Backoff Malware Spread Might Have Been Contained With Basic Defenses

NEWS ANALYSIS: Malware that captured millions of credit card numbers from Target and infected hundreds of other companies could have been thwarted just by using good security practices.

POS Malware Hack

The U.S. Department of Homeland Security has issued an alert to businesses throughout the United States about a malware infection that invades point-of-sale (POS) systems and sends the credit card information of people to cyber-criminals.

The malware, which is being called Backoff by security researchers, operates by gaining access to POS systems through an administrator account, according to DHS.

Backoff is closely related to the malware that infected Target in 2013, according to Jerome Segura, senior security researcher at Malwarebytes. The Malwarebytes security software was already detecting Backoff before the DHS alert and identifying it as a Trojan, Segura said.

He credited DHS with providing the security industry with the signatures of the various iterations of the malware so that antivirus software could identify and blog the malware.

The U.S. Computer Emergency Response Team (US-CERT) provided technical details for identifying malware and specific instructions so that businesses with POS systems could prevent a similar malware attack. While the DHS report is highly technical and is aimed at security experts, the suggestions it makes for avoiding future attacks are really fairly straightforward.

The single overarching theme is that retailers are getting hit by malware because they aren't following even the most basic security practices. Simple things such as upgrading their POS software or the operating system on their computers would prevent most attacks.

Other basic steps, such as using strong passwords, would at least slow down the attacks. Likewise, simple segmentation of networks so that the POS systems aren't on the same network as the sales or accounting departments would make a big difference.

Segura said that most people in business didn't think of their POS machines as computers and didn't realize they could be infected by malware. In reality, he said, the POS systems were mostly Windows XP machines that had never been updated.

Making matters worse, many of the POS systems used remote access methods that were easy to subvert using a brute force process of simply hitting the remote access system with constant login attempts until something worked. The hackers would keep hitting client machines until they found one with privileged access that they could subvert.

"It's easier to piggy back on a trusted user," Segura said. "In a lot of cases, both the POS software and the OS are outdated. They may not have security software." In many cases, malware can penetrate a POS system because companies don't want to pay for updated versions of the software they use.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...