Dairy Queen Dipped with Backoff Malware Breach

Dairy Queen, the Berkshire Hathaway-owned purveyor of ice cream treats and a fast-food chicken-fried steak sandwich known only as the Dude, has become the latest chain to have customer card data compromised by hackers.

The breach took place in August and September and affected about 600,000 credit and debit cards, and was carried out using the Backoff malware. Backoff is responsible for scraping memory from running processes on the victim machine and searching for credit card track data, which can be used to make counterfeit cards or give fraudsters what they need to use card data online. Variations of the malware have been seen as far back as October 2013.

In this case, the purloined information included customer names, and the numbers and expiration dates of their payment cards. So far, there’s no evidence that Social Security or personal identification numbers were taken.

Overall, the attack affected 394 of more than 4,500 DQ locations in the US, and one Orange Julius location—most of which are independently owned and operated franchises. And just like the Target debacle, the intruder used the account credentials of a third-party vendor to access computer systems at some of the locations. DQ has published a list of affected stores.

"Unfortunately, we're going to see this attack strategy used successfully time and time again," Armond Caglar, senior threat specialist at TSC Advantage, told Infosecurity. "Third-party vendors with network access are a prime point of entry for hackers to infiltrate larger targets. One would think that Target's example would have served as the only lesson needed to prompt other businesses to put better third-party security measures, such as segmentation, in place. But there are still too many companies that simply don't think they're a target or think they've got their bases covered."

Dairy Queen said in a statement that it has hired forensic specialists and is “confident” the malware is contained. It also said that it will provide identity-repair services for a year to customers of the locations that were affected.

“We are committed to working with and supporting our affected DQ and Orange Julius franchise owners to address this incident,” John Gainor, CEO of Dairy Queen, said in a statement.

The Department of Homeland Security said in an advisory in August that Backoff malware was responsible for point-of-sale hacks at more than 1,000 American businesses. Out of those, seven companies that use retail PoS systems each have had multiple clients affected by the malware. The New York Times reported that Backoff is behind two of the more high-profile victims, UPS and Supervalu.

US CERT also warned over the summer that Backoff had low to zero anti-virus detection rates, which meant that even fully updated anti-virus engines on fully patched computers could not identify the malware as malicious. Even now, companies are still in the position of having to actively search for Backoff on their systems, prompting the additional warning from the Feds.

What’s Hot on Infosecurity Magazine?