Backoff Malware Identified as Culprit in Dairy Queen Breach

Close to 400 Dairy Queen locations were breached this summer and the company has pinned the blame on hackers using the Backoff point-of-sale malware.

Backoff apparently has a sweet tooth.

International Dairy Queen on Thursday confirmed that 395 of its Dairy Queen locations nationwide were breached by hackers using the dangerous point-of-sale malware. One Orange Julius location was also involved in the breach.

The hackers were able to access payment card numbers, expiration dates and customer names, the company said in a statement.

“The company has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection,” the statement said.

Yesterday’s disclosure confirms reports from this summer that Dairy Queen had suffered a breach; reportedly, the Secret Service knocked on Dairy Queen’s door informing the company that the card-stealing malware was lurking on its network, according to security website Krebs on Security.

While nowhere on the scale of the Home Depot breach, it’s long been suspected that hackers had used the same malware to infiltrate point-of-sale systems at the home building supply retailer. Home Depot, in early September, confirmed it was breached and that 56 million customer payment card records had been accessed and were at risk.

Backoff is a Windows Trojan that is configured to capture credit card data from memory before it is encrypted at the point-of-sale terminal and shipped to a payment processor. The U.S. Secret Service issued an advisory earlier this summer that more than 1,000 businesses had been compromised by Backoff and that retailers should take a closer look at point-of-sale security.

Security company Invincea published an analysis of the malware during the rush of the Home Depot breach and characterized it as not particularly sophisticated malware that should have been caught by anitivirus and intrusion detection systems. The fact that it is eluding detection indicates that retailers are not running antivirus on servers that manage point of sale devices, or those servers are not being updated regularly.

Point-of-sale systems have been a juicy target for hackers; the annual Verizon Data Breach Investigation Report repeatedly has warned small businesses to be vigilant about these types of attacks, and experts have warned about malware families such as Backoff and others that are essentially RAM scrapers, accessing sensitive data in memory.

In late August, researchers at Kaspersky Lab released data from two Backoff malware command and control servers that were sinkholed. During a two-day period, close to 100 infected systems were connecting to the sinkhole.

“Our sinkhole covers less than 5  percent of the C&C channels and the sinkholed domains only apply to certain Backoff samples that were created in the first quarter of this year,” Kaspersky Lab researchers wrote in the report. “Yet, we’ve seen more than 85 victims connecting to our sinkhole.”

Meanwhile, the Dairy Queen breach, which the company said has been contained, affected fewer than 10 percent of the organization’s 4,500 locations in the U.S.

“The time periods during which the Backoff malware was present on the relevant systems vary by location,” Dairy Queen said. A list of affected locations is here.

Suggested articles