Backoff malware targets retailers

There's a new cyber threat to retailers: Backoff, a family of point-of-sale malware that attackers install after breaking into retail systems through remote desktop applications.

The Department of Homeland Security has released a lengthy advisory, warning retailers and offering advice on how to best protect themselves.

Backoff is a family of point-of-sale (POS) malware with three identified primary variants. Those variants have been detected dating back to October 2013 and continued to operate as of July 2014.

"Backoff is just another piece of point-of-sale (POS) malware," explained Jaime Blasco, labs director of security startup AlienVault. "In this case, the attackers brute-forced remote access tools, including Remote Desktop and LogMeIn, and when they gained access, they deployed the malware. Like others, Backoff scrapes the memory to extract track data (i.e. credit card information). Once hackers obtain that data, they filter that information to a remote server where they can then sell it on the black market."

The malware typically has four capabilities: scraping memory for track data, logging keystrokes, command-and-control (C2) communication, and injecting a malicious stub into explorer.exe.

Backoff is responsible for "scraping memory from running processes on the victim machine and searching for track data," the DHS said. "Keylogging functionality is also present in most recent variants of Backoff. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware."

The waters are further muddied by the fact that, at the time of the advisory, Backoff and its variants had low to zero detection rates with antivirus software.

"The only realistic way to avoid this malware driven breach is to avoid the card and track data being present in live form in memory and storage in the retail processing systems and POS," said Mark Bower, VP, product management and solutions architecture, Voltage Security. "Leading merchants today are achieving success with this approach using the latest encryption technology."

When it comes to POS security, the DHS recommends implementing hardware-based point-to-point encryption. "It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities," the advisory said. "SRED-approved devices can be found at the Payment Card Industry Security Standards."

Strong passwords and two-factor authentication are a must. That weak passwords continue to be an issue for any operation, let alone retailers, is unsettling, but the Backoff intrusions, which began with brute-forced remote-access credentials, show this to be the case.

"Backoff shows that businesses haven't learned the lesson yet. The lessons to learn from the latest retailer breaches are: Don't expose critical systems such as POS devices to the internet, especially if you are running Remote Desktop or similar," said Blasco. "If for some reason you have to do it, try to create access lists so that only certain IP addresses can access those devices and use strong passwords or even two-factor authentication. Lock all the data and monitor all of your network traffic. Deploy detection technology to be able to look for suspicious traffic."
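Two of Blasco's recommendations, an access list for remote desktop and detection of suspicious traffic, can be checked against Windows Security logs. The following is an added example, not code from the article or from AlienVault, that runs over a handful of constructed log lines and flags three things: any RDP logon attempt from a source outside a hypothetical access list, a burst of failed RDP logons from one source (a brute-force attempt, the way Backoff operators got in), and a successful RDP logon from a source that had just been brute-forcing. Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the log format, addresses, account names, allowlist and threshold are assumptions for the example.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample, not real logs. One Windows Security event per line:
# "<UTC time> <EventID> <LogonType> <source IP> <account>", sorted by time.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2014-07-15T02:10:01Z 4624 10 198.51.100.5 posadmin
2014-07-15T02:10:03Z 4625 10 203.0.113.7 Administrator
2014-07-15T02:10:04Z 4625 10 203.0.113.7 Administrator
2014-07-15T02:10:05Z 4625 10 203.0.113.7 admin
2014-07-15T02:10:06Z 4625 10 203.0.113.7 pos
2014-07-15T02:10:07Z 4625 10 203.0.113.7 pos1
2014-07-15T02:10:09Z 4625 10 203.0.113.7 posadmin
2014-07-15T02:10:11Z 4624 10 203.0.113.7 posadmin
2014-07-15T03:00:00Z 4625 10 198.51.100.5 posadmin
"""

# Hypothetical access list: the only addresses that should ever reach RDP.
RDP_ALLOWLIST = {"198.51.100.5"}
FAIL_THRESHOLD = 5             # this many failed RDP logons ...
WINDOW = timedelta(minutes=2)  # ... within this window from one source IP

Alert = namedtuple("Alert", "kind ip time")


def parse_events(text: str) -> list:
    """Parse the constructed log format into dicts, one per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, acct = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(eid), "type": int(ltype),
                       "ip": ip, "account": acct})
    return events


def detect(events: list) -> list:
    """Flag out-of-allowlist RDP, RDP brute force, and success after brute force."""
    alerts = []
    fails = defaultdict(deque)   # source IP -> times of recent failed logons
    suspected = set()            # sources that already tripped the threshold
    outside_seen = set()         # sources already reported as off the access list
    for e in events:
        if e["type"] != 10:
            continue             # only RemoteInteractive (RDP) logons matter here
        if e["ip"] not in RDP_ALLOWLIST and e["ip"] not in outside_seen:
            outside_seen.add(e["ip"])
            alerts.append(Alert("access-list", e["ip"], e["time"]))
        if e["id"] == 4625:
            q = fails[e["ip"]]
            q.append(e["time"])
            while q and e["time"] - q[0] > WINDOW:   # slide the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and e["ip"] not in suspected:
                suspected.add(e["ip"])
                alerts.append(Alert("brute-force", e["ip"], e["time"]))
        elif e["id"] == 4624 and e["ip"] in suspected:
            alerts.append(Alert("success-after-brute-force", e["ip"], e["time"]))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{a.time:%Y-%m-%d %H:%M:%S}  {a.kind:26} {a.ip}")
```

On the sample, 203.0.113.7 is flagged as soon as it appears (it is not on the access list), again at the fifth failure within the window, and a third time when its logon finally succeeds. The last event, a single failure from the allowlisted address, produces nothing. In production the access-list check belongs on the firewall in front of the PoS network, as Blasco says; the log-based version here is the monitoring that tells you whether that control is actually holding.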

For more:
-See the DHS notice and recommendations
