More Than 1K Affected by Same Cyberattack That Hit Target

More than 1,000 American businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu and most recently UPS Stores.

The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from American consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.

On July 31, Homeland Security along with the Secret Service, the National Cybersecurity and Communications Integration Center and their partners in the security industry warned companies to check their in-store cash register systems for malware, which security experts dubbed "Backoff" after a word that appeared in its code. Until that point, Backoff malware and variations of it were undetectable by anti-virus products.

A customer uses a credit card scanner at a Target store in Miami.
Getty Images
A customer uses a credit card scanner at a Target store in Miami.

Since then, seven companies that sell and manage in-store cash register systems confirmed to government officials that they each have had multiple clients affected. Some, like UPS and Supervalu, have stepped forward but the vast majority have not.

Watch: Cisco's cybersecurity snafu

Altogether, the Secret Service estimates that more than 1,000 American businesses have been affected.

According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities — a vendor with remote access to a company's systems or employees with the ability to work remotely — and then deploying computers to high-speed guess usernames and passwords until they've hit the right combination.

More from The New York Times:
Why We're Not Driving the Friendly Skies
Red Hook's Cutting-Edge Wireless Network
Why the Robots Might Not Take Our Jobs After All

The hackers use those footholds to crawl through corporate networks until they gain access to the in-store cash register systems. From there, criminals are scraping payment card data off the cash register systems and sending it back, through various hop points, to their servers abroad.

Millions of American consumers' payment card details are being sold on the black market, many of them from American companies that do not know their systems have been breached.

Unless companies search for Backoff on their systems, it can be difficult to identify. The Homeland Security report to be released later Friday recommends companies contact their service providers, antivirus vendors and cash register system vendor to assess whether they've been compromised, or are vulnerable to attack.

In a July 31 advisory, the Secret Service and Homeland Security recommended that companies limit the number of vendors with access to their internal network; require long, complex passwords that cannot easily be cracked by a computer, and lock employees and vendors out of their accounts after multiple login requests.

Read More Palo Alto Networks: Cramer's top cybersecurity stock

The agencies recommended that companies segregate crucial systems, like their cash registers, from corporate networks and install so-called two-factor authentication, which is a method that forces employees to enter a second, one-time password in addition to their usual credentials.

They also suggested that companies encrypt customer's data from the moment their cards are swiped in the store, log all network activity, and deploy security software that can alert technicians to unusual activity, like a cash register in a UPS Store in Tennessee communicating with a server in Russia.

—By Nicole Perlroth of The New York Times

Contact Cybersecurity


    Get the best of CNBC in your inbox

    › Learn More

Squawk Alley