SAN FRANCISCO — The same tools that help millions of Americans work from home are being exploited by cybercriminals to break into the computer networks of retailers like Target and Neiman Marcus.
The Homeland Security Department, in a new report, warns that hackers are scanning corporate systems for remote access software — made by companies like Apple, Google and Microsoft — that allows outside contractors and employees to tap into computer networks over an Internet connection.
When the hackers discover such software, they deploy high-speed programs that guess login credentials until they hit the right one, offering a hard-to-detect entry point into computer systems.
The report, which Homeland Security produced with the Secret Service, the National Cybersecurity and Communications Integration Center, Trustwave SpiderLabs, an online security firm based in Chicago, and other industry partners, is expected to be released on Thursday. It provides insight into what retailers are up against as hackers find ways into computer networks without tripping security systems.
It is also a reminder that a typical network is more a sprawl of loosely connected computers than a walled fortress, providing plenty of vulnerabilities — and easily duped humans — for determined hackers.
“As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end — the weak password they type in, the click on the email from the contact they trust,’’ said Vincent Berq of FlowTraq, a network security firm.
Once inside the network, the hackers deploy malicious software called “Backoff’’ that is devised to steal payment card data off the memory of in-store cash register systems, the report says. After that information is captured, the hackers send it back to their computers and eventually sell it on the black market, where a single credit card number can go for $100.
Among the report’s recommendations: Companies should limit the number of people with access to its systems; require long, complex passwords that cannot be easily cracked, and lock accounts after repeated login requests.
The report also suggests segregating crucial systems like in-store payment systems from the corporate network and making “two factor authentication’’— a process by which employees must enter a second, one-time password in addition to their usual credentials — the status quo.