The Washington Post

Why retailers keep falling to point-of-sale malware attacks

Dairy Queen has said that its payment systems were breached by hackers and that customer names, credit and debit card numbers and expiration dates were recently exposed during the security breach. (Win McNamee/Getty Images)

More than 10 months after Target suffered a massive security attack, more major retail chains are getting caught up in the wave of breaches hitting the payment systems of U.S. businesses, sending ripples throughout the industry.

Last week, Sears said Kmart stores were compromised, and fast-food chain Dairy Queen confirmed that nearly 400 stores were breached.

The attacks on Dairy Queen's payment systems started in early August, according to a statement released by the company. Kmart believes its payment systems were infected in early September, according to its filing with the Securities and Exchange Commission. Both companies say the breaches have been stopped, and they're offering free credit monitoring to customers affected by the attack.

Still, with months of warning, how did these companies get caught in the data breach riptide?

One reason, security researchers say, is that although retailers such as Kmart and Dairy Queen have tried to harden their defenses, cybercriminals are almost always one step ahead.

Like Target, in both of the most recent cases, payment systems were attacked. "According to the security experts Kmart has been working with, the Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems," the regulatory filings said. Dairy Queen's announcement was more specific, citing a point of sale (PoS) malware known as Backoff as the culprit in its breach.

Backoff works by remotely taking over a firm's administrator accounts, allowing cybercriminals to steal consumers' payment data from afar. The National Cybersecurity and Communications Integration Center, the Secret Service and third-party partners issued an advisory about the Backoff variant in late July.

Weeks later, on Aug. 22, the Department of Homeland Security warned that the Secret Service estimated that more than 1,000 U.S. businesses were affected by the malware, and that many of them were likely "unaware" that they had been compromised.

"PoS malware has been around for at least a decade, and retailers have been continually targeted since that time," said Nicholas J. Percoco, vice president of strategic services at cybersecurity firm Rapid7. "The issue is that traditional antivirus does not typically detect variants of this malware since it only targets a fraction of their customer base." Even if malware is reported as being the "same" as in a previous attack, Percoco said, there are typically enough technical differences in each deployment that antiviruses miss it the next time.

But even though PoS malware isn't new, cybercriminals are investing more time and money into developing the malware targeting the retail industry, Percoco said. "The main reason for this is that there is a direct return on investment that can be seen in their efforts," he said. "When a major brand is targeted, the cyber criminals gain an advantage by investing in their malware development to ensure they are not detected by traditional controls."

And as brand-name companies struggle to secure their systems against PoS malware, it raises concerns that smaller retailers might be next. The malware deployed against major retailers may start to trickle down to the rest of the cybercrime economy, Percoco said.

"This often results in rather advanced tools," he said, "with a great deal of criminal investment behind them, being utilized to target smaller organizations."