Friday 29 March 2024
 
»
 
»
MALWARE ATTACK

Retailers warned on major credit card fraud

Washington, January 24, 2014

The FBI has warned US retailers to prepare for more cyber attacks after discovering about 20 hacking cases in the past year that involved the same kind of malicious software used against Target Corp in the holiday shopping season.

The US Federal Bureau of Investigation distributed a confidential, three-page report to retail companies last week describing the risks posed by "memory-parsing" malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines found in store checkout aisles.

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI report, seen by Reuters.

"The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the US make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.

The report was dated January 17 and entitled "Recent Cyber Intrusion Events Directed Toward Retail Firms." A spokeswoman for the FBI confirmed the agency had issued the report as part of efforts to share information about threats with the private sector.

Retail, credit card and bank industry executives have become increasingly concerned about the security of payment card networks after Target, the No. 3 US retailer, last month disclosed one of the biggest retail cyber attacks in history.

The attack ran undetected for 19 days during the busy holiday shopping season and resulted in the theft of about 40 million credit and debit card records. The personal information of 70 million customers was also compromised.

Luxury retail chain Neiman Marcus has said it too was the victim of a cyber attack, and sources have told Reuters that other retail chains have also been breached. Neiman Marcus said about 1.1 million customer cards were exposed by a data breach from July 16 to October 30 last year.

In all these attacks, cyber criminals used memory-parsing software, also known as a "RAM scraper." When a customer swipes a credit or debit card, the POS terminal grabs the transaction data from the magnetic stripe and transfers it to the retailer's payment processing provider. While the data is encrypted during the process, RAM scrapers extract the information while it is in the computer's live memory, where it very briefly appears in plain text.

RAM scraping technology has been around for a long time, but its use has increased in recent years. Developers of the malware have also enhanced its features to make it more difficult to be detected by anti-virus software deployed on POS systems running Windows software.

The FBI said in its report that one variant of the malicious POS software, known as Alina, included an option that allowed remote upgrades, making it tougher for corporate security teams to identify and eradicate it. The report said at least one type of malware has been offered for sale for as much as $6,000 in a "well-known" underground forum.

"The high dollar value gained from some of these compromises can encourage intruders to develop high sophistication methodologies, as well as incorporate mechanisms for the actors to remain undetected," the report said.

One cyber security consultant who has reviewed the FBI report, said the findings were troubling.

"Everybody we work with in the retail space is scared to death because they don't have a lot of defenses to prepare against these types of attacks," said the consultant, who is advising several retailers in current investigations. - Reuters
 




Tags: credit card | Fraud | Retailers |

calendarCalendar of Events

Ads