News Feature | September 8, 2014

Retailers Urged To Defend Against 'Backoff' Point-of-Sale Malware

By Christine Kern, contributing writer

US-CERT Updates Warning About “Backoff” POS Malware

US-CERT has updated its warning on the “Backoff” POS malware. The new release states, “Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven POS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.”

Backoff “represents a very real threat to the security of cardholder data in all organizations,” wrote the PCI Security Standards Council, an organization founded by MasterCard, Visa, American Express and other card companies.

According to the US-CERT warning, “Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, and LogMeIn offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.”

The malware and most of its variants went undetected by most antivirus products until mid-August 2014, so signature-based scanning alone offered little protection for most of the campaign.

To combat the threat, the PCI Council recommended that companies check with their antivirus vendor to confirm that its product now detects Backoff, and then run a scan immediately. The Council also advised merchants to “review all system logs for any strange or unexplained activity, especially large data files being sent to unknown locations.”
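The intrusion chain US-CERT describes above (remote desktop exposed to the internet, credentials brute forced, then a privileged logon) leaves a very recognisable trace in the logs the PCI Council asks merchants to review. The following is an added example, not code from US-CERT, the PCI Council or this article: a small detection that runs over constructed records shaped like Windows Security log logon events. Event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, the type an RDP session records) are the real Windows values; the sample records themselves, the IP addresses and the threshold of five failures in five minutes are constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log data), one tuple per logon event:
# (timestamp, EventID, account, source IP, LogonType).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
SAMPLE_EVENTS = [
    ("2014-08-20 02:14:01", 4625, "Administrator", "198.51.100.23", 10),
    ("2014-08-20 02:14:05", 4625, "Administrator", "198.51.100.23", 10),
    ("2014-08-20 02:14:09", 4625, "admin",         "198.51.100.23", 10),
    ("2014-08-20 02:14:30", 4625, "pos",           "203.0.113.7",   10),  # two typos
    ("2014-08-20 02:14:33", 4625, "pos",           "203.0.113.7",   10),
    ("2014-08-20 02:14:40", 4624, "pos",           "203.0.113.7",   10),
    ("2014-08-20 02:15:12", 4625, "admin",         "198.51.100.23", 10),
    ("2014-08-20 02:15:40", 4625, "Administrator", "198.51.100.23", 10),
    ("2014-08-20 02:16:02", 4625, "Administrator", "198.51.100.23", 10),
    ("2014-08-20 02:16:55", 4624, "Administrator", "198.51.100.23", 10),  # guess succeeded
    ("2014-08-20 09:00:00", 4624, "clerk",         "192.0.2.5",     2),   # console logon, ignored
]

RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with at least `threshold` failed RDP logons inside a
    sliding `window`, and record whether a successful RDP logon from that IP
    followed the burst. Returns {ip: {"failures", "accounts", "success_after_burst"}}."""
    parsed = sorted(
        ((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ts, eid, user, ip, lt)
         for ts, eid, user, ip, lt in events),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)  # ip -> deque of (time, account) failures still in window
    findings = {}
    for when, raw_ts, eid, user, ip, lt in parsed:
        if lt != RDP_LOGON_TYPE:
            continue
        q = recent[ip]
        while q and when - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if eid == 4625:
            q.append((when, user))
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"failures": 0, "accounts": set(), "success_after_burst": None})
                f["failures"] = max(f["failures"], len(q))
                f["accounts"].update(account for _, account in q)
        elif eid == 4624 and len(q) >= threshold:
            # A success immediately after a burst of failures is the signal that
            # matters most: the brute force very likely worked.
            f = findings.setdefault(
                ip, {"failures": len(q), "accounts": set(), "success_after_burst": None})
            f["success_after_burst"] = (user, raw_ts)
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Two failed logons from 203.0.113.7 followed by a success look like an operator mistyping a password and stay below the threshold; six failures against two accounts from 198.51.100.23 inside three minutes, then a successful Administrator logon, is the pattern the advisory describes. In production the same logic would be fed from forwarded event logs, and the threshold tuned to the site's normal RDP usage.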

In addition, retailers should change default passwords and rotate existing ones, particularly on the remote-access and administrator accounts the attackers targeted, a long-recommended practice that still catches companies off guard.

Merchants are also advised to use card-processing devices that encrypt cardholder data immediately at the point of capture, so that the POS application itself never handles the card data in cleartext.

Several families of malware found on point-of-sale systems are so-called memory “scrapers”: they read card data out of the POS process's memory during the brief interval when it is held unencrypted, before it is encrypted for storage or transmission. PCI DSS requires cardholder data to be protected at rest and in transit, but it does not stop that data from existing in cleartext in process memory, which is why the weakness is prevalent on retail POS networks that pass PCI DSS audits.