In July, it was revealed that Goodwill Industries had suffered from a credit card data breach that affected the charitable retailer’s stores in at least 21 states. The Goodwill breach seemed by many to be just the latest case of criminals taking advantage of the weak underbelly of retailers—their point-of-sale systems. But now, as it turns out, the Goodwill breach was just part of a much larger attack on an outside managed service provider that affected at least two other companies. And many more may have been affected without their knowledge.

Security reporter Brian Krebs first broke the news on the Goodwill breach in July and traced the breach back to C&K Systems, a reseller of retail software systems from NCR, Retail Pro, and other retail software and systems providers. Goodwill had outsourced much of the operation of its retail systems, including its point-of-sale (POS) systems, to C&K through a managed service contract.

In a statement published on Monday, C&K Systems admitted that they had suffered a breach of point-of-sale systems tied to their “Hosted Managed Services Environment.” The company determined with the assistance of outside forensic investigators that the breach began sometime in early 2013. “The unauthorized access affected our Hosted Management Services Platform intermittently between February 10, 2013 and August 14, 2014.”

A C&K Systems spokesperson admitted that Goodwill and two other customers were affected by the breach; the names of those retailers have not been released. The company does not believe its other customers were affected.

That means that for over 18 months, attackers were able to harvest credit card data from at least three retailers at will, without the companies’ knowledge. There is no current estimate of how many credit cards were compromised in the breach. And it’s not certain that there will ever be a full accounting.

Where the money is

Smaller retailers have been frequent victims of relatively low-tech attacks that take advantage of weaknesses in their point of sale system security—often, as in the case of Subway franchises, using remote access software installed on the systems with default or poor passwords to take control of the PCs at the heart of the systems, installing malware to intercept credit card swipes as payments are made. But larger retailers are increasingly becoming targets as well, as criminal enterprises of a different sort step up their game.

These criminal organizations—including fraud rings based in Eastern Europe and Russia—have repeatedly demonstrated over the past two years that they are capable of the same sort of long game attacks often associated with national intelligence agencies. They have collected deep intelligence on their targets, discovered the weakest links in their enterprise security, and exploited those weaknesses to penetrate the networks of retailers and place malicious code on their payment handling systems and extract credit card information.

By taking infrequent sips from the retailers’ credit card transaction fire hose, they can pull data to create fraudulent credit cards or to sell to other criminal enterprises for months or years without detection by the target. The C&K breach only came to light because banks contacted Goodwill after tracking back a rash of fraudulent transactions—mostly at big-box retail stores and grocery stores. Those transaction are often used to purchase gift cards or merchandise that can easily be converted into cash.

The attack on C&K’s systems used a specialized variant of the infostealer.rawpos POS malware that went undetected by the company’s security software until September 5. The infostealer malware is a memory-scraper—it sits resident in memory and watches for credit card data to be written to memory when it is read off of a card reader into memory allocated for card processing.

Breaches at other major retailers during the same period followed a similar pattern. And the timeframe for the C&K breach overlaps that of attacks on Target, P.F. Chang’s, Home Depot, Neiman Marcus, and other major retailers over the past two years. However, the Home Depot and Target breaches have been connected to a different piece of malware, called BlackPOS. So in all likelihood, these data thefts are the result of multiple criminal organizations’ work, each building custom malware to infect point-of-sale systems and evade detection for the long haul.

Another POS

Because these attacks gather credit card data before it can be encrypted by the software in POS systems, they are able to defeat software that’s allegedly compliant with the Payment Card Industry (PCI) Security Standards Council’s specifications. But it’s the nature of credit cards themselves—particularly credit cards in the US—that makes the fraud possible in the first place.

The data pulled from POS systems essentially turns them into massively scalable credit card skimmers, capturing track data from the magnetic stripe on debit and credit cards that contains account data. For US-issued credit cards, the data on the magnetic stripe is broken into three tracks:

Track 1 contains all the data associated with the card, including the primary account number, the name of the holder, the expiration date, a card security code (typically, it’s not the same as the one printed on the card), and a longitudinal redundancy check value used to spot read errors.

Track 2 holds mostly the same data, minus the cardholder’s name

Track three, which is not commonly used, is formatted according to the ISO/IEC 4909 specification—it was designed to be writeable, to provide a way for prepaid cards and other payment cards to carry balance information. Most point-of-sale systems ignore the data.

Visa and MasterCard have been trying to push for a change to the credit card system that will give them greater protection from fraud—the EMV “chip and PIN” system commonly used in much of the rest of the world. These systems use an onboard smart chip to encrypt credit card data—the card is pushed into a slot that connects the chip to the card reader, rather than reading data from the magnetic stripe. The encryption, however, is not particularly strong, and not a guarantee that card numbers still won't be stolen.

Retailers have been slow to adopt EMV in the US, however, because of the expense of replacing POS systems. That’s due to change by October of 2015, when Visa and MasterCard plan to shift liability for fraudulent charges made on old-school “swiped” credit card readers to the retailers who use them—which should provide plenty of financial incentive for retailers to make the switch.