More than 1,000 U.S. businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu and most recently UPS Stores.
The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from U.S. consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.
On July 31, Homeland Security along with the Secret Service, the National Cybersecurity and Communications Integration Center and their partners in the security industry warned companies to check their in-store cash register systems for malware, which security experts dubbed “Backoff” after a word that appeared in its code. Until that point, Backoff malware and variations of it were undetectable by anti-virus products.
Since then, seven companies that sell and manage in-store cash register systems confirmed to government officials that they each have had multiple clients affected. Some, like UPS and Supervalu, have stepped forward, but the vast majority have not.
Altogether, the Secret Service estimates that more than 1,000 U.S. businesses have been affected.
According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities – a vendor with remote access to a company’s systems or employees with the ability to work remotely – and then deploying computers to high-speed guess usernames and passwords until they’ve hit the right combination.
The hackers use those footholds to crawl through corporate networks until they gain access to the in-store cash register systems. From there, criminals are scraping payment card data off the cash register systems and sending it back, through various hop points, to their servers abroad.
Millions of American consumers’ payment card details are being sold on the black market, many of them from U.S. companies that do not know their systems have been breached.
Unless companies search for Backoff on their systems, it can be difficult to identify. The agency recommends companies contact their service providers, anti-virus vendors and cash register system vendor to assess whether they’ve been compromised, or are vulnerable to attack.