he says. "In that regard, third-party management vendors are yet another element in the chain of trust that could get exploited and become a security risk."
In recent months, other POS devices have apparently proven vulnerable to remote-access attacks.
In late April, Compass Group, a Charlotte, N.C.-based food service organization, announced that malware had infected self-service payment kiosk provided by POS vendor NEXTEP to a limited number of its on-site dining locations. Just one month earlier, in March, another NEXTEP customer, the Missouri-based restaurant chain Zoup, announced that it had found and removed malware from its NEXTEP POS systems (see POS Vendor Investigates Breach).
While neither Compass nor Zoup noted how their POS devices were accessed, Al Pascual, director of fraud and security at Javelin Strategy & Research, says it's likely remote-access malware was to blame.
"This is more of the same - cybercriminals are testing every stakeholder in the payments ecosystem for vulnerabilities, and POS systems are a critical chokepoint for payment data that will continue to be exploited," he says. "I can't say specifically how this happened, though poor remote access authentication is the most likely suspect."