Backoff malware widespread, PCI Council issues call to action

Backoff malware has affected more than 1,000 U.S. businesses, infecting POS systems from Target to Supervalu. The United States Secret Service and Department of Homeland Security have issued a warning that the Backoff POS malware may have infected more systems than previously believed.

In response, the PCI Council has issued an urgent call to action and is encouraging companies to consider a number of recommended actions.

Backoff is a family of POS malware with three identified primary variants. These variants have been detected dating back to October 2013 and continue to operate as of August.

The government agencies warn that the malware may have infected more than 1,000 organizations and represents a very real threat to the security of cardholder data. This malware, released in 2013, infects electronic cash registers and similar POS systems, and was not recognized by antivirus software solutions until this August. It has already resulted in large amounts of cardholder data being compromised and transmitted to criminal organizations.

Last fall, Target (NYSE:TGT) was the victim of an extended attack that compromised the credit and personal data of more than 70 million shoppers. In the following months, retailers including Michaels Stores and Sally Beauty reported data breaches. Most recently, Supervalu announced it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores, although there was no confirmation that any cardholder data was, in fact, stolen and no evidence the data was misused, according to the company.

The PCI Council recommends that retailers make sure they have the most up-to-date versions of antivirus software to detect "Backoff" malware and run the solution immediately. It also suggests that retailers review all system logs for strange or unexplained activity, especially large data files being sent to unknown locations.

The Council also recommends requiring all default and staff passwords on systems and applications to be updated, and providing good guidance on choosing secure passwords set to current standards.

"Attacks of this kind underscore the critical importance of a multi-layered approach to payment card security that addresses people, process and technology," said the council in a statement. "PCI Standards provide layers of defense to ensure businesses can prevent, defend and detect attacks on their systems. A daily coordinated focus on maintaining these controls—making payment card security a business as usual practice—provides a strong defense against data compromise."

Regarding malware specifically, organizations should review the following risk-mitigating security control areas outlined in PCI Data Security Standard (PCI DSS) 3.0:

  • Proper firewall configuration – Requirement 1
  • Changing vendor defaults and passwords on devices and systems – Requirement 2
  • Regularly updating anti-virus protections – Requirement 5
  • Patching systems – Requirement 6
  • Limiting access and privileges to systems – Requirements 7, 9
  • Requiring 2-factor authentication and complex passwords – Requirement 8
  • Inspection of POS devices – Requirement 9
  • Monitoring systems to allow for quick detection – Requirements 10, 11
  • Implementing sound security policies for preventing intrusions that may allow malware to be injected – Requirement 12

Managing third-party provider access remains a challenge for organizations, stated the Council. It also encourages retailers to reference recently released guidance, developed by a Special Interest Group, on managing risk and securing data when working with third parties. The guidance is intended to support PCI DSS and ensure that payment data and systems entrusted to third parties are maintained in a secure and compliant manner.
