The number of businesses ensnared in a new malware attack revealed in a Department of Homeland Security report this week may run to six hundred, according to a cybersecurity firm that helped DHS prepare the report.

Hackers are using point-of-sale (PoS) malware to steal consumer payment data, including credit and debit card information, from businesses that use remote desktop applications, according to the DHS report out Thursday. The department is now investigating the breaches.

But cybersecurity company Trustwave says at least six hundred businesses across the country have had the malicious software, dubbed “Backoff,” installed on their networks since Oct. 2013, allowing hackers to steal data. The DHS declined to comment to TIME on the scope of the attack.

Many of the 600 are small independent brick-and-mortar shops, said Karl Sigler, threat intelligence manager at Trustwave, but large national chains have been caught up as well. A DHS official who spoke on the condition of anonymity said that large chains were specifically vulnerable when acquiring a smaller business that could have weaker security protections.

The hackers target businesses that use remote desktop applications, according to the DHS, of the same kind used by technical support to access a computer from an off-site location. Once they find businesses with basic I.T. security or weak passwords, they can gain the same remote access to systems that technical assistance might have and easily install the malware.

“Backoff” then scrapes memory from the victims’ machines, searches for track data and logs keystrokes to reap sensitive data such as credit card information. “Once the malware sees a credit card system in memory, or typed in, it grabs that credit card information, then encrypts it and ships it out to another system under criminals’ control,” Sigler explained.

The DHS first outlined how the hackers gained access to point-of-sale systems to install “Backoff” in its Thursday report. “Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications,” it said, citing Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEin Join.Me as commonly used remote desktop solutions.

Many more victims are likely to be discovered in the coming months, Sigler added. “A lot of smaller businesses were affected but there were very large chains that were affected as well. But they’re names anyone in the states would recognize,” Sigler said. “This is just the tip of the iceberg, but only time will tell how far this reaches.”

All the businesses that have so far been identified as targets of the breach are aware of the attack, Trustwave said.

The Secret Service is investigating the hackers behind the attacks on retailers and Sigler said the Department of Justice would likely prosecute the hackers responsible. The Department of Justice did not return requests for comment, while the Secret Service said it could not comment on how many businesses were affected.

The release of the report will likely spur anti-virus vendors to code defenses against existing variants of “Backoff,” the DHS said in its report. Businesses should create complex passwords for their remote desktop access in order to make their systems harder to break into.

Contact us at letters@time.com.