Just as millions of Americans are steeling themselves for one of the biggest shopping weekends of the year, cybersecurity researchers are warning about a stealthy malware aimed at stealing credit card and debit card numbers from retailers.
Cybersecurity firm iSight Partners on Tuesday publicly disclosed research about the malware, dubbed ModPOS, which the company says is largely undetectable by current anti-virus scans. The firm declined to name specific victims of the threat, but said its investigation into the malware uncovered infections at "national retailers."
The revelation comes at a time when the retail industry is still reeling from a wave of breaches across the country that have been uncovered since Target was hit during the 2013 holiday season.
"It's the most sophisticated point-of-sale malware we've seen to date," said Maria Noboa, a senior threat analyst at iSight. Instead of being just one piece of software, it's actually a complex framework consisting of multiple modules and plugins. Those different pieces combine to collect a lot of detailed information about a target company, including everything from payment information directly about sales systems to the personal login credentials of executives, she said.
The company has been tracking the malware for two years, according to Noboa. But the process has been difficult because the malware goes to great lengths to hide itself, relying on techniques like encryption -- a common digital security tool that scrambles up data -- and file compression to slip past investigators, she said.
"We didn't really even know what we were looking at initially because it's so complex," she said.
The company released some initial findings to its clients in December last year, but didn't have a more complete understanding of how the malware system worked until this year, she said. It briefed its clients on the threat again this October and has since been quietly working with the retail industry to help prevent intrusions -- and investigate if they've already been infiltrated.
The company coordinated with the Retail Cyber Intelligence Sharing Center, or R-CISC, to help warn the industry about the threat. R-CISC was started in April of 2014 after breaches swept through the sector.
This particular malware was especially difficult to combat because of how well it camouflaged itself within systems, he said. "It required more advanced work than your typical automated methods," according to R-CISC executive director Brian Engle.
Information sharing like this has been key for retailers fending off digital threats, said Tom Litchford, vice president of retail technology for the the National Retail Federation -- but so have efforts to limit the amount of consumer information retailers systems can actually see.
"We have pretty sophisticated criminals out there -- and as long as we have data they can monetize, they're going to try to go after it," he said.
One way the companies have been trying to limit their exposure is using more advanced forms of encryption to protect consumer data. With one method, known as point-to-point encryption, payment card data is protected by the point-of-sale machine as soon as a consumer uses a card and is only unlocked once it reaches the payment processor, he said.
A survey of chief information officers of NRF's members found that 41 percent had such a system in place by the end of September, he said, and the group expects that figure to hit 85 percent by the end of the year.
Security experts warn that without such protections, even new credit cards with a chip technology known as EMV could still be compromised by infected point-of-sale systems. That's because even with the new technology -- which was rolled out to improve security -- stolen card data could still be used for payment card fraud in situations where a card is not physically present -- like online purchases.
Noboa considers fully-encrypted transactions a key part of fully protecting EMV payment systems, but warned that "there isn't a way for consumers to know if a company has implemented" the encryption correctly. And the wide-ranging digital spying powers of ModPOS mean that customers may still be at risk if their data is handled by a business affected by the malware because the hackers behind it "are able to do so many things," she said.
Noboa said the company is going public about the malware now to warn shoppers before the holiday season is in full force. The report may give some consumers flashbacks to when Target was hit with malware that stole information on tens of millions of consumers during the height of the 2013 holiday season.
Molly Snyder, a spokesperson for Target, said the company doesn't typically discuss reports on specific types of malware. However, she said, the company recognizes "that cyber threats are continually evolving" and has "teams of experts that work around the clock to continually help protect the company and our guests."
That's a sentiment echoed by many within the industry.
"We're in a heightened state of awareness," said R-CISC's Engle. "The holiday season is key for retailers."