At least 1,000 major corporations and small and medium businesses are affected by the malware that infiltrated Target's more than 1,800 stores last year and compromised millions of private customer records, including names, credit cards, mailing addresses and e-mail addresses.
The malware is called Backoff, after security experts at the United States Computer Emergency Readiness Team (US-CERT) of the Department of Homeland Security (DHS), working in cooperation with the Secret Service, found the word in its code. It has already affected other big businesses such as Supervalu and the United Parcel Service (UPS), while seven other unnamed businesses have reported to the authorities that they have found the malware in their systems. Security officials believe around a thousand other businesses that run in-store cash register systems could have the malware in their systems without knowing about it.
Backoff allowed hackers to steal more than 40 million credit card records and 70 million personal data records from Target's database. The attack works like this: criminals look for remote access points into corporate systems, such as the remote access given to vendors or telecommuting employees, then use a brute-force tactic, trying multiple password combinations until the right password is found. From there, the attackers crawl the corporate network until they chance upon the cash register system, into which they embed the malware that pilfers customer data from the cash registers.
The DHS warns that unless businesses actively search for the malware, they may fail to identify it. Prior to DHS warnings, the malware was unidentifiable by most antivirus programs. However, antivirus vendors have updated their systems since then.
"DHS strongly recommends actively contacting your IT team, antivirus vendor, managed services provider and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised," the government writes in its latest security alert.
Backoff is not a unique attack in itself, but its pervasiveness has prompted security officials to raise the alarm. One issue of particular interest is the use of credit cards with magnetic stripes, an antiquated technology from the 1960s still used in American credit cards, which allows information thieves to easily get hold of the card owner's data.
"The weakness is in the magnetic stripe," says security analyst Avivah Litan of Gartner Research. "I can buy a mag stripe reader on eBay and easily read all the data from your credit card."
Target, which has been struggling to make a comeback after it announced the major breach in its systems last December, is currently in the process of overhauling its in-store cash register systems to accommodate EMV, short for Europay-MasterCard-Visa, a chip-based card standard already in place in Europe that makes pilfering data far more difficult than with a magnetic stripe.