Backoff Malware Behind Thousands of PoS Hacks

Less than a month after US-CERT warned businesses about a fresh malware dubbed Backoff, associated with several point of sale (PoS) data breach investigations, it turns out that the bug is much more pervasive than originally thought.

The Department of Homeland Security said in an advisory that more than 1,000 American businesses had been affected. Out of those, seven companies that use retail PoS systems each have had multiple clients affected by the malware. The New York Times reported that Backoff is behind two of the most recent victims, UPS and Supervalu.

The malware variant responsible for these attacks at the time of the US CERT warning had low to zero anti-virus detection rates, which meant that even fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.  Even now, companies are still in the position of having to actively search for Backoff on their systems, prompting the additional warning from the Feds.

Backoff is responsible for scraping memory from running processes on the victim machine and searching for credit card track data, which can be used to make counterfeit cards or give fraudsters what they need to use card data online. Variations of the malware have been seen as far back as October 2013.

“The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers and email addresses to criminal elements,” US-CERT said. “These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.”

US-CERT found that Backoff in general has four capabilities: Scraping memory for track data; logging keystrokes; command & control (C2) communication; and injecting malicious stub into explorer.exe, which is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the bug.

“Businesses, whether in PoS or other industries, must not rely on antivirus and start taking a proactive approach in protecting their environment and (customer) data," said Joe Schumacher, senior security consultant at Neohapsis Labs, in an email. "A proactive approach in securing the business technology starts with network isolation or adding secure layers between untrusted and trusted environments. IT Operations should push the business to invest in secure, robust authentication methods that protect the accounts accessing the business network and data. Furthermore, some examples of processes that must be defined include, at minimum, vulnerability/patch management, secure configuration deployments, reviewing firewall rule sets and user provisioning."

He added that security should never stop being a task of focus by the business or IT operations. "Business must invest in a good defense and that includes people, process and technologies that are integrated into the business," he warned. "Unfortunately a lot of businesses do not take monitoring or incident response as serious as they should to reduce risk of danger.”

What’s Hot on Infosecurity Magazine?