Stolen Credentials, Payment System Malware At Fault In Kmart, DQ Breaches

Payment terminal malware was central to the latest credit card breaches at Kmart and Dairy Queen, according to senior executives at both companies.

The memory-scraping malware was found on payment terminals at nearly 400 Dairy Queen ice cream franchise locations in 46 states, according to John Gainor, president and CEO of International Dairy Queen Inc., which has 4,500 U.S. locations. The breach also impacted an Orange Julius restaurant in West Virginia, he said in a statement. The exposed information included customers’ names, payment card numbers and expiration dates.

"The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at those locations," Gainor said. "Based on our investigation, we are confident that this malware has been contained."


The Minneapolis-based company said digital forensics investigators determined that the Dairy Queen payment terminals were infected with Backoff, a custom memory-scraping Trojan designed to evade detection by standard antivirus software. Once a terminal is infected, the malware activates every 10 to 15 seconds and takes a snapshot of system memory. It then waits for the store to transmit data before encrypting the stolen information and uploading it to a malicious server that the criminals use as a drop-off point.

Kmart systems were compromised with a "new form of malware" beginning in September, exposing credit and debit card numbers through Oct. 9, said Kmart President Alasdair James in a statement to customers Friday.

"We were able to quickly remove the malware. However, we believe certain debit and credit card numbers have been compromised," James said.

Both companies said no debit card PIN numbers, no email addresses and no Social Security numbers were exposed in the breaches. Both companies are offering customers free credit monitoring protection and James said additional security software is being deployed to protect Kmart's customer information.

The Backoff malware is responsible for breaches at UPS Store, Goodwill, Michaels Stores and other retailers. Another payment terminal malware family, called BlackPOS, is believed to have been used by the criminals behind the Target breach, which was acknowledged last December. Investigators reportedly identified stolen credentials belonging to a third-party heating and ventilation business that were used to access Target's billing system and gain initial access to the retailer's back-end systems.

The U.S. Computer Emergency Readiness Team (US-CERT) advises payment terminal installers and service providers that maintain payment systems to use strong passwords and to assess their federated identity implementations for potential weaknesses.

Some breached retailers, including Home Depot and Target, are rolling out more modern payment terminals that support chip-and-PIN cards, a technology designed to prevent card fraud at brick-and-mortar stores. The technology, however, would not have prevented these breaches, said Rick Doten, chief information security officer at Bethesda, Md.-based mobility solutions provider Digital Management. Only fully encrypted terminals and other security measures would have reduced the exposure, Doten told CRN.

"The industry seems to have gone a little too far to the detect and respond approach, and I think it will move back to protection again to address attacks before it results in a breach," Doten said.

Supermarket chain Albertsons also acknowledged a breach of its systems Sept. 29 in stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah. The company said its ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey and Jewel-Osco stores in Iowa, Illinois and Indiana also were impacted by the breach. Credit card data was also exposed at its Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island. The company said in August that some of its stores were breached in a separate incident.