Michaels: Following the Fraud TrailCard Issuers See Signs of Another High-Tech Attack
While details surrounding a suspected payments breach at Texas-based arts and crafts retailer Michaels remain unclear, executives at two U.S. card issuers say they believe Michaels was attacked by point-of-sale malware similar to what compromised Target Corp. and Neiman Marcus.
See Also: Autonomous Response: Threat Report
The malware involved has probably been infecting numerous merchants since as early as fall 2013, the issuers say. But malware experts have not definitely linked all of these attacks, and they say the Michaels breach, if confirmed, may not be connected to the same malware that targeted Target and Neiman Marcus.
On Jan. 25, Michaels issued a statement acknowledging concern about a possible card compromise after suspected fraudulent activity had been traced back to credit and debit cards used at Michaels.
"Based on the information the company has received, and in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred," the company says.
No additional details have yet been released by Michaels.
But executives with two leading card issuers say traces of fraud cropping up on U.S. debit and credit cards point back to Michaels, and that this new activity is not likely linked to the point-of-sale device attack Michaels suffered in 2011.
That's because the 94,000 cards affected by the 2011 breach were reissued by most affected institutions because PINs were exposed, say both executives, who asked to remain anonymous.
Any fraudulent activity tied to Michaels that crops up now would have to be linked to a new compromise that is different than the POS-device-swap attack that led to the first breach, they add.
Back in May 2011, Michaels learned that POS and PIN-entry devices at 84 of its stores in 20 states had been swapped with devices manipulated to collect card numbers and PINs (see Michaels Breach: Fraudsters Sentenced).
A New Attack?
One of the card issuers, commenting on the latest suspected incident at Michaels, says: "This is new and not related to the POS replacement scheme from 2011. All of the fraud on these cards links back to usage at various Michaels and Aaron Brothers Framing locations from at least October 2013 through January 2014."
Aaron Brothers Framing is owned by Michaels and shares the same point-of-sale system.
This card issuers' institutions first detected the most recent wave of fraud the week of Jan. 20, the executive says. Details about the apparent compromise are still being determined, the executive adds.
The card issuer has traced fraud back as far as October, "but we have heard a few issuers looking back to at least a September timeframe," the executive says.
So far, leading card brands Visa, MasterCard, American Express and Discover have not yet issued alerts regarding a possible breach, the two issuers note.
Cards with fraudulent transactions tied to Michaels were, in many cases, previously used at Target, Michaels and Aaron Brothers, the executive with the other card issuer says.
"I anticipate we will see that 25 percent of Michaels cards are also on the Target compromise," the executive says.
That makes narrowing the point of compromise challenging.
The more cards compromised and the more retailers breached, the more likely issuers are to find cards that have been used at multiple locations that have been identified as victims of attacks, one executive with an issuer in the Midwest says.
"I have heard chatter that there will be more [retailer breaches revealed] in the coming weeks," the Midwest executive says. "With that info, do you roll the dice and not reissue [cards] at this time, hoping for that two-birds-with-one-stone effect, or do you reissue and hope the consumers do not go to the next compromised location," the executive says. "This is almost like a craps game."
Michaels' First Breach
Although the two executives with leading issuers say this most recent wave of suspected fraud is not related to Michaels' 2011 POS attack, it's difficult to know whether some information gained during that compromise was shared in some way to assist with this apparent second attack.
That same month, authorities in Oregon said they, too, were looking for four suspects who had been caught on camera using fraudulent cards skimmed during the Michaels POS attack (see Michaels Breach: 4 Suspects Sought). No arrests in that case were ever made, according to the Beaverton Police Department.
Scraping Malware: Likely Culprit
Experts disagree about whether the suspected Michaels breach could be connected to malware attacks waged against Target and Neiman Marcus. But card issuers say if Michaels was, in fact, breached, a POS malware attack of some sort is likely to blame (see Michaels: Linked to Target Breach?).
"RAM [random access memory] scraping malware has been around since the beginning of 2013 and has been involved with many attacks, including several grocery stores earlier this year," the executive with the first unnamed card issuer says.
Card issuers were first educated about the emergence of so-called RAM scraping malware during the summer 2013, that executive says. That's when attacks against grocery chains Schnuck Markets Inc. and Bashas' Family of Stores, as well as convenience-store chain MAPCO Express, were reported.
In those breaches, the malware to blame was credited with having the ability to sniff out card details.
Some malware experts, such as Andrew Komarov, CEO of cyberintelligence firm IntelCrawler, have suggested a malware strain known as BlackPOS, or a close variant, is likely to blame for most of those attacks (see 6 More Retailers Breached?).
"It's too bad some of these other events did not garner the same attention that Target has to highlight some of the risks and challenges everyone is facing," one of the card issuing executives notes.
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says POS malware attacks have been evolving since early 2013.
"Security colleagues I know have seen this malware since at least February 2013 at other retailers," she says. "It kept improving by the time it got to Target. It had many modules and there was evidence of a very organized and advanced group of multiple programmers and software developers."
In its most recent breach disclosure, Neiman Marcus notes that a related malware attack, separate from the one that ultimately compromised its network, "appears to have been clandestinely inserted earlier in 2013" (see Retail Breaches: Congress Wants Answers).
The strain that ultimately compromised its network was confirmed by forensics investigators to be a RAM scraping malware, Neiman Marcus says.
"The scraping malware was complex and its output encrypted," the company states. "The investigative firms worked to decrypt the output file by first reversing the malware to determine the encryption algorithm and then creating a script that employed the attacker's algorithm to the encrypted data in order to decrypt it. It was only after this decryption process was concluded that we were able to determine that payment card information had been captured."
Litan says it seems security software has not detected these most recent POS malware strains.
"Like a worm, it propagated through the retailer networks, attaching itself in memory to the POS software in each POS device," she says. "It may have gotten in through an update to the POS software."