The U.S. Federal Bureau of Investigation distributed a confidential,
three-page report to retail companies last week describing the risks
posed by "memory-parsing" malware that infects point-of-sale (POS)
systems, which include cash registers and credit-card swiping
machines found in store checkout aisles.
"We believe POS malware crime will continue to grow over the near
term, despite law enforcement and security firms' actions to
mitigate it," said the FBI report, seen by Reuters.
"The accessibility of the malware on underground forums, the
affordability of the software and the huge potential profits to be
made from retail POS systems in the United States make this type of
financially motivated cyber crime attractive to a wide range of
actors," the FBI said.
The report was dated January 17 and entitled "Recent Cyber Intrusion
Events Directed Toward Retail Firms." A spokeswoman for the FBI
confirmed the agency had issued the report as part of efforts to
share information about threats with the private sector.
Retail, credit card and bank industry executives have become
increasingly concerned about the security of payment card networks
after Target, the No. 3 U.S. retailer, last month disclosed one of
the biggest retail cyber attacks in history.
The attack ran undetected for 19 days during the busy holiday
shopping season and resulted in the theft of about 40 million credit
and debit card records. The personal information of 70 million
customers was also compromised.
Luxury retail chain Neiman Marcus has said it too was the victim of
a cyber attack, and sources have told Reuters that other retail
chains have also been breached. Neiman Marcus said about 1.1 million
customer cards were exposed by a data breach from July 16 to October
30 last year.
In all these attacks, cyber criminals used memory-parsing software,
also known as a "RAM scraper." When a customer swipes a credit or
debit card, the POS terminal grabs the transaction data from the
magnetic stripe and transfers it to the retailer's payment
processing provider. While the data is encrypted during the process,
RAM scrapers extract the information while it is in the computer's
live memory, where it very briefly appears in plain text.
RAM scraping technology has been around for a long time, but its use
has increased in recent years. Developers of the malware have also
enhanced its features to make it more difficult to be detected by
anti-virus software deployed on POS systems running Windows
MALWARE ON SALE UNDERGROUND
The FBI said in its report that one variant of the malicious POS
software, known as Alina, included an option that allowed remote
upgrades, making it tougher for corporate security teams to identify
and eradicate it. The report said at least one type of malware has
been offered for sale for as much as $6,000 in a "well-known"
[to top of second column]
"The high dollar value gained from some of these compromises can
encourage intruders to develop high sophistication methodologies, as
well as incorporate mechanisms for the actors to remain undetected,"
the report said.
Asked to comment on the FBI warning, the National Retail Federation
industry trade group said retailers are alert to cyber risks.
"Retailers have been and remain vigilant in their efforts to provide
the highest level of security for their data systems in order to
protect against malicious and criminal acts," NRF Vice President Tom
Litchford said in a statement.
"As the criminal investigation continues and more information
becomes available, you can be sure that the retail industry will be
responsive and engaged to ensure this particular cyber-attack does
not happen again."
One cyber security consultant who has reviewed the FBI report, said
the findings were troubling.
"Everybody we work with in the retail space is scared to death
because they don't have a lot of defenses to prepare against these
types of attacks," said the consultant, who is advising several
retailers in current investigations.
"This is not just based on anybody saying 'This is going to happen.'
This is based on statistical data that the FBI is seeing," said the
consultant, who was not authorized to publicly comment on the
details of the report.
Retailers need to move quickly to get better tools in their networks
that can analyze traffic patterns on the fly and identify any
unusual activity, said another expert in retail security, who has
audited POS systems to find vulnerabilities that hackers can
The expert said it is more difficult for small-to-mid sized
retailers to do this because they do not have as much money and
expertise as major retailers.
The FBI report said the bulk of the POS malware cases that the
agency has investigated involve small-to-mid sized local or regional
businesses, whose estimated losses each range from tens of thousands
of dollars to millions of dollars.
The United States Secret Service usually takes the lead in credit
card breach investigations for the federal government, though the
FBI sometimes opens its own cases or asked to assist. The Secret
Service is leading the investigations into the breaches at Target
and Neiman Marcus.
A spokesman for the Secret Service declined to comment on the FBI
report to retailers.
(Reporting by Jim Finkle and Mark
Hosenball; editing by Tiffany Wu and Grant McCool)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.