Retailer attacks a part of broad effort, firm says

Sophisticated hacking software worries analysts

Hacking attacks like those that siphoned credit-card data from Target Corp. and Neiman Marcus Group Ltd. are thought to be part of an unprecedented assault on a growing number of retailers, according to a security company working with the government.

The cyberattacks on retailers may involve multiple groups of hackers who appear to be working from a sophisticated piece of software code that began circulating on underground websites last June, iSIGHT Partners, a Dallas-based security company that tracks cybercriminals, wrote in a report.

The report doesn’t say whether the software, dubbed Kaptoxa, was used in the theft of as many as 40 million customer credit- and debit-card accounts from Target. However, a person briefed on the investigation, who asked not to be identified because the matter is confidential, said Kaptoxa is the same software that infected Target. Molly Snyder, a spokesman for Target, declined to comment.

“We haven’t seen the last of this,” said iSIGHT Chief Executive Officer John Watters. “Now it’s a race to the bank with the criminals rushing to hijack the data and convert it into criminal gain before the door to profitability is closed.”

According to the iSIGHT report, the scale and sophistication of the campaign against retailers’ point-of-sale systems - the terminals on which customers swipe credit and debit cards - may be the largest ever seen, escaping elaborate industry efforts to secure a system that processes more than $3.3 trillion in U.S. transactions annually.

Target, the second-largest U.S. discount chain, has said the theft of customer data may have affected anyone who provided basic information during the past several years. In December, the company said credit- and debit-card data for as many as 40 million people who shopped in its stores between Nov. 27 and Dec. 15 may have been compromised. Earlier this month, the company said the thieves also acquired access to the names, phone numbers, and home and email addresses of as many as 70 million people.

Target hasn’t disclosed details about how its point-of-sale system was breached.

Earlier this month, Neiman Marcus said some unauthorized purchases may have been made with customer cards, without disclosing the scope of the breach. Credit-card processors alerted the Dallas-based luxury chain to the incursion in mid-December, and the company is working with federal authorities and investigating the matter, according to a statement.

Neiman Marcus and Target are being investigated by Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan about the theft of customer credit-card data.

Within a week of Target’s disclosure about the breach, it was facing almost two dozen lawsuits filed by customers. It also has been sued by Putnam, Conn.-based Putnam Bank about claims the security breakdown cost it money because it forced the bank to issue customer alerts and new cards while reimbursing account holders for their own losses.

The two breaches complicate matters for retailers already struggling to attract shoppers and cutting forecasts after engaging in a margin-eating price war.

Other states involved in the Target probe include Florida, Iowa, Massachusetts and Pennsylvania, spokesmen for those states’ attorneys general have said.

David Robertson, publisher of The Nilson Report, an industry newsletter, estimated that the value of Visa, MasterCard, American Express and Discover card payments topped $4 trillion in 2013, up more than 8 percent from 2012. He projected that the value will top $5 trillion by 2015.

When the Kaptoxa malware was first analyzed by federal investigators in December, it hadn’t been detected by any of the more than two-dozen antivirus systems that are meant to protect computers from infection, according to the iSIGHT report.

A nonpublic report issued by the U.S. Department of Homeland Security and written with iSIGHT’s help will be shared at some point with retailers and industry associations, according to Department of Homeland Security spokesman S.Y. Lee. That report outlines technical details of the malware and other aspects of the attack, according to iSIGHT.

According to the iSIGHT analysis, the software infects point-of-sale terminals, sends out the stolen information, then covers its tracks by automatically deleting those files.

The difficulty of detecting and tracing the attacks is what makes them so dangerous and has allowed hackers to breach multiple retailers during the past several months, according to the report.

The malicious software, named for a Russian word that appears several times in the code, was sold in black-market Web forums starting last summer and was customized by hackers to fit specific victims, making attacks more effective, iSIGHT’s Watters said.

The attacks show how cybercriminals are outpacing the ability of companies to respond, Watters said.

Information for this article was contributed by Cotten Timberlake and Renee Dudley of Bloomberg News.

Business, Pages 19 on 01/20/2014
