Heartland Sniffer Hid In Unallocated Portion Of Disk

"The sniffer malware that surreptitiously siphoned tons of payment
card data from card processor Heartland Payment Systems hid in an
unallocated portion of a server’s disk. The malware, which was
ultimately detected courtesy of a trail of temp files, was hidden so
well that it eluded two different teams of forensic investigators
brought in to find it after fraud alerts went off at both Visa and
MasterCard, according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Payment security experts pretty much agreed that hiding files in unallocated
disk space is a fairly well-known tactic. But it requires such a high
level of access—as well as the skill to manipulate the operating
system—that it also indicates a very sophisticated attack. One of those
security experts—who works for a very large U.S. retail chain and asked
to have her name withheld—speculated that the complex nature of the
hiding place, coupled with the relatively careless leaving of temp
files, could suggest a less-skilled cyberthief who simply obtained some
very powerful tools."

Read more: http://www.storefrontbacktalk.com/securityfraud/heartland-sniffer-hid-in-unallocated-portion-of-disk/