
U.S. government warns of point-of-sale malware campaign

The U.S. government has divulged details on the 'Backoff' point-of-sale malware campaign, which purportedly targets remote access software for entry.

The U.S. Department of Homeland Security has issued a report linking a newly uncovered point-of-sale malware campaign to several recent data breach investigations, though the government agency has not clarified whether known breach victims like Target and Neiman Marcus were among those impacted.

The report, issued in conjunction with the U.S. Secret Service, the Financial Sector Information Sharing and Analysis Center (FS-ISAC) and other organizations, said that variants of the newly uncovered "Backoff" point-of-sale malware had been discovered as part of at least three separate investigations dating back to October 2013, approximately a month before Target was struck by one of the largest data breaches in retail history. The malware family was still active as of July 2014.

The Backoff malware is initially installed onto PoS devices through the remote desktop applications that employees of the targeted businesses use. To get in, attackers simply brute-force the login credentials for applications such as Microsoft's Remote Desktop and Splashtop, which the report noted were often being used by employees with administrator or otherwise privileged accounts.
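A defender-side check for the entry method described above, added here as an example and not code from the report or from any vendor: it reads Windows Security events, flags a source address that produces a burst of failed Remote Desktop logons (Event ID 4625, LogonType 10), and escalates if that same source then logs on successfully. The log format, threshold, addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log excerpt (not real telemetry). Event 4625 is a
# failed logon, 4624 a successful one; LogonType 10 is a Remote Desktop session.
SAMPLE_LOG = """\
2014-07-30T02:14:01 EventID=4625 LogonType=10 Account=Administrator Src=198.51.100.7
2014-07-30T02:14:02 EventID=4625 LogonType=10 Account=Administrator Src=198.51.100.7
2014-07-30T02:14:03 EventID=4625 LogonType=10 Account=Administrator Src=198.51.100.7
2014-07-30T02:14:04 EventID=4625 LogonType=10 Account=Administrator Src=198.51.100.7
2014-07-30T02:14:05 EventID=4625 LogonType=10 Account=Administrator Src=198.51.100.7
2014-07-30T02:14:09 EventID=4624 LogonType=10 Account=Administrator Src=198.51.100.7
2014-07-30T09:00:00 EventID=4625 LogonType=10 Account=cashier1 Src=10.10.5.4
2014-07-30T09:00:20 EventID=4624 LogonType=10 Account=cashier1 Src=10.10.5.4
"""


def parse(line):
    """Turn 'ts Key=Value ...' into a dict; None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 5 or "=" not in parts[1]:
        return None
    ev = dict(p.split("=", 1) for p in parts[1:])
    ev["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect_rdp_bruteforce(log, threshold=5, window=timedelta(minutes=5)):
    """Alert on a source once it has `threshold` failed RDP logons inside `window`;
    mark the alert if the same source then logs on successfully (credential guessed)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = {}                     # src -> alert details
    for line in log.splitlines():
        ev = parse(line)
        if ev is None or ev["LogonType"] != "10":
            continue                # only Remote Desktop logons are in scope
        src, ts = ev["Src"], ev["ts"]
        if ev["EventID"] == "4625":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"account": ev["Account"], "failures": len(q),
                               "success_after": False}
        elif ev["EventID"] == "4624" and src in alerts:
            alerts[src]["success_after"] = True   # burst then success: treat as compromise
    return alerts
```

The lockout threshold the report recommends maps directly onto `threshold`: an account policy that locks after that many failures stops the burst at the host, and this check catches the attempts the logs still record.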

Once the Backoff malware is installed, the attackers also inject malicious code into the explorer.exe process so that the malware keeps running even if its own executable is stopped.

As for the functionality included in Backoff, Jérôme Segura, senior security researcher at Malwarebytes Labs, said that the malware's components aren't "overly sophisticated." Indeed, most Backoff variants feature typical keylogging functionality, according to the report, as well as a command-and-control infrastructure that exfiltrates stolen data and provides updates to the malware on infected devices. HTTP POST requests are used exclusively for the C&C communications, and exfiltrated data is encrypted with the RC4 algorithm.

The report also noted that the Backoff malware family is capable of "scraping memory from running processes on the victim machine and searching for track data," also known as RAM scraping, which was the subject of a U.S. Federal Bureau of Investigation advisory in January. At the time, the FBI warned retailers that such RAM scrapers had already been involved in around 20 cases similar to the Target breach, and that such attacks would likely continue to grow.

There are several potential mitigations that organizations could put in place to fend off this PoS malware campaign, according to the report. For instance, remote desktop access applications can be configured to lock out users after a specified number of failed login attempts, effectively preventing brute-forcing. The report also advocated the use of EMV-based chip and PIN technology for point-of-sale hardware, a measure that Target and other retailers in the U.S. are already rushing to implement.

A number of network security controls can also be utilized to defeat Backoff, the report noted, including reviewing firewall configurations to ensure that only allowed ports and IP addresses are communicating on the network.

"This is especially critical for outbound [e.g., egress] firewall rules, in which compromised entities allow ports to communicate to any IP address on the Internet," said the Department of Homeland Security report. "Hackers leverage this configuration to exfiltrate data to their IP addresses."
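An egress audit that turns the report's firewall advice into a check, added here as an example and not code from the report or from any vendor: given an allowlist of the destinations a PoS host legitimately needs, it reads firewall or flow log lines and reports every permitted outbound connection from the PoS subnet that falls outside that list. The subnet, allowlist, ports and log lines are constructed assumptions.

```python
import ipaddress

# Constructed egress policy for a PoS VLAN (assumed values, not from the report):
# PoS hosts may reach only the payment processor and an internal update server.
POS_SUBNET = ipaddress.ip_network("10.10.5.0/24")
EGRESS_ALLOWLIST = {                                  # destination network -> allowed TCP ports
    ipaddress.ip_network("198.51.100.0/24"): {443},        # payment processor (constructed)
    ipaddress.ip_network("10.20.0.10/32"): {443, 8530},    # update server (constructed)
}

# Constructed firewall/flow log excerpt in key=value form (not real telemetry).
SAMPLE_FLOWS = """\
2014-07-31T12:00:01 src=10.10.5.21 dst=198.51.100.44 dport=443 proto=tcp action=allow
2014-07-31T12:00:07 src=10.10.5.21 dst=10.20.0.10 dport=8530 proto=tcp action=allow
2014-07-31T12:03:15 src=10.10.5.21 dst=203.0.113.9 dport=80 proto=tcp action=allow
2014-07-31T12:03:45 src=10.10.5.21 dst=203.0.113.9 dport=80 proto=tcp action=allow
2014-07-31T12:04:00 src=10.10.5.30 dst=198.51.100.44 dport=80 proto=tcp action=allow
2014-07-31T12:05:00 src=10.10.7.2 dst=203.0.113.9 dport=80 proto=tcp action=allow
"""


def parse_flow(line):
    """Turn 'ts src=.. dst=.. dport=.. proto=.. action=..' into a dict, or None."""
    parts = line.split()
    if len(parts) < 6 or "=" not in parts[1]:
        return None
    flow = dict(p.split("=", 1) for p in parts[1:])
    flow["ts"], flow["dport"] = parts[0], int(flow["dport"])
    return flow


def is_allowed_egress(dst, dport):
    """True when dst:dport falls inside the allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport in ports for net, ports in EGRESS_ALLOWLIST.items())


def find_egress_violations(log):
    """Return permitted flows from PoS hosts to destinations outside the allowlist.
    Each hit is an instance of the 'any IP address on the Internet' gap the report warns about."""
    hits = []
    for line in log.splitlines():
        flow = parse_flow(line)
        if flow is None or ipaddress.ip_address(flow["src"]) not in POS_SUBNET:
            continue                               # only PoS hosts are in scope
        if flow["action"] == "allow" and not is_allowed_egress(flow["dst"], flow["dport"]):
            hits.append((flow["src"], flow["dst"], flow["dport"]))
    return hits
```

Repeated HTTP (port 80) flows from one terminal to one unlisted address, as in the sample, are the pattern a POST-based command-and-control channel would leave in such logs, and the same allowlist is what the egress rules themselves should enforce.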

Josh Grunzweig, a malware researcher with Trustwave SpiderLabs, a contributor to the Department of Homeland Security report, said in a blog post that while none of Backoff's features should be considered "innovative," that doesn't mean it should be ignored.

"The author simply made use of pre-existing practices when writing this malware," said Grunzweig. "While this malware is not revolutionary, it should still be treated as a threat."

Next Steps

Need to know more about defending point-of-sale environments? Chester Wisniewski of Sophos details his research into point-of-sale security issues in this video interview, and resident threat expert Nick Lewis explains how enterprises can fend off RAM scraping malware like Backoff.


Malware doesn't have to be revolutionary to be a threat. The most successful malware takes advantage of the loopholes that no one else sees/thinks of and rides it out as long as possible. Most hackers don't want to reinvent the wheel, they are looking for the best way to score big and score fast.
Good points, sonatype. It's been noted before that companies may focus too much on the vulnerabilities that get a lot of press, and less on the basic security measures that could stop most attacks. The simplest answer/solution is often the most effective.