Point-of-sale malware is a problem that apparently isn’t going away any time soon.
No doubt spurred on by the massive data loss absorbed in the Target data breach and most recently Supervalu grocery chains, and UPS, which disclosed last week that 51 of its stores were victimized by credit card stealing malware, attackers are making short work of poorly secured PoS devices.
Backoff is the latest heavy in this arena, and since its public unveiling July 31, more than 1,000 businesses have been hit, prompting the U.S. Secret Service on Friday to issue an advisory warning businesses of the threat.
The Department of Homeland Security and the Secret Service warned businesses to be proactive in scanning devices and networks for point-of-sale malware, Backoff in particular.
“Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the ‘Backoff’ malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected,” the advisory said. “Reporting continues on additional compromised locations, involving private sector entities of all sizes.”
Law enforcement and government officials have been contacting businesses impacted by the malware, and urges others that believe they have been impacted as well to contact local Secret Service field offices.
Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes.
A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, one that’s using weak or default credentials that tumble in a brute-force attack.
Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor. Backoff also opens a backdoor where stolen data is sent.
“The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,” the advisory from US-CERT says.
It didn’t take experts long to pin the blame for the Target breach on RAM scraping malware, which parses memory looking for formatted credit card numbers. The malware is injected into a running process and grabs the numbers from memory before they’re encrypted on the device.
Attacks on point-of-sale systems have been a major threat highlighted in the annual Verizon Data Breach Investigations Report (DBIR), generally because smaller retail organizations are not well resourced to address security properly. Larger organizations such as Target and Neiman Marcus, which are supposed to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), are another story. The standard requires certain safeguards for point-of-sale systems in addition to mandating how card data is encrypted in transit and storage.
Hackers scan the Internet looking for vulnerable versions of remote administration tools and brute force them hoping to find weak or default credentials in place. The Target breach put more than 100 million at risk for identity theft and financial loss, and it led to the departure of several executives, including then-CEO Gregg Steinhafel.
