Backoff Malware

According to a security advisory alert issued by US-CERT, a part of the Department of Homeland Security, POS malware dubbed Backoff and its three primary variations were uncovered in a minimum of three separate information security investigations.

 

Backoff has resulted in major Point-Of-Sale (POS) cybersecurity breaches. The challenge of successful hacking is simplified because hackers are able to use readily available tech resources from any location. These resources are easily used to pinpoint business establishments that rely on remote desktop solutions to connect to a computer system. Two examples include Apple Remote Desktop and join.me by LogMeIn, among many others.

 

After using the resources to identify targets, the hackers resorted to using brute force to access the remote desktop login feature. After gaining access, they were able to deploy POS malware and hack into consumer payment data via privileged access. Data from infected computers can be scraped, and based on variables. A keylogger can also be used to gain password access.

 

Discovery Timeline

 

The timeline for this malware dates back to October of 2013. As of July 2014, Backoff is still a serious cybersecurity threat that needs to be quickly addressed [1].

 

Why Wasn't This Uncovered Earlier?

 

The unanswered question to date is why did it take so long to identify Backoff, and why wasn't it identified by retail establishments? Where is the corporate responsibility in all of this? And, most importantly, what does it take for senior management to step up to the plate and do what needs to be done?

 

Bad Karma All Around

 

When consumers or business partners feel betrayed due to personal data theft and financial loss, they frequently lash out. Lack of trust and feelings of betrayal can be deadly.

 

For whatever it's worth, this type of situation is an excellent way to generate negative media exposure. Let's not forget that angry consumers will also have a field day on social media.

 

While some of the risk mitigation recommendations are general in nature, such as file integrity monitoring, the following recommendations should also be implemented:

  • Follow recommend general risk assessment practices along with an approach to minimize the possibility of remote desktop access attacks.
  • Configure the account to eliminate unauthorized user login attempts to login and/or unauthorized attempts via any type of automated attacks.

 

For additional detailed CERT recommendations, visit https://www.us-cert.gov/sites/default/files/publications/BackoffPointOfS...

 

Proactive vs. Reactive Integrity Monitoring

 

When most people think of file integrity monitoring (one of the CERT recommendations for combating Backoff) tools like our CimTrak solution, they think of a program that alerts them to a change on their systems.  Once the alert occurs, then someone has to investigate (react).  But, what if you could simply prevent the change from occurring in the first place?  Many, if not most POS files should not change outside of a normal change window, so it makes perfect sense to lock these files down.  One unique, advanced feature of CimTrak is the ability to deny rights to a particular file or set of files.  

 

This completely prevents any changes, additions, or deletions to the monitored files, thus ensuring their complete integrity and making them impenetrable by hackers (even those who manage to secure admin privileges).  This feature is a game-changer when it comes to protecting critical POS systems which are repeatedly falling prey to attackers.

 

References: [1] https://www.us-cert.gov/ncas/alerts/TA14-212A

Topics

Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".