By Jim Finkle
BOSTON (Reuters) - A cybercrime firm says it has uncovered at least six ongoing attacks at U.S. merchants whose credit card processing systems are infected with the same type of malicious software used to steal data from Target Corp.
Andrew Komarov, chief executive of the cybersecurity firm IntelCrawler, told Reuters that his company has alerted law enforcement, Visa Inc and intelligence teams at several large banks about the findings. He said payment card data was stolen in the attacks, though he didn't know how much.
IntelCrawler's findings are the latest sign that the cyberattacks disclosed by Target Inc and upscale department store Neiman Marcus are part of a wider assault on U.S. retailer customer data security.
On Thursday, the U.S. government and the private security intelligence firm iSIGHT Partners warned merchants and financial services firms that the BlackPOS software used against No. 3 U.S. retailer Target had been used in a string of other breaches at retailers - but did not say how many or identify the victims.
Credit card companies, banks and retailers say that victims of any fraud resulting from the theft of their payment card data bear "zero liability" and will be credited for fraudulent purchases made on their accounts.
"Our rules say five days, but most consumers get (their money) back within 24 hours," Visa spokeswoman Rosetta Jones said.
Yet consumer advocates said that any debit card fraud could result in money being drained from a bank, mutual fund or other cash account at a time when those funds were really needed.
"Even if you are able to recover the money later, that's going to cause you an awful lot of pain and heartburn," said Jamie Court, president of Consumer Watchdog, a nonprofit advocacy group.
Data breaches can also be costly for the retailers and credit card firms affected, along with the companies that process the payments, people who have reviewed past attacks say.
Komarov, an expert on cybercrime who has helped law enforcement investigate previous attacks, told Reuters on Friday that retailers in California and New York were among those compromised by BlackPOS. Reuters was unable to confirm their names.
Komarov said he has not directly contacted those merchants. Security experts typically report cybercrimes through law enforcement rather than going directly to victims because the process can be time-consuming and victims are often suspicious when they first learn of attacks.
BlackPOS was developed by a hacker whose nickname is "Ree4" and who is now about 17 years old and living in St. Petersburg, Russia, according to Los Angeles-based IntelCrawler.
The teenager sold the malicious software to cybercriminals who then launched attacks on merchants, said Komarov, who has been monitoring Ree4's activities since March.
Komarov declined to specifically identify the sources of his intelligence, though he said he has been monitoring criminal forums where Ree4 sells his software and posted an excerpt of a chat with a client on the IntelCrawler website.
Officials with the Russian Interior Ministry could not be reached for comment when Reuters attempted to contact them after office hours on Friday.
The bulk of the attacks have occurred in the United States, but about 30 percent have occurred in other countries, including Australia and Canada, Komarov said.
Target last month disclosed the theft of some 40 million payment card numbers in a breach uncovered over the holiday shopping season, and later reported that 70 million customers' records had also been taken.
Neiman Marcus last week said that it too was victim of a cyberattack. Sources have told Reuters that at least three other well-known national retailers have been attacked.
John Watters, chief executive of iSIGHT Partners, which is helping the U.S. Secret Service with its investigation into the attacks, said that he expects the pace of assaults on merchants to pick up.
Copycats will pile on, using similar software, which can be purchased on underground forums, and similar techniques to launch attacks on retailers, he said. "They are saying: 'This is a great idea.'"
BlackPOS is a type of RAM scraper, or memory-parsing software, which enables cybercriminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text.
It is derived from code that has been floating around underground cybercrime forums since at least 2005 and may be related to malicious software used in attacks as early as 2003, said Shane Shook, an executive with cybersecurity firm Cylance Inc who has helped investigate major breaches at retailers.
While the technology has been around for many years, its use has increased as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.
It succeeded in evading detection by anti-virus software when it infected the Windows-based point-of-sales terminals at retailers like Target, according to the report that the government privately distributed to merchants on Thursday, which iSIGHT Partners helped prepare.
Officials with the Secret Service could not immediately be reached for comment.
(Additional reporting by Richard Valdmanis, Lisa Baertlein, Mark Hosenball, David Henry and Megan Davis; Editing by Richard Valdmanis, Chizu Nomiyama and Jonathan Oatis)