Backoff Retail Malware Pulls User Info From POS Systems

The U.S. Secret Service warns that newly discovered malware, called Backoff, could well have already affected 600 businesses.


The U.S. government is warning of a newly discovered form of retail malware, known as Backoff, that is rooting out user information from point of sale (POS) systems.

The warning comes from the United States Computer Emergency Readiness Team (US-CERT) working together with the Secret Service, the National Cybersecurity and Communications Integration Center (NCCIC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). The malware was first analyzed by security vendor Trustwave working under contract with the Secret Service.

According to a US-CERT technical alert, the Backoff malware first appeared in October 2013 and is still active, with at least three primary variants. Backoff can log keystrokes, scrape device memory for credit card data and communicate with other nodes in a larger botnet. Retail malware risks have become increasingly prominent in the past year, with multiple breaches reported.

Backoff is both a malware risk and a botnet risk, said Karl Sigler, threat intelligence manager at Trustwave. "It's malware that is organized into a botnet, using a central command and control [C2] server," Sigler told eWEEK. "The C2 system provides central management of all infected POS systems as well as a means to upgrade the malware to new versions."

While Backoff is only now being publicly disclosed, it has already had a large impact. Sigler noted that Trustwave is currently working on four post-breach forensics investigations that involve the Backoff malware. Across all four, nearly 600 businesses have been infected, and he expects more to come in.

Backoff doesn't infect POS machines by way of a typical phishing exploit, in which an attacker tricks a user into clicking on a malicious link. So there's no need to use phishing-type techniques or exploit kits to infect a system with Backoff, Sigler said.

"The criminals brute-forced the credentials of POS vendors' remote administration software in order to install the malware," Sigler explained. "Since people typically don't check email or browse the Web from a POS system, those attack vectors [phishing] are useless in this case."

In a brute-force attack, the hacker repeatedly tries username and password combinations until they gain access. According to US-CERT, as of July 31, antivirus technologies were not detecting Backoff, though that is now likely to change, thanks to the advisory.

One of the primary mitigations to limit the risk of Backoff is controlling and restricting remote desktop access on the POS system. Remote desktop is the method by which Backoff attackers remotely gain access to systems.
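Restricting remote desktop access is the preventive control; the detective side is watching the logon log of each POS host for the credential-guessing pattern described above. The following is an added example, not code from the article, the advisory or Trustwave: it scans Windows logon events (4625 = failed logon, 4624 = successful logon) exported from a POS host and flags any source address that piles up failures in a short window, noting whether a successful logon followed the burst. The CSV field layout and the sample log are constructed for the example.

```python
# Added example (not from the article or the advisory): flag the kind of
# remote-access brute force described above from Windows logon events
# exported off a POS host (4625 = failed logon, 4624 = successful logon).
# The CSV layout "timestamp,event_id,source_ip,username" is an assumption.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one burst of guesses followed by a success,
# plus a single ordinary typo from a clerk that must not be flagged.
SAMPLE_LOG = """\
2014-07-28T02:00:01,4625,203.0.113.7,admin
2014-07-28T02:00:02,4625,203.0.113.7,administrator
2014-07-28T02:00:03,4625,203.0.113.7,pos
2014-07-28T02:00:04,4625,203.0.113.7,posadmin
2014-07-28T02:00:05,4625,203.0.113.7,support
2014-07-28T02:00:06,4625,203.0.113.7,vendor
2014-07-28T02:00:07,4624,203.0.113.7,vendor
2014-07-28T09:15:00,4625,198.51.100.4,clerk
2014-07-28T09:15:30,4624,198.51.100.4,clerk
"""
FAILED, SUCCESS = "4625", "4624"

def parse_events(text):
    """Yield (timestamp, event_id, source_ip, username) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, event_id, src, user = line.split(",")
            yield datetime.fromisoformat(ts), event_id, src, user

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map source_ip -> {"failures": peak count in window, "success_after": bool}
    for sources reaching `threshold` failures inside `window` (events in time order)."""
    recent = defaultdict(deque)  # per-source timestamps of recent failures
    flagged = {}
    for ts, event_id, src, _user in events:
        q = recent[src]
        if event_id == FAILED:
            q.append(ts)
            while ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(src, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
        elif event_id == SUCCESS and src in flagged:
            flagged[src]["success_after"] = True  # success after a burst: real alarm
    return flagged

if __name__ == "__main__":
    for src, info in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample log only 203.0.113.7 is flagged, with six failures in the window and a success immediately after; the clerk's single failed attempt stays below the threshold.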

Going a step further, all retailers that accept payments should be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Sigler noted that PCI DSS addresses specific controls that could have mitigated or prevented a Backoff infection.

Section 8.3 of PCI DSS states that two-factor authentication should be used for remote access, Sigler said. Two-factor authentication requires a second factor, beyond the password, before a user is able to log in.

"Implementation of two-factor authentication could have prevented the brute-force attack that allowed the initial infection," Sigler said.

Another key requirement of PCI DSS is that businesses have a firewall in place that protects cardholder data.

"Proper access controls [and] firewall rules could have prevented the exfiltration of card data even if infected with Backoff," Sigler said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.