The Target data breach which has left tens of millions of payment cards compromised was carried out using off-the-shelf malware authored by a 17 year old Russian, according to security firm IntelCrawler.
Officials believe that the Target breach - which saw crooks steal the details of around 40 million customer cards and the personal information of 70 million - was just one of several attacks carried out over the holiday period.
Neiman Marcus Group says that it has also been hacked but a report authored by government agencies and security firm iSight Partners suggests that several other firms could have been hit.
The report has been sent out to retailers and banks warning them about what appears to be a concerted and sophisticated campaign and says that the malware used was partly written in Russian and that some of it had been on the black market since last spring.
IntelCrawler claims that this code is the BlackPOS malware, developed by a teenager going by the name of 'ree4' who has roots in St Petersburg. It has been widely sold on underground forums in Eastern Europe over the last few months and used in attacks in Australia, Canada and the US.