More than 1,000 US businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu, and most recently UPS Stores.
The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from US consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.
On July 31, Homeland Security, along with the Secret Service, the National Cybersecurity and Communications Integration Center, and their partners in the security industry, warned companies to check their in-store cash register systems for malware, which security experts dubbed “Backoff” after a word that appeared in its code. Until that point, Backoff malware and variations of it were undetectable by antivirus products.
Since then, seven companies that sell and manage in-store cash register systems confirmed to government officials that they each have had multiple clients affected. Some, like UPS and Supervalu, have stepped forward, but the vast majority have not.
Altogether, the Secret Service estimates that more than 1,000 US businesses have been affected.
According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities — a vendor with remote access to a company’s systems or employees with the ability to work remotely — and then deploying computers to guess usernames and passwords at high speed until they hit the right combination.
The hackers use those footholds to crawl through corporate networks until they gain access to the cash register systems. From there, criminals are scraping payment card data off the cash register systems and sending it back, through various hop points, to their servers abroad.
Millions of American consumers’ payment card details are being sold on the black market, many of them from US companies that do not know their systems have been breached.
Unless companies search for Backoff on their systems, it can be difficult to identify. The agency recommends companies contact their service providers, antivirus vendors, and cash register system vendor to assess whether they’ve been compromised or are vulnerable to attack.
The Secret Service and Homeland Security recommended in a July 31 advisory that companies limit the number of vendors with access to their internal network; require long, complex passwords that cannot easily be cracked by a computer; and lock employees and vendors out of their accounts after multiple login requests.
The agencies recommended that companies segregate crucial systems, like cash registers, from corporate networks and install so-called two-factor authentication, which is a method that forces employees to enter a second, one-time password in addition to their usual credentials.