Cyber thieves see the new credit card chip technology being adopted by U.S. retailers as closing a lucrative window of opportunity to steal your data. So they want to move fast.
“We’ve actually seen a number of discussions, in some cybercrime communities, where they’re reacting to that and saying, ‘OK, we have a limited number of opportunities to continue these attacks and we need to take the maximum advantage,’” said John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners, which was acquired by FireEye Inc. in January.
Retailers were supposed to join banks and payment processors in switching to chip readers by Oct. 1 of last year or face liability for some fraudulent charges that occur in their stores. Yet most payment terminals can’t read the new technology and demand for devices and services surpasses supply.
Even with the chip technology coming into more widespread use, companies remain vulnerable to malware that lets hackers break into their networks, FireEye said in a report released Wednesday.
FireEye, which provides malware and network-threat protection systems, tracked a cybercrime group it calls “FIN6.” The group steals credit card numbers from the retail and hospitality industries and delivers the digits to an online “underground card shop.” The report found cases spanning from 2014 through this year.
Malware such as GRABNEW, which captures login credentials, can come as an e-mail attachment, FireEye said. FIN6 either sends that malware or pays others for the credentials.
Once FIN6 gets into a company’s network, it uses software vulnerabilities to move around and locate card numbers. One FIN6-linked case resulted in 20 million cards, mostly from the U.S., in the online shop, selling for about $21 each, Milpitas, California-based FireEye said.
FireEye said it couldn’t confirm where the group is located but said it parallels activity typically seen from cybercrime groups in Eastern Europe.
Data breaches in 2013 at retailers including Target Corp. and Michaels Cos. exposed credit and debit card data of millions of customers. Hackers installed malware in Target’s security and payments system designed to steal every credit card used at the company’s U.S. stores. Other major breaches in the past few years include hacks of Home Depot Inc., JPMorgan Chase & Co., auction site EBay Inc. and health insurer Anthem Inc.
Networks including Visa and MasterCard Inc. began calling for a migration to chips, which have been used in Europe since the 1990s, to head off counterfeit cards. The underlying technology — called EMV for founders Europay, MasterCard and Visa — generates new codes for each transaction. The codes on magnetic stripes are permanent and can be copied and stored by hackers for later use.
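The difference between a permanent stripe code and a per-transaction chip code can be shown with a small model, added here as an illustration and not taken from FireEye's report or the EMV specifications. It assumes a simplified scheme: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `Issuer` class, card number, key and nonce are constructed for the example.

```python
import hashlib
import hmac

def cryptogram(card_key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Per-transaction code: a MAC over counter, amount and terminal nonce."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Toy issuer (hypothetical) holding each card's key and static stripe code."""
    def __init__(self):
        self.keys, self.stripe_codes, self.last_counter = {}, {}, {}

    def enroll(self, pan: str, key: bytes, stripe_code: bytes) -> None:
        self.keys[pan], self.stripe_codes[pan], self.last_counter[pan] = key, stripe_code, 0

    def authorize_stripe(self, pan: str, stripe_code: bytes) -> bool:
        # Static data: nothing distinguishes a stored copy from the original swipe.
        return hmac.compare_digest(self.stripe_codes.get(pan, b""), stripe_code)

    def authorize_chip(self, pan, counter, amount_cents, nonce, code) -> bool:
        key = self.keys.get(pan)
        if key is None or counter <= self.last_counter[pan]:
            return False  # unknown card, or counter already seen (replayed code)
        expected = cryptogram(key, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # code was not made for this counter/amount/nonce
        self.last_counter[pan] = counter
        return True

def demo() -> dict:
    pan, key = "4000000000000002", b"constructed-card-key"  # constructed test values
    issuer = Issuer()
    issuer.enroll(pan, key, b"123")
    nonce = b"\x01\x02\x03\x04"  # constructed terminal nonce
    code = cryptogram(key, 1, 2100, nonce)  # computed inside the chip
    return {
        "stripe_first": issuer.authorize_stripe(pan, b"123"),
        "stripe_copy": issuer.authorize_stripe(pan, b"123"),
        "chip_first": issuer.authorize_chip(pan, 1, 2100, nonce, code),
        "chip_replay": issuer.authorize_chip(pan, 1, 2100, nonce, code),
        "chip_reuse_new_counter": issuer.authorize_chip(pan, 2, 2100, nonce, code),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the copied stripe code is accepted a second time, while the recorded chip code is refused both when resent unchanged and when resent under a fresh counter.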