A single point-of-sale malware campaign may have infected more than 1,000 U.S. businesses in just over a year, according to an advisory issued Friday by the Department of Homeland Security, though an overwhelming majority of the companies purportedly affected remained unnamed.
The point-of-sale (POS) malware, known as 'Backoff', was the subject of an earlier report released by the Department of Homeland Security (DHS) less than a month ago, though at that time the campaign had been linked to only three unnamed breach investigations since its discovery in October 2013. The new advisory said that seven POS system vendors confirmed that multiple clients have been affected by Backoff, with the U.S. Secret Service estimating that over 1,000 businesses may ultimately be infected based on the agency's ongoing investigations.
Despite those claims, Backoff's victims remain largely unknown. On August 19, New Orleans-based restaurant Mizado Cocina confirmed that an investigation by a third-party forensics firm -- spurred by customer reports of fraudulent card activity earlier in the summer -- had uncovered a Backoff infection in its environment. Speculation has also linked Backoff to the breaches at Target, Neiman Marcus and most recently UPS, though federal authorities have not revealed any information to corroborate those claims.
According to the July report, the attackers behind Backoff target employees with administrator or privileged access accounts via remote desktop applications such as Splashtop, LogMeIn and Microsoft's Remote Desktop. By brute-forcing the login credentials for those accounts, the attackers gain remote access to the POS system and install the Backoff malware, which includes code that makes it resistant to cleanup attempts.
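The credential brute-forcing described above leaves a distinctive trail: a burst of failed logons for a privileged account from one source address, followed by a success from the same address. The following detector is an added example, not code from the DHS advisory or any vendor; it runs over a handful of constructed Windows Security log lines. The flat `key=value` export layout is an assumption for the demo, while the field names (EventID 4625 failed logon, 4624 successful logon, TargetUserName, IpAddress, LogonType 10 for RemoteInteractive/RDP) are the real Windows event fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, NOT a real log. Real Security logs are EVTX/XML; the
# flat "key=value" layout is an assumption for the demo. LogonType 10 is the
# RemoteInteractive (RDP) logon type; 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = """\
2014-08-01T02:14:03Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2014-08-01T02:14:05Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2014-08-01T02:14:08Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2014-08-01T02:14:11Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2014-08-01T02:14:14Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2014-08-01T02:14:17Z EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2014-08-01T02:14:20Z EventID=4624 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2014-08-01T09:00:01Z EventID=4625 TargetUserName=cashier1 IpAddress=192.168.1.20 LogonType=2
2014-08-01T09:00:09Z EventID=4624 TargetUserName=cashier1 IpAddress=192.168.1.20 LogonType=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$"
)
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the flat export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "user": m["user"],
            "ip": m["ip"],
            "ltype": int(m["ltype"]),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (ip, user) pairs with >= threshold RDP logon failures inside a
    sliding window. A 4624 from the same source after the burst is reported
    as `succeeded`: that is the case to escalate first, since the account is
    then presumed compromised rather than merely attacked."""
    failures = defaultdict(list)
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] != RDP_LOGON_TYPE:
            continue  # only remote desktop logons matter for this pattern
        key = (ev["ip"], ev["user"])
        if ev["eid"] == 4625:
            bucket = failures[key]
            bucket.append(ev["ts"])
            # keep only failures that fall within the window ending at this event
            failures[key] = [t for t in bucket if ev["ts"] - t <= window]
            if len(failures[key]) >= threshold:
                entry = findings.setdefault(
                    key, {"ip": key[0], "user": key[1], "failures": 0, "succeeded": False}
                )
                entry["failures"] = len(failures[key])
        elif ev["eid"] == 4624 and key in findings:
            findings[key]["succeeded"] = True
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The cashier's two interactive (LogonType 2) events are ignored, and the Administrator burst is reported once with its final failure count and the trailing success. In production the same logic belongs in the SIEM over the real 4625/4624 fields, and the threshold should be tuned per environment; what should not change is treating a success after a burst as an incident, not a closed alert.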
The malware family itself is fairly typical of POS-related attacks. Backoff includes keylogging functionality and a command-and-control infrastructure for exfiltrating data, as well as memory (RAM) scraping capabilities, which read unencrypted card data out of POS process memory and were the subject of a January FBI advisory.
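RAM scraping works because magnetic-stripe track data passes through POS process memory in the clear before it is encrypted for authorization; the scraper searches that memory for the Track 1 and Track 2 layouts and keeps only candidates whose PAN passes the Luhn check. The scanner below is an added example, not Backoff's code or anything from the advisories; a responder can run the same logic over a process memory dump to confirm whether cleartext track data is exposed on a terminal. The memory buffer is constructed and uses the well-known 4111 1111 1111 1111 test PAN; the cardholder name, expiry and service code are made up.

```python
import re

# Constructed stand-in for a dump of a POS process's memory: binary noise with
# a Track 1 record, a Track 2 record, and a Track 2 look-alike that fails Luhn.
# The PAN is the standard Visa test number, not real cardholder data.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00\x03junk...\x7f"
    b"%B4111111111111111^DOE/JOHN^1512101123456789?"  # Track 1: %B<PAN>^<NAME>^YYMM<svc>...?
    b"\x00\x00\x00config=prod\x00"
    b";4111111111111111=15121011234567890?"           # Track 2: ;<PAN>=YYMM<svc>...?
    b"\x00"
    b";1234567890123456=1512101?"                     # right shape, invalid Luhn: discarded
    b"\xff\xfe"
)

# Patterns follow the ISO/IEC 7813 track layouts; the discretionary data after
# the service code is not validated, so the tail is just "anything up to '?'".
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})\d{3}[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_track_data(buf: bytes):
    """Return (track, masked PAN, expiry 'YY/MM', offset) for each hit.
    Luhn filtering is the same step a scraper uses to drop false positives
    before exfiltration, so a responder's scan should apply it too."""
    findings = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue
            # expiry group positions differ: Track 1 has a name field in between
            yy, mm = (m.group(3), m.group(4)) if track == "track1" else (m.group(2), m.group(3))
            masked = (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode()
            findings.append((track, masked, f"{yy.decode()}/{mm.decode()}", m.start()))
    return findings


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

The scanner reports two hits for the same card (one per track) and ignores the third candidate, whose PAN fails Luhn. The output masks the PAN to the first six and last four digits, which is what a forensic note should contain; a scraper, by contrast, keeps the full record, which is why the mere presence of cleartext track data in a terminal's memory is the condition that makes this malware family viable.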
The latest advisory noted that antivirus software was unable to detect Backoff until this month, and encouraged businesses of all sizes to actively investigate POS systems for Backoff infections.
"DHS strongly recommends actively contacting your IT team, antivirus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised," said DHS in its advisory. "The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this POS malware."