The data breach affecting 216 of Jimmy John's restaurant locations had, at its source, an increasingly common exploit: remote-access passwords.
The perpetrator used compromised terminal passwords to remotely plant malware designed to steal card data, Florida-based Signature Systems Inc., a manufacturer of POS terminals for the quick-service restaurant industry, told its clients this week.
Such password access is becoming an increasingly common attack method against smaller merchants, said Jacob A. Ansari, a Payment Card Industry data security forensic investigator and technical services expert for 403 Labs, the security and compliance division for Sikich LLP.
"For smaller merchants with no IT staff, we find time and again that poorly protected remote-access passwords with a shared credential among all end points is a very common entry for these attackers," Ansari said.
Often, an attack through remote-access passwords unfolds when someone simply figures out the password or hears about it indirectly, Ansari said. "It is like rattling the lock until the latch falls off," he added. "It's not hard to imagine that some vaguely directed support temps or others would get a line on a password working."
After a hacker successfully attacks one POS terminal at one site, "they look to see where else it works, thinking maybe all of the franchisees are set up similarly," Ansari said.
In the case of Signature Systems, it is likely the attacker simply figured out who else the company did business with and then targeted those systems, Ansari added. In addition to the 216 Jimmy John's stores affected, Signature Systems said another 108 quick-service restaurants also suffered POS breaches through the malware.
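As an added illustration (not part of the original article, and not code from Signature Systems or 403 Labs), the two patterns Ansari describes, password guessing against one terminal and a shared support credential then reused across many sites, both leave a recognisable trace in remote-access authentication logs. The script below runs two simple checks over a constructed log; the log format, usernames, addresses and store numbers are all assumed for the example.

```python
"""Added example (constructed data): flag remote-access patterns that match the
Jimmy John's / Signature Systems story -- a burst of failed logins followed by a
success ("rattling the lock"), and one credential reaching many sites in a short
window (a shared support password being tried "where else it works")."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp  result  user  source-IP  terminal  site
SAMPLE_LOG = """\
2014-06-16T02:01:05 FAIL    support  203.0.113.7  POS-01 store-101
2014-06-16T02:01:09 FAIL    support  203.0.113.7  POS-01 store-101
2014-06-16T02:01:14 FAIL    support  203.0.113.7  POS-01 store-101
2014-06-16T02:01:20 FAIL    support  203.0.113.7  POS-01 store-101
2014-06-16T02:01:25 FAIL    support  203.0.113.7  POS-01 store-101
2014-06-16T02:01:30 FAIL    support  203.0.113.7  POS-01 store-101
2014-06-16T02:01:33 SUCCESS support  203.0.113.7  POS-01 store-101
2014-06-16T02:10:12 SUCCESS support  203.0.113.7  POS-01 store-102
2014-06-16T02:14:40 SUCCESS support  203.0.113.7  POS-02 store-118
2014-06-16T02:20:02 SUCCESS support  203.0.113.7  POS-01 store-127
2014-06-16T09:15:00 SUCCESS tech_ann 198.51.100.5 POS-01 store-101
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src, terminal, site = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "result": result,
                       "user": user, "src": src, "terminal": terminal, "site": site})
    return events


def _group_by_actor(events):
    """Group events by (user, source IP), each group sorted by time."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["src"])].append(e)
    for evs in by_actor.values():
        evs.sort(key=lambda e: e["ts"])
    return by_actor


def find_guessing(events, max_failures=5, window=timedelta(minutes=10)):
    """Return (user, src) pairs whose successful login was preceded by at least
    max_failures failed attempts inside the window: the 'rattling the lock' signature."""
    alerts = []
    for actor, evs in _group_by_actor(events).items():
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            failures = sum(1 for f in evs[:i]
                           if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window)
            if failures >= max_failures:
                alerts.append(actor)
                break
    return alerts


def find_shared_credential_spread(events, min_sites=3, window=timedelta(hours=1)):
    """Return {(user, src): sorted sites} for credentials that successfully reached
    at least min_sites distinct sites within the window from one source address."""
    spread = {}
    for actor, evs in _group_by_actor(events).items():
        successes = [e for e in evs if e["result"] == "SUCCESS"]
        for i, start in enumerate(successes):
            sites = {e["site"] for e in successes[i:] if e["ts"] - start["ts"] <= window}
            if len(sites) >= min_sites and len(sites) > len(spread.get(actor, [])):
                spread[actor] = sorted(sites)
    return spread


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("guessing:", find_guessing(evs))
    print("spread:", find_shared_credential_spread(evs))
```

The second check is the one that matters for a franchise fleet: a legitimate technician's account normally touches one or two stores in a shift, so a single source address authenticating to several sites in an hour is exactly the "where else does it work" behaviour described above, and a per-site credential would make it impossible in the first place.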
Champaign, Ill.-based Jimmy John's notified its customers Sept. 24 of the data breach.
Signature Systems confirmed it was made aware of the potential breach in late July, but waited until mid-September for forensic investigations to provide accurate information about the breach before informing clients and consumers.
The time periods in which terminals were infected varied by location, but Signature estimates the earliest intrusions in which card data was at risk began June 16.
After discovering the malware, Signature said it was able to remove it from most of the systems by Aug. 5. But the company acknowledged that it was not able to completely remove the malware from all devices until mid-September. Criminals designed the malware to avoid the anti-virus programs Signature used.
Prior to its removal, the malware was capable of "capturing the cardholder's name, card number, expiration date, and verification code from the magnetic stripe of the card," Signature stated.
The malware affected various pizza and sandwich-shop locations throughout the country, but mostly on the East Coast. Signature Systems did not respond to an inquiry for an update.
Prior to the Jimmy John's incident, P.F. Chang's restaurants revealed an intrusion through its restaurant payments system that affected 33 restaurants. The investigation into that breach continues.
Earlier in the month, Home Depot reported one of the largest retail breaches to date, citing 56 million payment cards potentially at risk. Investigators are reportedly probing any possible connection between the Target hackers and the Home Depot incident.
Hackers accessed Target's card data during the 2013 holiday shopping season by obtaining passwords for the company's heating and cooling systems, and moving into other systems not securely protected by firewalls. This method allowed attackers to place malware in Target's payments system.
Once in a network, hackers typically install malware called Dump Memory Grabber, VSkimmer or Dexter, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"A variant of Dump Memory Grabber was used in the Target breach," Conroy said. Hackers can purchase Dump Memory Grabber on the "underweb" for about $2,000, according to statistics Conroy compiled for Aite.
The hacker attacking Signature Systems likely used malware designed for "scraping" card data as the magnetic-stripe card is swiped through a reader, Ansari said.
"Sometimes the malware is a little more clever in terms of how it disguises itself, and it is certainly possible that it can be more sophisticated, but it most often is pretty basic stuff," Ansari added.
Because the hacks against retailers in the U.S. always target card data at the reader or while in transit, merchants will benefit from the U.S. move to EMV chip-based cards and point-to-point encryption starting at the terminal, Ansari said.
"Both security measures serve the same purposes in reducing the card-present data value and they complement each other nicely," Ansari added. "That's where the [security] juice is."
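As an added illustration (not part of the original article, and not a tool from any of the companies named), the check below shows what the "scraping" malware is looking for and why point-to-point encryption at the terminal takes it away. Magnetic-stripe track data has a fixed layout (Track 1 begins `%B<PAN>^<NAME>^<YYMM>`, Track 2 begins `;<PAN>=<YYMM>`), so a defender can scan a POS process memory image for that layout and confirm whether cleartext card data ever sits in software-readable memory. Both buffers are constructed; the card number is the standard 4111... test number, and the encrypted buffer is a stand-in for what a P2PE terminal would hand the POS application, not output from any real P2PE product.

```python
"""Added example (constructed data): find cleartext magnetic-stripe track data in a
memory buffer, the same exposure memory-scraping malware relies on, and show that a
buffer holding only terminal-encrypted data yields nothing to scrape."""
import re

# Track 1: %B<PAN 13-19 digits>^<name up to 26 chars>^<YYMM expiry>...
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
# Track 2: ;<PAN 13-19 digits>=<YYMM expiry>...
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used to weed out digit runs that only look like a PAN."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        d = int(digit)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only first six and last four digits, as a scan report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return (track, masked PAN, expiry) for every Luhn-valid track record in buf."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track1", mask(pan), m.group(3).decode()))
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track2", mask(pan), m.group(2).decode()))
    return hits


# Constructed: what POS memory holds when the reader passes the swipe through in
# the clear. The third record has a bad check digit and must not be reported.
CLEARTEXT_POS_MEMORY = (
    b"\x00\x00txn=8812 amt=1149 "
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b";4111111111111111=25121011000000000000?"
    b" ;4111111111111112=25121011000000000000? \x00\x00"
)

# Constructed stand-in for a P2PE flow: the terminal encrypts the track before the
# POS sees it, so memory holds a ciphertext blob plus a masked PAN for the receipt.
P2PE_POS_MEMORY = (
    b"\x00\x00txn=8813 amt=1149 "
    b"ENC:QzJ0d2RoZjk4N2EzYjJjMWQwZTNmNGE1YjZjN2Q4ZTlmMGExYjJjM2Q0ZTVmNg== "
    b"KSN:FFFF9876543210E00001 PAN:411111******1111 \x00\x00"
)


if __name__ == "__main__":
    print("cleartext flow:", find_track_data(CLEARTEXT_POS_MEMORY))
    print("p2pe flow:     ", find_track_data(P2PE_POS_MEMORY))
```

The scan is what a PCI forensic investigator runs to confirm scope after an incident, and what a merchant can run before one to learn whether its POS software ever sees track data. In the cleartext flow the scanner recovers the name, PAN and expiry from the very bytes the malware described above would read; in the P2PE flow the only readable value is the masked PAN, which is why Ansari describes chip cards and terminal encryption as complementary ways of draining the value out of card-present data.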