Retail Breach Contained; Fraud OngoingRemote Software Attack Exposed Stored Card Numbers
Federal investigators say a malware attack that targeted a select group of Kentucky and Southern Indiana merchants has been contained (see Retailers Attacked by POS Malware). But the software vulnerability, which exposed those merchants' point-of-sale networks to compromise, could still have farther-reaching effects.
"This is still ongoing," says Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust."Even though the affected point-of-sale systems have been shut down, the hackers are still using the information, so fraud is continuing to come in. I know every bank in this area has been affected, and we've enhanced our detection systems to ensure we catch transactions that are suspected to be fraudulent."
The attack, which was traced back to a vulnerability in software used to remotely access POS devices and systems, likely began sometime in mid-February, says Craig Hutzell, a spokesman for the Kentucky Electronic Crimes Task Force, which is part of the Secret Service.
"The number of merchants infected with the malware is in the single digits right now," Hutzell says. But the Secret Service's investigation remains open, he adds.
So far, the compromised software, provided by a reseller in Louisville, has only been linked to local merchants. But any merchant using the software, unpatched, could be susceptible to attack, Meadors says.
"I'm sure there are merchants in other states using this same remote software, too," she says.
Tracing the Attack
Area card issuers tied fraudulent transactions back to a number of merchants that had one thing in common - the same POS-system remote-access software, Meadors says.
The attack, which is believed to have exposed hundreds of debit and credit accounts in Louisville, Ky., and surrounding areas, including Southern Indiana, has been linked to numerous overseas Internet protocol addresses, Hutzell says.
"We have imaged the POS devices and systems that were infected and have sent that to our headquarters in D.C. for future analysis," he adds. "Our experts there are reviewing that information now and will let us know if more is discovered."
"Merchants that were PCI [Payment Card Industry Data Security Standard] compliant only had the last four digits [of the debit and credit card numbers] in their systems, and that was all the malware could collect," he says. "But the merchants that were carrying the entire card numbers were exposed."
The Secret Service is not releasing the names of the affected merchants, nor is it yet naming the reseller who sold the vulnerable software to those merchants.
Hutzell also says investigators believe the compromised card numbers were sold in underground forums shortly after they were obtained. "Within five days of the breach, we started seeing fraudulent charges," he says.
So far, only signature-based MasterCard- and Visa-branded card transactions appear to have been breached, Meadors says. But fraudulent transactions are cropping up from all over the country; and within the last week, the number of fraudulent transactions from international markets has significantly increased, she says.
Retail Breaches Common
Malware attacks aimed at retailers are becoming increasingly common.
In March, the St. Louis-based Schnucks grocery store chain announced it was investigating a possible breach of debit and credit card data. The retailer in April said "malicious computer code" had captured details from some 2.4 million cards (see Schnucks: Millions of Cards Exposed).
In February, Bashas' Family of Stores confirmed a breach of its corporate network, which connects 130 locations operating under the Bashas' supermarkets, AJ's and Food City brands. The retailer said it had discovered a never-seen-before malware on its network, which allowed attackers to gain access to internal systems and capture sensitive payment information.
And in January, the Zaxby's restaurant chain notified federal authorities of a computer system and point-of-sale breach that had affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas. Zaxby's Franchising Inc. noted that malware and other suspicious files had been found on compromised computer systems at certain locations.