Andrew Komarov, CEO of the cybercrime intelligence firm IntelCrawler, says BlackPOS, the malware strain behind the Target attack and likely the Neiman Marcus attack, has been linked to at least six other retailers.
In a Jan. 17 blog, IntelCrawler claims that BlackPOS had been traced back to a 17-year-old coder in Russia. According to the firm's research, this retail malware strain was first released in March 2013.
"Most of the victims are department stores," Komarov writes in the Jan. 17 blog. "More BlackPOS infections, as well as new breaches, can appear very soon; retailers and the security community should be prepared for them."
The names of the targets were not revealed, but the IP addresses affected are based in Arizona, California, Colorado and New York, he says.
Security blogger Brian Krebs, who was first to break the Target breach in mid-December, also noted last week that BlackPOS is the strain that likely infected Target's point-of-sale network and subsequently exposed 40 million U.S. credit and debit cards and personal information about 70 million Target customers. Krebs, however, has questioned whether IntelCrawler is right about a 17-year-old being behind the development of BlackPOS.
In tweets posted Jan. 19 and Jan. 20, Krebs claims media reports were too quick to pick up and run with IntelCrawler's claims.
But Komarov says IntelCrawler is standing by its research.
Banking institutions can't control or predict these new strains of malware, but they are working to identify points of compromise sooner through enhanced fraud detection and account monitoring. Many issuers also say it's less costly for institutions, long-term, to reissue cards that have been linked to a retail attack than to wait for signs of fraud to emerge.
And this exercise could become an ongoing trend, fraud experts predict, as more breaches linked to malware such as BlackPOS take aim at the retail and hospitality industries.
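The "identify points of compromise sooner" work that issuers describe above is usually done with common point of purchase (CPP) analysis: take the cards on which fraud has been reported, look back through their transaction histories and find the merchant those cards share far more often than clean cards do, then size the exposure window and the reissue list from that merchant. The block below is an added example written for this article, not code from any issuer or from IntelCrawler; the transaction records, tokenized card identifiers and merchant names in it are constructed, and the lift threshold and minimum-support value are illustrative assumptions, not an industry standard.

```python
"""
Common point of purchase (CPP) analysis on constructed sample data.

Given (a) a set of cards that have already reported fraud and (b) the
transaction history of every card, rank merchants by how strongly their
customer base is enriched for fraud-reporting cards, then derive the
exposure window and the list of cards to reissue for the top merchant.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    card: str       # issuer-side token for the PAN; the real card number never enters this job
    merchant: str   # merchant identifier as it appears on the authorization
    when: date      # authorization date


# --- constructed sample data (hypothetical; not from any real breach) ---------
# Eight cards. Four of them (c1..c4) have reported fraud.
# MERCHANT-A was visited by all four fraud cards in early-mid December, plus two
# clean cards, one of which (c8) shopped there before the compromise window.
# MERCHANT-B is a grocery store that every card visits, so it is "common" but
# not enriched for fraud. MERCHANT-C is only visited by clean cards.
SAMPLE_TXNS = [
    Txn("tok-c1", "MERCHANT-A", date(2013, 12, 2)),
    Txn("tok-c2", "MERCHANT-A", date(2013, 12, 5)),
    Txn("tok-c3", "MERCHANT-A", date(2013, 12, 9)),
    Txn("tok-c4", "MERCHANT-A", date(2013, 12, 14)),
    Txn("tok-c5", "MERCHANT-A", date(2013, 12, 10)),   # no fraud reported yet
    Txn("tok-c8", "MERCHANT-A", date(2013, 11, 20)),   # shopped before the window
    Txn("tok-c6", "MERCHANT-C", date(2013, 12, 3)),
    Txn("tok-c7", "MERCHANT-C", date(2013, 12, 4)),
] + [Txn(f"tok-c{i}", "MERCHANT-B", date(2013, 12, 1)) for i in range(1, 9)]

FRAUD_CARDS = {"tok-c1", "tok-c2", "tok-c3", "tok-c4"}


def cpp_scores(txns, fraud_cards, min_support=3):
    """Rank merchants by lift: fraud rate among that merchant's cards divided by
    the fraud rate across all cards. Returns (merchant, fraud_cards, clean_cards, lift)
    tuples, highest lift first. Merchants seen by fewer than min_support fraud
    cards are dropped so a single coincidental visit cannot top the list."""
    merchant_cards = defaultdict(set)
    for t in txns:
        merchant_cards[t.merchant].add(t.card)
    all_cards = {t.card for t in txns}
    clean_cards = all_cards - fraud_cards
    base_rate = len(fraud_cards & all_cards) / len(all_cards)
    results = []
    for merchant, cards in merchant_cards.items():
        f = len(cards & fraud_cards)
        c = len(cards & clean_cards)
        if f < min_support:
            continue
        lift = (f / (f + c)) / base_rate
        results.append((merchant, f, c, round(lift, 2)))
    results.sort(key=lambda r: (-r[3], -r[1]))
    return results


def exposure_window(txns, merchant, fraud_cards):
    """First and last date a fraud-reporting card transacted at the suspect merchant.
    This is the issuer's working estimate until the card brands publish the real window."""
    dates = sorted(t.when for t in txns if t.merchant == merchant and t.card in fraud_cards)
    return (dates[0], dates[-1]) if dates else None


def cards_to_reissue(txns, merchant, window):
    """Every card that transacted at the merchant inside the window, whether or not
    fraud has been reported on it yet. Cards that shopped there outside the window
    (tok-c8 in the sample) are not on the list."""
    start, end = window
    return sorted({t.card for t in txns if t.merchant == merchant and start <= t.when <= end})


if __name__ == "__main__":
    ranking = cpp_scores(SAMPLE_TXNS, FRAUD_CARDS)
    for merchant, f, c, lift in ranking:
        print(f"{merchant}: {f} fraud cards, {c} clean cards, lift {lift}")
    suspect = ranking[0][0]
    window = exposure_window(SAMPLE_TXNS, suspect, FRAUD_CARDS)
    print("suspect merchant:", suspect, "window:", window)
    print("reissue:", cards_to_reissue(SAMPLE_TXNS, suspect, window))
```

On the sample data MERCHANT-A ranks first (four fraud cards, two clean cards, lift 1.33) while the grocery store every card visits scores a lift of 1.0, which is the point of dividing by the base rate rather than just counting. The reissue list contains tok-c5 even though no fraud has been reported on it, which is exactly the "reissue now versus wait for fraud" decision the issuers quoted later in this article are weighing; in practice the window and merchant list are replaced by the card brands' own compromise notification once it arrives.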
BlackPOS Not New
Threats linked to BlackPOS are not new. Komarov in July 2013 speculated that BlackPOS or a similar variant was the malware behind the POS breach of Honolulu-based upscale restaurant chain Roy's.
The next month, during an interview with BankInfoSecurity, Komarov said nearly 30 command-and-control servers around the world had been tied to BlackPOS and similar retail malware strains, such as Dexter and Alina.
"It seems to be Ukrainian authors who are responsible for it," he noted during that interview.
Now Komarov tells BankInfoSecurity that another retail malware strain known as Decebal also has been linked to coders in Romania. In many ways, this emerging strain is even more dangerous, he says.
"The Decebal malware uses Windows Management Interface [WMI] in order to perform some antivirus bypass techniques and system information collection," Intelcrawler notes in a Jan. 16 blog. "The functional code is less than 400 lines of code, which shows the evolution of point-of-sale malware. Past incidents in retailers, such as Target and Neiman Marcus, show that this niche has become one of the most attractive for modern cyber-criminals. The compact code allows for the securing of credit cards at the point of sale."
On Jan. 16, the Wall Street Journal reported that parts of the malicious code used in the Target hit were written in Russian.
Those findings were included in a report provided last week by the Department of Homeland Security to financial-services companies and retailers. The report has not been made public.
To Reissue or Not?
Banking institutions know threats are escalating, but they can't control the security of third parties such as retailers, card-issuing executives say. Thus, card-issuing institutions may individually determine it's more cost-effective to simply replace cards when they're compromised during a retail breach, says one executive with a regional card issuer.
"There should be more cards for sale on the websites in underground forums just due to the sheer volume of cards that were compromised," the issuer says. Compromised card numbers are often sold in so-called underground online forums that cater to the black market (see Exclusive: Inside Cisco Security Report).
JPMorgan Chase on Jan. 14 confirmed that it is reissuing 2 million cards connected to Target. And The New York Times on Jan. 15 reported that Citibank announced plans to reissue all customer debit cards affected by the Target attack.
Brian Davis, spokesman for Branch Banking and Trust Co., BB&T, says BB&T has already begun reissuance of credit cards and is spearheading an educational campaign to inform customers about recent retail attacks.
"BB&T is reissuing credit cards impacted by the Target data breach," he says. "Letters are being sent to clients affected by the breach and information was posted about our actions on BBT.com and through online banking. BB&T is closely monitoring debit cards for those potentially impacted and is reissuing them on a selective basis."
Howie Wu, vice president of virtual banking for BECU, formerly Boeing Employees' Credit Union, says all cards impacted by Target are being reissued. "Currently, the process involves actively monitoring impacted cards while the new cards are being reissued and once the new cards are received, we are then deactivating the impacted card so as to minimize the impact to our membership," he says.
In a Dec. 18 post on the BECU website, the credit union notified members that it was taking proactive steps to mitigate fraud losses.
One executive with a regional issuer in the Midwest says all cards impacted by Target were automatically reissued once the timeline of the breach and the list of affected cards were disclosed by the card brands.
"We sent out a letter and in the letter we outlined the specific date the compromised cards would be shut down, or if customer wanted to shut down the card before that date, they could call in and have it shut down," the executive, who asked to remain anonymous, says. "Currently, we have about 75 percent new activation and 50 percent of compromised cards shut down. Also, before we even auto-reissued cards, customers were coming in and calling to have cards shut down, once they heard it on the news, especially the customers that had fraud on their accounts in the past."
Another executive with a leading issuer on the West Coast, who also asked not to be named, says all cards impacted by the Target attack at that institution are being reissued as well. The institution also is taking proactive steps to educate customers about potential fraud via e-mail, auto-dialer, online and physical mail.
"We are informing them that we are aware of the issue and monitoring accounts for suspicious activity through increased fraud strategy placement," the executive says.
Fraud linked to the Neiman Marcus breach has so far been low, this issuer says.
Waiting it Out
But Ben Knieff, an independent financial fraud expert and consultant, says some banking institutions are waiting it out to see if reissuing cards is truly necessary.
"It appears the cost-benefit doesn't work out at a broad scale, so it makes more sense to reissue only once some damage has been done," he says. "On the surface, this may look bad for consumers, but I think it really is the most rational approach - it doesn't leave people without access to their payment card for a few days; and with such large breaches, the chances any particular individual will be hit are relatively small."
Knieff also says criminals aren't likely to use all the numbers that were breached. "I suspect a lot of the exposed data won't actually be used, or won't be used for some time, and possibly then difficult to trace back to a given event," he says.
Reissuance is not the most critical piece, Knieff argues. Fraud monitoring and detection can go a long way toward mitigating risk and fraud losses that result when cards are breached, he says.
"A lot of institutions are getting smarter about the fraud detection logic they are using," Knieff says. "This isn't free, but is technically feasible, given some time and effort. These sorts of big breaches, in some ways, help the case for loss prevention managers - they get some attention and funding, which they might have been struggling for. Oddly enough, these sorts of bad events often wind up helping the fraud prevention teams get better budgets and allow them to be more proactive and effective."