Just as millions of Americans are steeling themselves for the holiday shopping season, cybersecurity researchers are warning about a stealthy malware aimed at stealing credit card and debit card numbers from retailers.
Cybersecurity firm iSight Partners revealed research about the malware, dubbed ModPOS, which the company says is largely undetectable by current antivirus scans. The firm declined to name specific victims of the threat, but it said its investigation uncovered infections at “national retailers.”
The revelation comes as the retail industry is reeling from a wave of breaches uncovered since Target was hit during the 2013 holiday season.
“It’s the most sophisticated point-of-sale malware we’ve seen to date,” said Maria Noboa, an iSight senior threat analyst. Instead of being just one piece of software, it’s a complex framework of multiple modules and plug-ins. Those parts combine to collect a lot of detailed information about a company, including payment information and personal log-in credentials of executives, she said.
The company has been tracking the malware for two years, Noboa said. But the process has been difficult because it goes to great lengths to hide itself, relying on techniques such as encryption — a common digital security tool that scrambles data — to slip past investigators, she said.
“We didn’t really even know what we were looking at initially because it’s so complex,” she said.
In recent months, the company coordinated with the Retail Cyber Intelligence Sharing Center to warn the industry about the threats.
Information sharing has been significant for retailers fending off cyberthreats, said Tom Litchford, vice president of retail technology for the National Retail Federation — but so have efforts to limit the amount of consumer information that retailers’ systems can see.
“We have pretty sophisticated criminals out there — and as long as we have data they can monetize, they’re going to try to go after it,” he said.
One way that the companies try to limit their exposure is using more advanced forms of encryption to protect consumer data. With one method, known as point-to-point encryption, a consumer’s payment card data is unlocked only after it reaches the payment processor, he said.
A survey of NRF’s members found that 41% had such a system in place by the end of September, he said, and the group expects that figure to rise to 85% by the end of the year.
Security experts warn that without such protections, even new credit cards with a chip technology known as EMV could still be compromised by infected point-of-sale systems. That’s because even with the new technology — which was rolled out to improve security — stolen card data could still be used for fraud in situations where a card is not physically present, such as online purchases.
Noboa considers fully encrypted transactions an important part of fully protecting EMV payment systems, but she warned that consumers have no way to know whether a company is using the technology. The spying powers of ModPOS mean that customers may still be at risk if their data is handled by a business infected with the malware, because it is “able to do so many things,” she said.
Noboa said the company is going public about the malware to warn shoppers before the holiday season is in full force.
Target spokeswoman Molly Snyder said the company doesn’t typically discuss reports on specific malware types. But, she said, Target recognizes “that cyberthreats are continually evolving” and has “teams of experts that work around the clock to continually help protect the company and our guests.”
That’s a sentiment echoed by many within the industry.
“We’re in a heightened state of awareness,” said Brian Engle, executive director of Retail Cyber Intelligence Sharing Center. “The holiday season is key for retailers.”
Peterson writes for the Washington Post.