6 More Retailers Breached?

Card Issuers Take Steps to Help Prevent Fraud

Evidence is mounting that the malware attacks reported by Target Corp. and Neiman Marcus are part of a wider assault against U.S. retailers.

Andrew Komarov, CEO of the cybercrime intelligence firm IntelCrawler, says the malware strain known as BlackPOS behind the Target attack and likely the Neiman Marcus attack has been linked to at least six other retailers.

In a Jan. 17 blog, IntelCrawler claims that BlackPOS had been traced back to a 17-year-old coder in Russia. According to the firm's research, this retail malware strain was first released in March 2013.

"Most of the victims are department stores," Komarov writes in the Jan. 17 blog. "More BlackPOS infections, as well as new breaches, can appear very soon; retailers and security community should be prepared for them."

The names of the targets were not revealed, but the IP addresses affected are based in Arizona, California, Colorado and New York, he says.

Security blogger Brian Krebs, who was first to break the news of the Target breach in mid-December, also noted last week that BlackPOS is the strain that likely infected Target's point-of-sale network and subsequently exposed 40 million U.S. credit and debit cards and personal information about 70 million Target customers. Krebs, however, has questioned whether IntelCrawler is right about a 17-year-old being behind the development of BlackPOS.

In tweets posted Jan. 19 and Jan. 20, Krebs claims media reports were too quick to pick up and run with IntelCrawler's claims.

But Komarov says IntelCrawler is standing by its research.

Banking institutions can't control or predict these new strains of malware, but they are working to identify points of compromise sooner, through enhanced fraud detection and account monitoring. Many issuers also say it's less costly for institutions, long-term, to reissue cards that have been linked to a retail attack, versus waiting for signs of fraud to emerge.

And this exercise could be an ongoing trend, fraud experts predict, as more breaches linked to malware, such as BlackPOS, take aim at the retail and hospitality industries.
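The "point of compromise" work the issuers describe is usually a common-point-of-purchase analysis: take the cards on which fraud has been confirmed, look back over their transaction histories, and find the merchant they share that ordinary cards do not share to the same degree. The following is an added illustration, not code from the article or from any issuer; the transactions, card ids, merchant ids and exposure window are all constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): (card_id, merchant_id, date).
TRANSACTIONS = [
    ("c1", "GROCER", date(2013, 11, 20)), ("c1", "DEPT-STORE", date(2013, 11, 29)),
    ("c2", "GROCER", date(2013, 11, 21)), ("c2", "DEPT-STORE", date(2013, 12, 2)),
    ("c3", "DEPT-STORE", date(2013, 12, 10)), ("c3", "GAS", date(2013, 12, 11)),
    ("c4", "DEPT-STORE", date(2013, 12, 14)), ("c4", "GROCER", date(2013, 12, 15)),
    ("c5", "GROCER", date(2013, 11, 25)), ("c5", "GAS", date(2013, 12, 1)),
    ("c6", "GROCER", date(2013, 12, 3)),
    ("c7", "GROCER", date(2013, 12, 5)), ("c7", "GAS", date(2013, 12, 6)),
    ("c8", "DEPT-STORE", date(2013, 10, 1)),  # before the window: must not count
]
# Cards on which the issuer has since confirmed counterfeit-card fraud (constructed).
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}
# Hypothetical suspected exposure window, inclusive.
WINDOW = (date(2013, 11, 15), date(2013, 12, 15))


def merchants_per_card(transactions, cards, start, end):
    """Map each card in `cards` to the set of merchants it used in [start, end]."""
    seen = defaultdict(set)
    for card, merchant, day in transactions:
        if card in cards and start <= day <= end:
            seen[card].add(merchant)
    return seen


def common_point_of_purchase(transactions, fraud_cards, start, end):
    """Rank merchants by the share of fraud cards that used them in the window.
    Lift = fraud share / share among all cards, so a merchant almost every
    cardholder visits (GROCER here) is not mistaken for the breached one.
    Returns (merchant, fraud_share, lift) tuples, most suspicious first."""
    all_cards = {card for card, _, _ in transactions}
    fraud_seen = merchants_per_card(transactions, fraud_cards, start, end)
    all_seen = merchants_per_card(transactions, all_cards, start, end)
    ranked = []
    for merchant in {m for s in all_seen.values() for m in s}:
        fraud_share = sum(merchant in s for s in fraud_seen.values()) / len(fraud_cards)
        base_share = sum(merchant in s for s in all_seen.values()) / len(all_cards)
        lift = fraud_share / base_share if base_share else 0.0
        ranked.append((merchant, round(fraud_share, 2), round(lift, 2)))
    ranked.sort(key=lambda r: (-r[1], -r[2]))
    return ranked


if __name__ == "__main__":
    for merchant, share, lift in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS, *WINDOW):
        print(f"{merchant:<12} fraud-card share={share:.2f} lift={lift:.2f}")
```

On this data every fraud card passed through DEPT-STORE while only half of all cards did (lift 2.0), whereas GROCER is used by three of four fraud cards but by the same proportion of all cards (lift 1.0), which is what lets an issuer decide which merchant's cards to reissue before fraud reports pile up.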

BlackPOS Not New

Threats linked to BlackPOS are not new. Komarov in July 2013 speculated that BlackPOS or a similar variant was the malware behind the POS breach of Honolulu-based upscale restaurant chain Roy's.

The next month, during an interview with BankInfoSecurity, Komarov said nearly 30 command-and-control centers around the world had been infected with BlackPOS and similar retail malware strains, such as Dexter and Alina.

"It seems to be Ukrainian authors who are responsible for it," he noted during that interview.

Now Komarov tells BankInfoSecurity that another retail malware strain known as Decebal also has been linked to coders in Romania. In many ways, this emerging strain is even more dangerous, he says.

"The Decebal malware uses Windows Management Interface [WMI] in order to perform some antivirus bypass techniques and system information collection," IntelCrawler notes in a Jan. 16 blog. "The functional code is less than 400 lines of code, which shows the evolution of point-of-sale malware. Past incidents in retailers, such as Target and Neiman Marcus, show that this niche has become one of the most attractive for modern cyber-criminals. The compact code allows for the securing of credit cards at the point of sale."

On Jan. 16, the Wall Street Journal reported that parts of the malicious code used in the Target hit were written in Russian.