U.S. Finds ‘Backoff’ Hacker Tool Is Widespread

Photo caption: In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target. Credit: Joe Raedle/Getty Images

More than 1,000 American businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu and most recently UPS Stores, the Department of Homeland Security said in an advisory released on Friday.

The attacks were much more pervasive than previously reported, the advisory said, and hackers were pilfering the data of millions of payment cards from American consumers without companies knowing about it. The breadth of the breaches, once considered limited to a handful of businesses, underscored the vulnerability of payment systems widely used by retail stores across the country.

On July 31, Homeland Security, along with the Secret Service, the National Cybersecurity and Communications Integration Center and their partners in the security industry, warned companies to check their in-store cash register systems for a malware family that security experts call Backoff, after a word that appeared in its code. Until that point, Backoff and its variants had gone largely undetected by antivirus products.

Since then, seven companies that sell and manage in-store cash register systems have confirmed to government officials that they each had multiple clients affected, the government said Friday. Some of those clients, like UPS and Supervalu, have stepped forward, but most have not.

In all, the Secret Service estimated that more than 1,000 American businesses had been affected.

According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities, such as a vendor with remote access to a company’s systems or employees with the ability to work remotely, and then using computers to guess user names and passwords at high speed until they find a working combination, a technique known as a brute-force attack.

The hackers use those footholds to move through corporate networks until they reach the in-store cash register systems. From there, the malware collects payment card data from the cash registers, typically by scraping it from the registers’ memory as cards are swiped, and sends it back to servers abroad.

Last year, in the largest known breach against a retailer’s payment system, hackers invaded Target for weeks without being detected. The hackers’ malware stole customers’ data directly off the magnetic stripes of credit and debit cards used by tens of millions of shoppers. Gregg Steinhafel, Target’s chief executive, and Beth M. Jacob, the company’s chief information officer, stepped down from their positions, largely because of the breach.

The Target breach exposed the weaknesses of the magnetic stripe on credit cards. Since then, banks and card companies have taken a renewed interest in a chip-based smart card standard known as E.M.V., short for Europay, MasterCard and Visa, the technology’s first backers. The card networks have set an October 2015 deadline after which liability for counterfeit-card fraud shifts to American retailers that have not upgraded their payment terminals.

“The weakness is the magnetic stripe,” said Avivah Litan, a security analyst for Gartner Research. “I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It’s an antiquated technology from the ’60s.”

E.M.V. cards are far harder to counterfeit than magnetic stripe cards, because the chip authenticates each transaction with a one-time code rather than static data that can simply be copied. Chip cards do not, however, stop malware on a compromised register from capturing card numbers, which is why the encryption measures described below also matter. Even so, analysts say they believe that most retailers will not meet the October 2015 deadline because of the cost to upgrade their terminals, from $500 to $1,000 per terminal, according to Javelin Strategy & Research.

With cash register malware rampant, however, they may have no choice.

Millions of American consumers’ payment card details are being sold on the black market, many of them taken from American companies that do not know their systems have been breached.

Backoff is difficult to identify unless companies actively search their systems for it. The Homeland Security report released on Friday recommends that companies contact their service providers, antivirus vendors and cash register system vendors to determine whether they have been compromised or are vulnerable to attack.

In their July advisory, the Secret Service and Homeland Security recommended that companies limit the number of vendors with access to their internal network; require long, complex passwords that cannot easily be guessed by a computer; and lock employees and vendors out of their accounts after a set number of failed login attempts.

The agencies also recommended that companies segregate crucial systems, like their cash registers, from corporate networks and install two-factor authentication, which requires employees to enter a second, one-time code in addition to their usual credentials.

They also suggested that companies encrypt customers’ data from the moment their cards are swiped in the store, log all network activity and deploy security software that can alert technicians to unusual activity, like a cash register in a UPS Store in Tennessee communicating with a server in Russia.
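The following is an added example, not part of the article or of the government advisory, showing what two of the recommended controls look like when run over logs: detecting the brute-force pattern described above (many failed remote-access logins from one source followed by a success), replaying the same log under an account-lockout policy, and flagging a cash register that talks to a destination outside its allowlist. The log formats, IP ranges, account names and thresholds are all constructed for illustration.

```python
"""Added example: brute-force detection, lockout replay and POS egress
monitoring over constructed (not real) log lines. Formats, addresses and
thresholds are assumptions for illustration."""
import ipaddress
import re
from collections import defaultdict

# --- Constructed sample data (not real logs) ---------------------------------
# Remote-access authentication log, one event per line (format assumed).
AUTH_LOG = """\
2014-08-22T01:00:01 auth FAIL    user=vendor_svc src=198.51.100.7
2014-08-22T01:00:02 auth FAIL    user=vendor_svc src=198.51.100.7
2014-08-22T01:00:02 auth FAIL    user=vendor_svc src=198.51.100.7
2014-08-22T01:00:03 auth FAIL    user=vendor_svc src=198.51.100.7
2014-08-22T01:00:03 auth FAIL    user=vendor_svc src=198.51.100.7
2014-08-22T01:00:04 auth SUCCESS user=vendor_svc src=198.51.100.7
2014-08-22T08:15:10 auth FAIL    user=jdoe       src=192.0.2.44
2014-08-22T08:15:31 auth SUCCESS user=jdoe       src=192.0.2.44
"""

# Network flow records from the store network (format assumed).
FLOW_LOG = """\
2014-08-22T12:00:00 flow src=10.20.0.11 dst=203.0.113.10 dport=443
2014-08-22T12:00:05 flow src=10.20.0.11 dst=10.0.5.20 dport=8443
2014-08-22T12:00:09 flow src=10.20.0.12 dst=198.51.100.200 dport=80
2014-08-22T12:00:14 flow src=10.30.0.5 dst=198.51.100.200 dport=80
"""

AUTH_RE = re.compile(r"^(\S+) auth (FAIL|SUCCESS)\s+user=(\S+)\s+src=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) flow src=(\S+) dst=(\S+) dport=(\d+)$")

# Cash-register segment and the only destinations it should ever reach:
# the payment processor and an internal store-controller host (assumed).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
POS_EGRESS_ALLOWLIST = {
    (ipaddress.ip_address("203.0.113.10"), 443),
    (ipaddress.ip_address("10.0.5.20"), 8443),
}


def parse_auth(log):
    """Return auth events as (timestamp, result, user, src) tuples."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def detect_brute_force(events, threshold=5):
    """Flag (src, user) pairs with >= threshold consecutive failures.
    Value is "succeeded" if a success followed the run, else "attempted"."""
    streak = defaultdict(int)
    findings = {}
    for _ts, result, user, src in events:
        key = (src, user)
        if result == "FAIL":
            streak[key] += 1
            if streak[key] >= threshold:
                findings.setdefault(key, "attempted")
        else:
            if streak[key] >= threshold:
                findings[key] = "succeeded"
            streak[key] = 0
    return findings


def simulate_lockout(events, max_failures=5):
    """Replay the log under the recommended lockout policy: after
    max_failures consecutive failures the account is locked and every later
    attempt is rejected. Returns the (ts, user, src) events that would have
    been blocked, including any login the attacker actually achieved."""
    failures = defaultdict(int)
    locked = set()
    blocked = []
    for ts, result, user, src in events:
        if user in locked:
            blocked.append((ts, user, src))
            continue
        if result == "FAIL":
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)
        else:
            failures[user] = 0
    return blocked


def detect_unexpected_egress(log):
    """Flag flows from the POS segment to any (dst, port) not on the
    allowlist. Geolocation is out of scope here; an allowlist catches a
    register talking to an unknown server anywhere, Russia included."""
    findings = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if src_ip in POS_SEGMENT and (dst_ip, port) not in POS_EGRESS_ALLOWLIST:
            findings.append((ts, src, dst, port))
    return findings


if __name__ == "__main__":
    auth = parse_auth(AUTH_LOG)
    for (src, user), status in detect_brute_force(auth).items():
        print(f"brute force {status}: user={user} src={src}")
    for ts, user, src in simulate_lockout(auth):
        print(f"lockout would have blocked {user} from {src} at {ts}")
    for ts, src, dst, port in detect_unexpected_egress(FLOW_LOG):
        print(f"unexpected egress from POS host {src} to {dst}:{port} at {ts}")
```

Run as written, the script reports that the vendor account was brute-forced successfully, that a five-attempt lockout would have rejected the attacker’s eventual login, and that one register reached a host outside its allowlist; the corporate host in the last flow record is deliberately not flagged, since this rule covers only the segregated cash register network.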

Mike Isaac contributed reporting.