Recent Retail Breaches Connected
Federal Investigator Says Same Malware Found in 5 Attacks
A malware attack that exploited a point-of-sale software vulnerability within systems used by a select group of Kentucky and Southern Indiana retailers has now been linked to attacks against grocery chain Schnuck Markets Inc. and four other merchants.
One federal investigator says all of the attacks have been traced to an overseas hacker, and cooperation with international law enforcement is expected to bring this case to a close soon (see Retail Breach Contained; Fraud Ongoing).
Craig Hutzell, a spokesman for the Kentucky Electronic Crimes Task Force, which is part of the Secret Service, says the attacks that breached POS systems and networks at Schnucks, as well as retailers in Kentucky and Southern Indiana, share a number of characteristics. And with the help of the Federal Bureau of Investigation, the Secret Service has determined that the malware used in the attacks and the methods of entry all trace back to a single hacker using an overseas IP address, he says.
"It's the same [modus operandi], and the malware matches what we had here in our breach," Hutzell says.
The linking of these attacks illustrates why it's so critical for banking institutions to regularly communicate with card brands about the fraud trends they are detecting, says John Buzzard of FICO's Card Alert Service.
"Banks and credit unions really have to work in tandem with the card associations - the fraud departments for Visa and MasterCard, Discover and American Express," he says. "Some banks and credit unions may not want to take the time to do that. But this diverse reporting and link analysis really is important. It helps investigators connect the dots. Without a doubt, that information from banking institutions helped investigators in this case realize that all of these were connected."
Common Attack Patterns
Hutzell confirmed the connection between the Kentucky-Indiana attacks and Schnucks, but would not name the other four retailers, saying it was not clear if all of those incidents had been made public.
Recent breaches that followed similar attack patterns include the malware attacks against supermarket chain Bashas' Family of Stores and convenience store chain MAPCO Express, as well as the cyber-attack against retail tool store chain Harbor Freight Tools, and a suspected breach at supermarket chain Raley's Family of Fine Stores.
Hutzell would not confirm that those breaches were connected.
In all of these attacks, card numbers were targeted and compromised, card issuers have confirmed to Information Security Media Group. And although the type of malware used in the attacks has not been revealed publicly, issuers say they suspect most of these attacks likely resulted from a single strain or similar strains.
"All of these cards were compromised and sold in a forum," Hutzell says. "Within 72 hours of the breaches, cards were being used, so the fraud occurred very quickly."
So far, Hutzell says law enforcement authorities have arrested three end-line users - those who allegedly purchased the card numbers in underground forums. Hutzell did not provide the names of the three arrested, but he said they were apprehended by local police departments in Arizona and California. The alleged overseas hacker remains at large.
Impact on Issuers
Evidence of fraud linked to the Kentucky-Indiana breach as well as the still-under-investigation Raley's breach, continues to trickle in, issuers say.
Marjorie Meadors, assistant vice president and head of card fraud prevention for Louisville-based Republic Bank & Trust, says the attack against Kentucky and Southern Indiana retailers resulted in fraud losses that were five times greater than any other previous breach in the region.
"We received what would normally be a year's worth of fraud cases in four weeks," she says. "The fraud has stopped at the moment, but we know that there is still card information out there that may be used later."
Meadors says MasterCard and Visa released alerts about the merchants that had been affected, but neither she nor Hutzell would name the merchants listed in those alerts. She did say, however, that the local reseller who provided the remote-access software, which the malware exploited, has not been identified in those alerts.
"Once again, the software company that caused it all has no repercussions," Meadors says. She says the alleged hacker behind the attack is based in Eastern Europe.
Another executive with a separate card issuer, who asked not to be named, says new alerts from the card brands, as well as fraudulent transactions tracked internally, suggest the Raley's breach dates back to February. Initially, the breach was thought to date back to mid-March.
"The reality is, for the issuer, ongoing unauthorized activity on accounts tied back to Raley's," the executive says. "We have examples of card accounts used once at Raley's with counterfeit fraud resulting later. The card information gathered continues to be used for fraud."
Raley's has yet to confirm an attack or breach, which this issuer finds worrisome. "With the merchant dismissing the concern, does this mean they haven't found a problem and the compromise will continue?"
Buzzard says retail malware attacks are plaguing banking institutions because they are challenging to trace to their source.
"It's been a long line of succession this year, and a predominant amount of the attacks have been [at] grocery stores," he says. "But one thing banks and credit unions need to be aware of is when we start to have inconclusive evidence, it may be challenging to find a common point of compromise. Sometimes it's a processor breach, which may not lead them to a specific retailer."
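The link analysis Buzzard describes, in which issuers pool fraud reports to find a common point of compromise, is usually done as a common point of purchase (CPP) analysis over the issuer's own transaction history. The following is an added example, not code from the article or from FICO or any issuer named above: it scores each merchant by what fraction of the fraud-reported cards transacted there (coverage) and by how much that merchant's fraud rate exceeds the portfolio rate (lift), reports the exposure window implied by the fraudulent cards' visits (the kind of evidence that moved the Raley's start date from mid-March back to February), and, as Buzzard warns, returns an inconclusive verdict rather than a merchant name when no single point covers most of the fraud. All transactions, card ids, merchant names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed issuer-side transaction history: (card id, merchant, transaction date).
# Merchant and card names are invented; they do not refer to any retailer in the article.
TRANSACTIONS = [
    ("card01", "GroceryA", date(2013, 2, 10)), ("card01", "Fuel1", date(2013, 3, 1)),
    ("card02", "GroceryA", date(2013, 2, 15)),
    ("card03", "GroceryA", date(2013, 3, 2)), ("card03", "Hardware2", date(2013, 3, 5)),
    ("card04", "GroceryA", date(2013, 3, 10)), ("card04", "Fuel1", date(2013, 3, 12)),
    ("card05", "GroceryA", date(2013, 3, 20)),
    ("card06", "Fuel1", date(2013, 2, 20)),
    ("card07", "Fuel1", date(2013, 3, 15)), ("card07", "Hardware2", date(2013, 3, 18)),
    ("card08", "Hardware2", date(2013, 2, 25)),
    ("card09", "Hardware2", date(2013, 3, 8)),
    ("card10", "GroceryA", date(2013, 3, 25)), ("card10", "Hardware2", date(2013, 3, 26)),
    ("card11", "Fuel1", date(2013, 3, 4)),
    ("card12", "Fuel1", date(2013, 3, 6)),
    ("card13", "Hardware2", date(2013, 3, 9)),
    ("card14", "Hardware2", date(2013, 3, 11)),
]

# Constructed fraud reports: cards later used for counterfeit fraud.
# The first set clusters at one merchant; the second is spread out, as in a
# processor-level compromise where no single retailer stands out.
FRAUD_CARDS_CLUSTERED = {"card01", "card02", "card03", "card04", "card05"}
FRAUD_CARDS_SCATTERED = {"card06", "card08", "card09", "card11"}


def score_merchants(transactions, fraud_cards):
    """Score every merchant on coverage and lift; most suspicious first."""
    merchant_cards = defaultdict(set)      # merchant -> all cards seen there
    merchant_fraud_dates = defaultdict(list)  # merchant -> visit dates of fraud cards
    all_cards = set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        merchant_cards[merchant].add(card)
        if card in fraud_cards:
            merchant_fraud_dates[merchant].append(when)
    # Portfolio-wide fraud rate is the baseline that lift is measured against.
    base_rate = len(fraud_cards & all_cards) / len(all_cards)
    scored = []
    for merchant, cards in merchant_cards.items():
        hits = cards & fraud_cards
        coverage = len(hits) / len(fraud_cards)   # share of fraud cards that shopped here
        rate = len(hits) / len(cards)             # fraud rate among this merchant's cards
        lift = rate / base_rate if base_rate else 0.0
        dates = sorted(merchant_fraud_dates[merchant])
        # Earliest and latest visit by a fraud card bound the likely exposure window.
        window = (dates[0], dates[-1]) if dates else None
        scored.append({"merchant": merchant, "coverage": coverage, "lift": lift,
                       "cards_seen": len(cards), "window": window})
    scored.sort(key=lambda s: (s["coverage"], s["lift"]), reverse=True)
    return scored


def find_common_point(transactions, fraud_cards, min_coverage=0.8, min_lift=2.0):
    """Name a candidate CPP only when one merchant covers most of the fraud and
    its fraud rate is well above baseline; otherwise report inconclusive."""
    scored = score_merchants(transactions, fraud_cards)
    top = scored[0]
    if top["coverage"] >= min_coverage and top["lift"] >= min_lift:
        return {"verdict": "candidate", **top}
    # Inconclusive: hand the analyst the leading candidates instead of a false positive.
    return {"verdict": "inconclusive", "merchant": None,
            "top_coverage": top["coverage"], "candidates": scored[:3]}


if __name__ == "__main__":
    for label, cards in (("clustered", FRAUD_CARDS_CLUSTERED),
                         ("scattered", FRAUD_CARDS_SCATTERED)):
        result = find_common_point(TRANSACTIONS, cards)
        print(label, result["verdict"], result["merchant"], result.get("window"))
```

The thresholds are deliberately conservative: a merchant that most fraud cards happened to visit will still have a lift near 1.0 if it is simply popular, so both measures have to clear their bar before a name is reported. When they do not, the analyst gets the ranked shortlist and can look upstream at a shared processor or a shared POS reseller, which in this article is where the remote-access software came from.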