Malware on sale underground
The FBI said in its report that one variant of the malicious POS software, known as Alina, included an option that allowed remote upgrades, making it tougher for corporate security teams to identify and eradicate it. The report said at least one type of malware has been offered for sale for as much as $6,000 in a "well-known" underground forum.
"The high dollar value gained from some of these compromises can encourage intruders to develop high sophistication methodologies, as well as incorporate mechanisms for the actors to remain undetected," the report said.
Asked to comment on the FBI warning, the National Retail Federation industry trade group said retailers are alert to cyberrisks.
"Retailers have been and remain vigilant in their efforts to provide the highest level of security for their data systems in order to protect against malicious and criminal acts," NRF Vice President Tom Litchford said in a statement.
"As the criminal investigation continues and more information becomes available, you can be sure that the retail industry will be responsive and engaged to ensure this particular cyberattack does not happen again."
One cybersecurity consultant who has reviewed the FBI report said the findings were troubling.
"Everybody we work with in the retail space is scared to death because they don't have a lot of defenses to prepare against these types of attacks," said the consultant, who is advising several retailers in current investigations.
"This is not just based on anybody saying 'This is going to happen.' This is based on statistical data that the FBI is seeing," said the consultant, who was not authorized to publicly comment on the details of the report.
Retailers need to move quickly to get better tools in their networks that can analyze traffic patterns on the fly and identify any unusual activity, said another expert in retail security, who has audited POS systems to find vulnerabilities that hackers can exploit.
The expert said it is more difficult for small to mid-sized retailers to do this because they do not have as much money and expertise as major retailers.
The FBI report said the bulk of the POS malware cases that the agency has investigated involve small to mid-sized local or regional businesses, whose estimated losses each range from tens of thousands of dollars to millions of dollars.
The United States Secret Service usually takes the lead in credit card breach investigations for the federal government, though the FBI sometimes opens its own cases or is asked to assist. The Secret Service is leading the investigations into the breaches at Target and Neiman Marcus.
A spokesman for the Secret Service declined to comment on the FBI report to retailers.