SAN FRANCISCO — The same tools that help millions of Americans work from home are being exploited by cybercriminals to break into the computer networks of retailers like Target and Neiman Marcus.
The Homeland Security Department warns that hackers are scanning corporate systems for remote access software — made by companies like Apple, Google, and Microsoft — that allows outside contractors and employees to tap into computer networks over the Internet.
When the hackers discover such software, they deploy high-speed programs that guess login credentials until they hit the right one, offering a hard-to-detect entry point into computer systems.
The report, which Homeland Security produced with the Secret Service, Trustwave SpiderLabs, an online security firm based in Chicago, and other industry partners, is expected to be released on Thursday. It provides insight into what retailers are up against as hackers find ways into computer networks without tripping security systems.
It is also a reminder that a typical network is more a sprawl of loosely connected computers than a walled fortress, providing plenty of vulnerabilities — and easily duped humans — for determined hackers.
Once inside the network, the hackers deploy malicious software called “Backoff” that is devised to steal payment card data off the memory of in-store cash register systems, the report says. After that information is captured, the hackers send it back to their computers and eventually sell it on the black market, where a single credit card number can go for $100.
In each case, criminals used computer connections that would normally be trusted to gain their initial foothold. In the Target breach, for example, hackers zeroed in on the remote access granted through the retailer’s computerized heating and cooling software, two people with knowledge of the inquiry said.
In an interview, Brad Maiorino, recently hired as Target’s chief information security officer, said a top priority was what he called “attack surface reduction.”
“You don’t need military-grade defense capabilities to figure out that you have too many connections,” Maiorino said. “You have to simplify and consolidate those as much as possible.”
Homeland Security first discovered the Backoff malware (named for a word in its code) in October 2013. In the last few weeks, the agency said that it had come across the malware in three separate investigations. Most troubling, the agency said that even fully updated antivirus systems were failing to catch it.
Low detection rates meant that “fully updated antivirus engines on fully patched computers could not identify the malware as malicious,” the report concluded.
Backoff and its variants all perform four functions. First, they scrape the memory of in-store payment systems for credit and debit card “track” data, which can include an account number, expiration dates, and personal identification numbers, or PINs.
The malware logs keystrokes, like when a customer manually enters her PIN, and communicates back to the attackers’ computers so they can remove payment data, update the malware, or delete it to escape detection.
The hackers also install a so-called backdoor into in-store payment machines, ensuring a foothold even if the machines crash or are reset. And they continue to tweak the malware to add functions and make it less detectable to security researchers.
Law enforcement officials say antivirus software alone will not prevent these attacks. They recommend companies take what is called a “defense in depth” approach, layering different technologies and empowering security professionals to monitor systems for unusual behavior.
Among the report’s recommendations: Companies should limit the number of people with access to their systems; require long, complex passwords that cannot be easily cracked; and lock accounts after repeated login requests.
The report also suggests segregating crucial systems like in-store payment systems from the corporate network and making “two-factor authentication” — a process by which employees must enter a second, one-time password in addition to their usual credentials — the status quo.
The report also recommends encrypting customers’ payment data from the moment their cards are swiped at the store, logging all network activity, and deploying security systems that can alert staff to unusual behavior, like a server communicating with a strange computer in Russia.
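The report’s advice to lock accounts after repeated login requests and to log and alert on unusual activity can be reduced to a small detector. The example below is added here and is not from the report or from any of the companies named; the log format, the account name `hvac-vendor`, the IP addresses and the thresholds are all constructed for illustration.

```python
"""Flag high-speed credential guessing against remote-access logins and
decide when an account should be locked (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the report): "timestamp user source result"
SAMPLE_LOG = """\
2014-07-31T02:00:00 hvac-vendor 203.0.113.7 FAIL
2014-07-31T02:00:01 hvac-vendor 203.0.113.7 FAIL
2014-07-31T02:00:01 hvac-vendor 203.0.113.7 FAIL
2014-07-31T02:00:02 hvac-vendor 203.0.113.7 FAIL
2014-07-31T02:00:03 hvac-vendor 203.0.113.7 FAIL
2014-07-31T02:00:04 hvac-vendor 203.0.113.7 OK
2014-07-31T09:15:00 jsmith 198.51.100.20 FAIL
2014-07-31T09:15:40 jsmith 198.51.100.20 OK
"""

FAIL_THRESHOLD = 5    # failures that trigger a lockout and an alert (assumed policy)
WINDOW_SECONDS = 60   # sliding window the failures must fall within (assumed policy)


def parse_line(line):
    """Split one constructed log line into (datetime, user, source, result)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def analyze(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Replay the log; return (locked_accounts, alerts).

    An account is locked once `threshold` failures fall inside `window`
    seconds. A later success on a locked account is alerted separately,
    because a guessing program that finally hits the right password looks
    exactly like that, and a lockout that was not enforced would otherwise
    go unnoticed."""
    recent_failures = defaultdict(deque)   # user -> timestamps of recent FAILs
    locked = set()
    alerts = []
    for line in log_text.splitlines():
        ts, user, src, result = parse_line(line)
        if result == "FAIL":
            q = recent_failures[user]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop stale failures
                q.popleft()
            if len(q) >= threshold and user not in locked:
                locked.add(user)
                alerts.append(f"LOCKOUT {user}: {len(q)} failures from {src} within {window}s")
        elif user in locked:
            alerts.append(f"SUCCESS-AFTER-LOCKOUT {user} from {src}")
    return locked, alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[1]:
        print(alert)
```

The one-off failure followed by a success for `jsmith` is left alone, which is the distinction the lockout rule has to draw between a mistyped password and a guessing program.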