Store opening: Retail malware

Technological vulnerability and valuable data make retailers the latest target for malware attacks, says Jenny Craig CIO Abe Lietz. Karen Epper Hoffman investigates.

Jenny Craig has built a name for itself over the past 30 years by helping its customers shed pounds. But one thing the weight management and nutrition company does not want to help its customers lose is their personal and financial information. 

To that end, the company, a unit of Nestle, is taking pains not to become the latest in the growing list of retail outfits that has fallen prey to malware attacks, says Abe Lietz, chief information officer and vice president of information systems for Jenny Craig. “To a certain extent, this has been going on for a good period of time,” says Lietz. “As retailers are modernizing their endpoints, often adding more commodity operating systems, they are becoming more approachable to attacks. We're definitely hearing about it more of late.”

The idea that attacks on retailers are on the rise is corroborated by research and media attention. According to the “2013 Trustwave Global Security Report,” released in February, the retail industry last year made up 45 percent of data breach investigations handled by the company – a 15 percent jump from the previous year – due to a growth in attacks on retail e-commerce sites and on physical points-of-sale. 

Just in recent months, more than a dozen notable merchant organizations have been publicly outed in the press for having their stores fall victim to such attacks. Brentwood, Tenn.-based convenience store chain Mapco Express announced that payments information at all 377 of its stores may have been compromised when it sustained a malware intrusion earlier this year. In March, Schnuck Markets began investigating a possible compromise of its systems due to “malicious computer code,” which had captured credit and debit card information from the St. Louis-based grocery chain's customers. 

A month earlier, the Chandler, Ariz.-based supermarket chain Bashas' announced that all 130 of its Arizona locations were potentially affected by malware that allowed attackers to access customer information. In January, Zaxby's, an Athens, Ga.-based restaurant franchise chain, went public with news that malware had breached its systems at more than 100 locations. Similarly, more than 150 stores in the Milford, Conn.-based Subway fast food chain fell prey to thousands of cases of information theft by malware between 2009 and 2011. Sixty-three stores in the New York-based Barnes & Noble Booksellers chain were affected by a breach of its systems, the retailer confirmed in October 2012. And card information was also stolen through skimming devices placed at Michaels Stores, the Irving, Texas-based craft chain, in which more than 94,000 debit and credit cards were affected. 

Federal regulators are beginning to crack down on companies that they believe are not doing enough to protect their information against such malfeasance. Last year, the Federal Trade Commission sued Wyndham Worldwide, the Parsippany-Troy Hills, N.J.-based holding company for Wyndham Hotels & Resorts and other lodging brands, for alleged lax computer security that it says allowed hundreds of thousands of payment records to be stolen by hackers. 

Nicholas Percoco, senior vice president and head of SpiderLabs at Trustwave, a Chicago-based security and compliance company, says he has been seeing this for quite a while. “We've been doing investigations of PCI [Payment Card Industry compliance] for more than a decade and we've seen the criminals evolve.” 

Increasingly of late, online miscreants are developing custom malware that's hard to detect, he says. Indeed, some of the most highly publicized and sophisticated pieces of malicious code that have emerged lately have been written expressly to attack retailers and their point-of-sale (POS) systems. The Dexter trojan, for example, infected hundreds of POS systems at retail stores, hotels and restaurants throughout last year. The malware exploited remote access controls to capture card information straight from the POS displays, according to reports. But Dexter is not alone: It's been followed by other similar malware families, including vSkimmer, BlackPOS and, most recently, Alina, according to Trustwave's SpiderLabs blog. 

“It's like the old adage: ‘Robbers rob banks because that's where the money is,’” says Dan Hubbard, chief technology officer for OpenDNS, a web security firm that protects enterprises from malware, botnets and phishing attacks. “Except with [POS] attacks, there's not even a stickup that needs to happen.”

The ideal target

Malicious hackers have become so good at targeting retailers' internal and POS systems that sometimes their malware can become entrenched for months, or even years – stealing financial, personal and corporate information during this time. Trustwave's Percoco says many criminals will spend upwards of a year “piloting” their attack on one location of a retail outlet before scaling it to all the company's locations. 

“They're perfecting their malware, perfecting their technique and then they explode into many locations,” he says. On average, it takes 210 days for a retailer to discover that their store has been compromised by malware, says Percoco, adding that only five percent ferret out malware in 10 days or less. Some onslaughts have survived for as long as three years. 

“Criminals know what is of value,” says Al Pascual, senior industry analyst for security, risk and fraud at Javelin Research & Strategy. “They're targeting that data specifically…Social Security data, as well as credit card data.” Compared to financial institutions, which are more difficult to breach, the retail industry is likely seen as low-hanging fruit to data thieves.

Aside from the obvious – that they process and often store valuable financial information – what makes retailers such an appealing target for malware attack?

Jenny Craig's Lietz says attacks have increased because there are numerous vectors through which to enter. More and more POS systems use Windows and IP-enabled technology, which can be just as vulnerable to the same kinds of malware attacks as any other internet-connected PC. While malware aimed at retailers' systems is not as ‘pervasive’ as the many varieties that target regular home users, Lietz says corporate and POS networks are not immune. 

Percoco says Trustwave has encountered merchants that are running antiquated PCs on Windows XP Service Pack 1, plugged into the internet with little or no security in place to protect against malware. Compounding this, some recent attacks rely on employees opening websites or email from computers at retailer locations, which again can expose the retailer's network to malware. 

Etay Maor, senior product marketing manager for Trusteer, an endpoint security company with U.S. headquarters in Boston, says another route to exploiting Windows-based systems in a retail environment is going through the rear entrance, so to speak – since the software is often developed with a “backdoor” capability that can be accessed remotely. “At the end of the day, being a Windows-based system means it's vulnerable to a lot of things,” Maor says. And, as more retailers make use of off-the-shelf mobile technologies, like iPads, to mobilize their cashiers and other employees, these vulnerabilities are only likely to widen, says Hubbard.

Then there's Wi-Fi

Remote access to the retail network has also become an issue, especially in a time when most hotels and restaurants consider it table stakes to offer wireless access to their customers. “Adding things like Wi-Fi to stores, it was rarer to see that 10 years ago, there was not the expectation it would be there,” says Lietz. “And now it's a point of entry for attack.” Forty-seven percent of merchant and processor attacks that Trustwave investigated last year were linked to a remote access vulnerability. 

Wi-Fi presents a target for would-be criminals who set out to attack users on the unsecured guest wireless access point, and stumble onto the store's own network. Criminals also use Wi-Fi hacking to infiltrate the retailer's system when information is sent (sometimes unencrypted) from the POS terminals to the server in the store, says Hubbard. He says near-field communications and mobile technologies both serve to expand the potential exposure to malware as well. 
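The unencrypted POS-to-server traffic Hubbard describes and the card data the POS malware families named earlier harvest share one observable a defender can look for: raw magnetic-stripe Track 2 records in plaintext. The following Python scanner is an added example, not code from the article or from any company quoted in it; it runs over constructed sample log lines (the card numbers are public test numbers, not real accounts) and validates the PAN with the Luhn check so that random digit strings are not reported.

```python
import re

# Track 2 layout: PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Constructed sample lines standing in for a store server's POS log.
SAMPLE_LINES = [
    "2013-04-01 12:00:03 POS07 sale total=25.99 items=3 tender=card",
    "2013-04-01 12:00:04 POS07 auth ;4111111111111111=25121015432112345678?",
    "2013-04-01 12:00:09 POS07 auth ;4111111111111112=2512101000000000000?",
    "2013-04-01 12:01:30 POS07 auth ;5500000000000004=2606201000000000000?",
]


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only BIN and last four so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return masked Track 2 findings in one line, Luhn-validated."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            hits.append({"pan": mask(pan), "expiry": expiry, "service_code": service})
    return hits


def scan_lines(lines: list) -> list:
    """Return (line_number, finding) pairs for every plaintext track record."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in find_track2(line)]


if __name__ == "__main__":
    for n, hit in scan_lines(SAMPLE_LINES):
        print(f"line {n}: plaintext Track 2 data {hit}")
```

Pointed at captured POS-to-server traffic or a suspicious file on a terminal, the same pattern flags the dump files memory-scraping POS malware leaves behind; the Luhn check is what keeps timestamps and transaction IDs from triggering it.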

Industry observers point out that many merchant organizations rely too heavily on PCI DSS (Data Security Standard) compliance to ensure the protection of their card data – viewing the guidelines as the limit of what they need to do. “From our point of view, organizations fall into a couple of different camps,” Percoco says. “There are the [companies] that see PCI as the ceiling, and others that see it as the floor. Criminals tend to target the former group.”

Or, as Hubbard puts it: “Just because you're compliant, doesn't mean you're secure.”

Lietz agrees that while PCI adds “a certain level of rigor and standards…new threats are evolving and emerging all the time.” What PCI's data standards outline can only serve as a starting point, he says. But, not all information chiefs feel that way, he adds. “Many retailers find PCI to be kind of overwhelming,” Lietz says. “They kind of wipe their brow and say, ‘Whew, now we're done.’”

A lack of security focus and control over their systems (including third parties or franchisees) can also affect retailers' ability to protect their data assets, thus making them an appealing target for hackers, observers say. One of the main issues Maor encounters in his other role as security evangelist for Trusteer is that, for some retailers, security systems and protocols don't get adequate attention and financial resources. “Security is just not sexy enough,” he says. “It's just not as cool as marketing or the latest feature on the website. Too often, it's not the biggest concern.”

Employees can often check their personal email or surf the web on Windows-based systems at retail stores, or will often use passwords that are too simple. The “2013 Trustwave Global Security Report” found that out of the three million passwords it analyzed, 50 percent of business users are still utilizing passwords that are easily guessed – the most common being simply “Password1.”

Chris Strand, security compliance practice manager at Bit9, a Waltham, Mass.-based security services firm, says the security challenges for merchants are growing due to the low visibility and lack of control of their POS and internal systems. Since so many retail organizations use third parties to manage their technology, he says it's easy for them to overlook how the systems are running and where their data may be exposed. These companies need to answer their own security questions, Strand says. 

Another factor he references is the uneven, fast-and-slow nature experienced by many retail outlets, which can create periods where standard security technology is overlooked or postponed. For example, Strand says, during historically popular holiday shopping periods, merchandisers routinely delay all but the most mission-critical technology changes. “Every retailer on the face of the Earth has to go through a holiday freeze,” he says. “Take Black Friday [the day after Thanksgiving]. You are not applying any security patches that day…And you just opened up another threat window.”

Meanwhile, franchise arrangements can swing open the door to other potential oversights: Will the franchise operator use the same security measures as their parent? In Jenny Craig's case, there are more than 500 corporate-owned outlets and more than 100 franchise locations. Lietz, who says Jenny Craig has not experienced a breach during his tenure, says the company has security guidelines that it has its franchises follow to make sure their application suite works correctly. The best practices also dictate which client applications to use. He says other issues, such as whether or not to offer wireless access to customers, are up to each franchisee, but adds that Jenny Craig's corporate office provides a standard configuration, which includes endpoint protection for POS devices and network equipment. 

Javelin's Pascual says that while solutions exist, the trend will continue as hackers seek out a ready opportunity. “It's going to get worse before it gets better,” he says. “This is definitely going to be the year of retailer malware.”
