Incognito Hackers Filched Mobile Payment Processor for Almost Five Years

Financial Services // Retailer

Compromised firm Charge Anywhere warned that some of the card data it sends and receives appears in plaintext, allowing attackers to copy it and use it in fraudulent transactions.

Malware installed on its network might have accessed the unencrypted data as far back as 2009.

"The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic," the company said in a statement. "Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."

Charge Anywhere first learned of a potential problem when it was informed of fraudulent charges on cards that had been legitimately used at certain clients. The attackers used malware that no antivirus program had seen before.

Names, account numbers, expiration dates, and verification codes are known to have been exposed for transactions that occurred this year from Aug. 17 through Sept. 24.

Malware frequently is able to scrape the computer memory of infected point-of-sale terminals. Payment card processors have also been known to be hacked. But the Charge Anywhere advisory is a reminder that the gateways that connect merchants' point-of-sale systems with card processors are also prime candidates for attack.