FBI tells retailers to expect more cyberattacks like those on Target and Neiman Marcus

Over the last six months, Target, Neiman Marcus, and at least three other US retailers were the focus of attacks that resulted in millions of credit card details being stolen. Earlier this month the US government sent a 16-page document to retail companies, explaining how the hacks were orchestrated. Now the FBI has stepped in to warn such companies that they should be prepared to deal with similar attacks.

In a report sent to retail companies last week, the FBI said it had discovered around 20 cases of cybercrime against retailers in the last year. Many of the attacks reportedly used the same kind of malicious software as that used against Target, known as "memory-parsing" or "RAM scraper" malware, which is designed to infect point-of-sale systems such as cash registers. The software is able to take payment data from a customer's credit or debit card by capturing the normally encrypted information when it appears for a short period of time as plain text.

The Neiman Marcus security breach ran from July 16th to October 30th

The FBI believes similar attacks will become more common. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the report, seen by Reuters, says. It also expects the attacks to become more advanced as new software is developed. Reuters says one variant of this malware, called Alina, already allows its users to update its capabilities remotely.

A congressional hearing on data breaches is scheduled for February 4th. Target is set to offer testimony after details of 40 million credit cards were stolen during a malware attack that ran undetected for 19 days. This week, Neiman Marcus clarified the details of its own attack, first reported this month. The fashion retailer said about 1.1 million credit and debit cards were affected by the security breach, which reportedly ran from July 16th until October 30th last year. The company's CEO, Karen Katz — who apologized for the data breach and offered free credit monitoring to Neiman Marcus customers — wrote that around 2,400 cards used for purchases at Neiman Marcus have already been used fraudulently.