More than 1,000 U.S. retailers could be infected with malicious software lurking in their cash-register computers, allowing hackers to steal customers’ financial data, the Homeland Security Department said Friday.
The government urged businesses of all sizes to scan their point-of-sale systems for software known as “Backoff,” discovered last October. It had previously explained in detail how the software operates and how retailers can find and remove it.
Earlier this month, United Parcel Service said it found infected computers in 51 stores. UPS said it was not aware of any fraud that resulted from the infection, but said hackers may have taken customers’ names, addresses, email addresses and payment-card information.
The company apologized to customers and offered free identity-protection and credit-monitoring services to those who had shopped in those 51 stores.
Backoff was discovered in October, but according to the Homeland Security Department, the software wasn’t flagged by antivirus programs until this month.
Jerome Segura, a senior security researcher at cybersecurity-software firm Malware Bytes, said that the way that Backoff works is not unique. The program gains access to companies’ computers by finding insufficiently protected remote access points and duping computer users to download malware, tricks that have long been in use and are often automated.
What has changed, Segura said, is that the hackers deploying it have become increasingly sophisticated about identifying high-value computer systems after they’ve broken into them.
“Once the bad guys realized they were able to penetrate larger networks, they saw the opportunity to develop malware that’s specifically for credit cards and can evade antivirus programs,” he said.
By using Backoff selectively, rather than distributing it widely on the internet, the hackers likely managed to escape detection for longer. Following Homeland Security’s warnings in July, however, companies are much better able to probe their own computers for Backoff.
The battle between retailers and hackers is an ongoing one. Retail giant Target, based in Minneapolis, was targeted by hackers last year and disclosed in December that a data breach compromised 40 million credit- and debit-card accounts between Nov. 27 and Dec. 15. On Jan. 10, it said hackers stole personal information – including names, phone numbers and email and mailing addresses – from as many as 70 million customers.
Target, the third-largest retailer, has been overhauling its security department and systems in the wake of the data breach that occurred at the end of 2013, which hurt profits, sales and its reputation among shoppers worried about the security of their personal data. Target is now accelerating its $100 million plan to roll out chip-based credit-card technology in all of its nearly 1,800 stores.
So-called chip-and-pin technology would allow for more-secure transactions than the magnetic-strip cards that most Americans use now. The technology has already been adopted in Europe and elsewhere.
Though improving card technology and updating malware detection would help retailers defend themselves, Segura said that the recent profusion of computer breaches should make companies think harder about how they use remote-access systems for employees and vendors. By limiting what portions of their systems can be accessed remotely, he said, companies can limit the damage that hackers can do.
“This past year-and-a-half has been breach after breach,” he said. “It’s incredible.”