Why Backoff Malware Is Such a Big Threat to Retailers

by Sean Michael Kerner

Although the U.S. government didn’t issue a public advisory about Backoff until July, it turns out the malware has been active since October 2013.

Initially, 600 businesses were thought to be at risk from Backoff, but that number has been revised upward to “at least” 1,000, according to US-CERT.

Trustwave’s Karl Sigler notes that Backoff works against any Microsoft Windows-based POS system.

In most cases, the initial breach into a retailer’s POS system is by way of some form of Remote Desktop Protocol (RDP) access.

Sigler explained that in some cases, when the Backoff malware lands on a system, it is installed to an Oracle Java directory with an executable name of javaw.exe. He added that most POS systems typically don’t need to have Java.

One of the core capabilities of Backoff is that it grabs customer credit card data taken from magnetic stripe card swipes.

Going a step beyond just card swipes, Backoff also has keylogging features. Sigler noted that even if a cashier manually enters a credit card number, that data will also be compromised.

An infected Backoff system can communicate stolen data back to a command and control host every 60 seconds.

Sigler suggests that retailers have a firewall in place that monitors for communications to rogue servers. The use of strong passwords and two-factor authentication is recommended as well. Reducing the attack surface by properly securing remote desktop access can also reduce the risk.