Petronella Blog Archive

Visit our New Blog

Inside the Sally Beauty Hack

Blog Post

A few weeks ago, Sally Beauty Supply reported that they had had about 25,000 customer credit cards stolen from them, but the online black market that was selling them had 260,000, though that might be a conservative estimate, and listed them by zip code, indicating that all 2,600 locations had been hit.  That was the end of the story from Sally, but there's more to the story.

The first warnings of a breach came last year when SBS's security was tripped over malware being installed in their point-of-sale systems.  The malware program, designed to steal credit card information, was named to look like it was a legitimate piece of software in the system and even included a time and date stamp to match the file for the sake of consistency.

Hackers were able to access the system through a district manager's login to a remote access portal for traveling employees.  From there they were able to map out the entire network and got further usernames and passwords from Visual Basic scripts, used to automate tasks.  They were then able to use the credentials of a network admin to copy malware to every cash register in the company.  The stolen information was then encoded so it wouldn't look like credit card information then passed along in a way that wouldn't show up in logs.

Despite the craftiness of the hackers, their downfall came when part of the malware broke the Net Logon service, which is a part of Windows that verifies login requests for networks.  That error caused problems with the registers communications.  The malware could have stolen around a million credit cards given the number of transactions processed while it was active, but the Net Logon issue caused some formatting issues for the information that did go through to the thieves.

Based on domains to which the stolen credit card information was sent, it appears that the hackers were Ukrainian.  Other evidence points to it being the same hacker group that hit Target and Home Depot last year.