Jan. 24 -- The FBI is warning retailers to be on alert for more cyber-attacks involving malicious software used to steal customers' credit and debit card data as luxury retailer Neiman Marcus yesterday disclosed that more than 1 million customers' cards may have been compromised.
A Jan. 17 FBI report describes risks posed by "memory-parsing" malware that's infected companies' point-of-sale systems in about 20 hacking cases in the past year, Reuters reported yesterday.
"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," the FBI report said, according to Reuters. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors."
Neiman Marcus disclosed Jan. 10 that hackers may have stolen its customers' credit and debit card information. The company, which has Boston and Natick stores, hasn't yet informed the state how many Massachusetts customers were affected.
As of yesterday, Visa, MasterCard and Discover had notified the Dallas company that about 2,400 cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently, Neiman Marcus Group CEO Karen Katz disclosed in a letter on the company's website. "It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013, to October 30, 2013," she said.
Target Corp. said last month that the credit and debit card data of up to 40 million customers had been accessed by hackers in a malware attack, and this month said personal information of 70 million customers also was accessed.
Consumers can expect more merchants to admit breaches in the near future, because their Internet protocol addresses, logins and passwords are being sold on the black market, said Dan Clements, president of IntelCrawler, a cyber-intelligence firm.
"It has a level of sophistication where the Target (breach) would not have shocked you," he said. Criminals are advertising the addresses, logins and passwords for as little as $25, and throwing in malware already loaded on merchants' systems for $100, according to Clements.
"It's very, very low-risk and a high return," he said. "It's just simple economics."
Herald wire services contributed to this report.
Copyright 2014 - Boston Herald