Researchers Track Tricky Payment Theft Scheme

Cybersecurity experts are on the hunt for a sophisticated payment theft scheme unlike any that has been used before.

The scheme targets point-of-sale systems but relies on malware that goes deep into the machine, to the “kernel level,” where antivirus software often does not look, according to iSight Partners, a cyberthreat intelligence company in Dallas.

The criminals have also gone to great lengths to encrypt their tools, so that even when their activity is picked up, it is unclear whether it is malicious.

“Not only would you not know what you’re looking for, but you wouldn’t know what you are looking at,” said John Miller, the head of cybercrime analysis at iSight.

Retailers and hospitality companies as well as credit card companies and payment processors are determined to eradicate the malware before Black Friday and avoid a significant holiday season hack, like the one that hit Target two years ago.

Much has happened in the two years since Target was hit. For one, the rules have changed. Visa, MasterCard, American Express and other major card networks have shifted the burden for fraudulent charges onto the retailers. From now on, merchants that have yet to update their payment systems from traditional swiping technology to a newer chip-card technology widely deployed in Europe and Canada will bear the financial burden for any fraudulent charges.

For another, attackers have been pouring more money and effort into their tools, making their methods nearly impossible to detect, according to new research published early Tuesday by iSight.

For the past year, iSight has tracked this cybercrime attack, which originates in Eastern Europe. They say it is more sophisticated than anything they have seen in their eight years of operation.

The hackers were careful to tailor their attack tool to each victim, making it difficult for investigators to work backwards from one attack to find other infected victims.

“This is right up there in the top tier in terms of its sophistication and obfuscation,” said Mr. Miller.

In September, Mr. Miller’s team had a breakthrough. They were able to get their hands on a new sample of the malware and spent the better part of three and a half weeks cracking the encryption on it. By comparison, they were able to reverse engineer other kinds of point-of-sale targeting malware in less than 20 minutes.

What they found was an entire suite of tools, not just for scraping data off in-store cash registers, but for moving through a victim’s network and capturing other data that might be valuable. In the past, similar point-of-sale attack tools might have two or three functions. What iSight’s team found could perform up to 600 functions.

“The level of complexity of coding is two orders of magnitude greater than what we would see with a lot of malware,” said Mr. Miller.

For the past six weeks, Mr. Miller’s team at iSight has been briefing as many of its clients in the retail, hospitality, credit card and payment processing industries as possible.

iSight sent its clients a list of indicators suggesting that their systems may have been compromised, and clients across the retail and payment industries have been digging through their systems for the greater part of six weeks.

“The way this has been developed is sophisticated enough that we believe that the infections we have confirmed are only a small subset of what the attackers have accomplished,” Mr. Miller said. “We’re confident there are infections out there that no one is aware of at all.”

The best prepared are those who have already switched to the new E.M.V. technology — which stands for Europay-MasterCard-Visa, the technology’s first backers — which makes it much more difficult for criminals to use any stolen payment data for fraudulent transactions.