Backoff POS Malware Affects Over 1000 Businesses
Malware attacks against Point of Sale (POS) terminals came into the collective consciousness with a big splash with the Target breach late last year, and more recently with the disclosure of data breaches at 51 UPS franchise stores and at major chains owned (or recently owned) by SuperValu, including SuperValu, Cub Foods, Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets. Last week the U.S. Secret Service warned that over 1000 US businesses were affected by Backoff, an up-and-coming piece of POS malware. Backoff's method of operation is not new, but it is very well executed. Like other POS malware, it installs a memory scraper on the terminal to capture credit card track data, along with a keystroke logger, establishes communications with a command and control server, and exfiltrates both payment card and keystroke data. The crime syndicates using Backoff have become highly skilled at compromising systems through remote access software in order to establish a "jump server" from which to find and infect POS terminals.
This is becoming an epidemic affecting the US retail industry. While there are no easy remedies, there are some common-sense things that businesses can do to reduce their attack surface:
- Upgrade your POS terminals if they are still running Windows XP, and keep them patched
- In addition to a good commercial-grade endpoint protection suite, lock down the terminal with a host-based intrusion prevention system (IPS) which whitelists all software and permitted connections
- Segment your network to keep POS machines separate from machines with internet access. Use a firewall, VLAN isolation, and/or network access control to ensure that only the minimum set of data flows required for operations are permitted. The idea is to both make it hard to infect the terminals and to make it hard for malware that does get in to exfiltrate data.
- Monitor your network for anomalous behavior that can indicate the presence of malware on the network. There are good products in this space.
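The segmentation and monitoring items above can be checked mechanically. The following is an added example, not part of the original post or any vendor product: it runs over constructed egress log lines from a POS VLAN, flags any flow whose destination is not in the minimum allowlist, and flags payloads that carry track-2-shaped card data (the shape a memory scraper captures) after a Luhn check to avoid false hits on ordinary digit runs. The hostnames, addresses and log format are assumptions for the example.

```python
import re

# Constructed sample egress log lines (not real traffic). Assumed format:
# src_ip|dst_host|dst_port|payload_snippet
SAMPLE_FLOWS = [
    "10.20.1.11|payments.example-processor.test|443|POST /auth HTTP/1.1",
    "10.20.1.11|patch.example.internal|443|GET /updates HTTP/1.1",
    "10.20.1.12|198.51.100.23|443|POST /upload ;4111111111111111=2512101000000000?",
    "10.20.1.13|203.0.113.9|80|GET /ping HTTP/1.1",
]

# The minimum set of flows the POS segment needs (assumed for this example).
# Anything else leaving the segment is a candidate infection or exfiltration.
ALLOWED = {
    ("payments.example-processor.test", 443),
    ("patch.example.internal", 443),
}

# Track-2-shaped data: 13-19 digit PAN, '=', then a YYMM expiry.
TRACK2_RE = re.compile(r"(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so timestamps and IDs are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_flow(line: str) -> list:
    """Return the list of reasons this flow should be investigated."""
    src, host, port, payload = line.split("|", 3)
    reasons = []
    if (host, int(port)) not in ALLOWED:
        reasons.append(f"{src} -> {host}:{port} not in POS allowlist")
    for m in TRACK2_RE.finditer(payload):
        if luhn_ok(m.group(1)):
            reasons.append(f"{src} -> {host}:{port} payload carries track-2-like data")
            break
    return reasons


def scan(lines) -> dict:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    return {line: r for line in lines if (r := check_flow(line))}
```

On the sample, the two allowed processor and patch flows pass, while the two flows to unknown hosts are reported, one of them with both reasons.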
Finally, let us make a plea to plan the upgrade of your POS terminals to support the EMV (chip and signature or chip and PIN) payment card standard sooner rather than later. While chip cards are not a panacea, they are a proven method of reducing POS fraud. There's a reason why this is primarily a US problem.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.