Hackers are targeting U.S. retailers with a new wave of malware intended to steal credit card and debit card information from payment terminals, according to a cybersecurity firm.
News of the attacks arrive just ahead of holiday shopping season, a particularly busy time of year for the retailers, health care providers, payment card processors, and hospitality companies that may be affected.
“This is by far most the most sophisticated point of sale malware we’ve seen to date,” said Maria Noboa, technical analyst at iSight Partners, whose team discovered the difficult-to-detect malware. “They have such great in-depth understanding of operational security measures, evading detection and the mitigation techniques used,” she said about the coders’ expertise.
The malware in question involves separate modules that run close to computers’ operating systems, making them harder to analyze. These “rootkit” modules—tools that enable the hackers to remain hidden and in control—also use advanced encryption that prevents traditional anti-virus and other monitoring software from detecting them.
“We have found three right now, and we are sure there are more out there,” said Stephen Ward, marketing director at iSight, about the modules. First, there’s a “keylogger,” that records and stores keyboard strokes. Second, there’s an “uploader-downloader” that connects compromised machines with the hackers’ command and control infrastructure, or remote servers that can send and receive data or instructions to and from infected devices. And third, the iSight researchers identified a “POS scraper” that steals payment card information from the memory of retailers’ computers.
Pieces of the malware seem to have been in in development as early as 2012, according to iSight. Attacks based on the malware began targeting U.S. retailers a year later, and the assaults are likely ongoing, Noboa said.
iSight named the malware “ModPOS” after its characteristic modules. The firm said it has found no discussion of it on online crime forums, which suggests that a single professional-level hacking group is behind the scam. Although firm evidence is lacking, some indicators suggest that the malware might be Eastern European in origin.
iSight said it began notifying clients of the threat in October, and other retailers more recently in order to give them time to track down and remove the malware from their machines before the Black Friday and Cyber Monday shopping sprees.
Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center, an industry group that shares cybersecurity information, told Fortune that members of the organization have been hunting for the malware on their systems since learning of it. “I don’t know if anyone has been effective in kicking it off their system, or what measures need to be taken to remove it,” she said. “It’s bigger in functionality, has more sophisticated coding, and it’s trickier about hiding,” compared to other recent [point of sale] malware attacks, she said.
Formed this year, the retail info-sharing group’s membership includes about 50 companies such as J. C. Penney
, and Walgreens
Nather noted that it was interesting to see that the attackers had not changed their IP addresses—the equivalent of street addresses on the Internet—since its earliest beginnings in 2012. “That’s very unusual for malware because, generally, as soon as someone figures out and shares IP address information, the attackers have to change them and move on,” she said. “They must have felt confident enough to use the same IP addresses so long as they didn’t believe they had been discovered all this time.”
Neither iSight nor the retail group revealed which companies are victims of breaches involving the malware. “We can’t get into specifics on the victim side other than to say that the potential is millions of credit cards,” Ward said.
The recent push by banks to implement security chip-enabled credit cards and by merchants to install chip-reading terminals in stores is “not a cure-all,”Noboa said. The beefed up protections should prevent hackers from creating counterfeit credit cards, but they are no defense against fraudulent “card not present” transactions, such as occur online.
A better preventative guard against the attack would be for retailers to thoroughly encrypt their customers’ banking data within their computer systems, Noboa said.
In its 2015 Global Security Report, the cybersecurity firm Trustwave, which was acquired by the Singaporean telecommunications firm Singtel for $810 million earlier this year, found that two out of five data breaches it examined involving nearly 600 investigations were related to point of sale system compromises.
At the end of 2013, Target
notoriously suffered a massive security breach that involved as many as 40 million payment cards. Home Depot last year was hit with a breach last year that compromised as many as 56 million payment cards.
Follow Robert Hackett on Twitter at @rhhackett. Read his cybersecurity, technology, and business coverage here. And subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology, where he writes a weekly column.
For more on Thanksgiving shopping, watch the video below: