Once inside the network, the hackers deploy malicious software called Backoff that is devised to steal payment card data from the memory of in-store cash register systems, the report says. After that information is captured, the hackers send it back to their computers and eventually sell it on the black market, where a single credit card number can go for $100.
In each case, criminals used computer connections that would normally be trusted to gain their initial foothold. In the Target breach, for example, hackers zeroed in on the remote access granted through the retailer's computerized heating and cooling software, the two people with knowledge of the inquiry said.
In an interview, Brad Maiorino, recently hired as Target's chief information security officer, said a top priority was what he called "attack surface reduction."
"You don't need military-grade defense capabilities to figure out that you have too many connections," Mr. Maiorino said. "You have to simplify and consolidate those as much as possible."