A new breed of customized malware dubbed ‘Backoff’ has been discovered infecting point-of-sale systems in a series of recent attacks on the retail sector, warns the US Department of Homeland Security.
The US Secret Service and the DHS, in collaboration with Trustwave SpiderLabs, have jointly issued a 10-page advisory alerting retailers to the payment-card-stealing malware Backoff, a RAM scraper of the kind used in the infamous Target breach, which has reportedly been observed in at least 3 forensic investigations into payment-system breaches dating back to October last year.
According to the advisory, attackers target poorly protected RDP instances, brute-force the credentials of an administrator or other privileged account used for remote desktop connections, implant the Backoff malware on the PoS terminals, and then “subsequently exfiltrate consumer payment data via an encrypted POST request.” The malware variants are said to have “low to zero percent anti-virus detection rates,” meaning that Backoff and its variants could evade even up-to-date anti-virus engines on fully patched computers.
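As an added example (not code from the advisory or this article), the following Python detection logic targets the RDP brute-force step described above: it scans Windows Security logon events (4625 failed logon, 4624 successful logon, logon type 10 for RDP) and flags any remote logon that follows a burst of failures from the same source address. The event IDs and logon type are real Windows values; the timestamps, account names and addresses in the sample records are constructed.

```python
# Added example: flag RDP credential brute-forcing that ends in a successful
# logon, the access pattern the Backoff advisory describes.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2014-07-30T02:00:01", 4625, 10, "Administrator", "203.0.113.7"),
    ("2014-07-30T02:00:03", 4625, 10, "Administrator", "203.0.113.7"),
    ("2014-07-30T02:00:04", 4625, 10, "admin", "203.0.113.7"),
    ("2014-07-30T02:00:06", 4625, 10, "Administrator", "203.0.113.7"),
    ("2014-07-30T02:00:07", 4625, 10, "Administrator", "203.0.113.7"),
    ("2014-07-30T02:00:09", 4624, 10, "Administrator", "203.0.113.7"),
    ("2014-07-30T09:15:00", 4625, 10, "jsmith", "192.0.2.20"),   # one typo, then success
    ("2014-07-30T09:15:20", 4624, 10, "jsmith", "192.0.2.20"),
    ("2014-07-30T09:16:00", 4624, 2, "jsmith", "127.0.0.1"),     # local console logon, ignored
]

def find_brute_forced_rdp_logons(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, success_time) for every RDP logon that was
    preceded by at least `min_failures` failed RDP attempts from the same
    source IP within `window`, regardless of which account names were tried."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent failures
    hits = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != 10:
            continue  # only remote interactive (RDP) logons are of interest here
        t = datetime.fromisoformat(ts)
        # Drop failures that fell out of the sliding window.
        recent = [f for f in failures[src] if t - f <= window]
        failures[src] = recent
        if event_id == 4625:
            failures[src].append(t)
        elif event_id == 4624 and len(recent) >= min_failures:
            hits.append((src, account, ts))
            failures[src] = []  # report each brute-force success once
    return hits

if __name__ == "__main__":
    for src, account, ts in find_brute_forced_rdp_logons(SAMPLE_EVENTS):
        print(f"{ts}: {account} logged on over RDP from {src} after repeated failures")
```

In production the thresholds would be tuned to the environment, and the same logic applies to events pulled from a SIEM rather than the inline sample.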
Once installed, the Backoff family of malware scrapes card track data from the PoS system’s memory, installs a keylogger, maintains persistence by injecting into explorer.exe, and installs a supplementary backdoor that gives the attackers access to the system should something go wrong with the main Backoff executable.
US-CERT noted that the attackers are using publicly available tools to locate businesses that use remote desktop applications. The advisory warns that both businesses and consumers are at risk from the Backoff malware, as compromised PoS systems expose consumer data (names, email addresses, phone numbers, mailing addresses and credit card numbers), creating the risk of bank-account compromise and fraudulent purchases.
Karl Sigler, Threat Intelligence Manager at Trustwave, noted that nearly 600 businesses in the retail industry have been infected by Backoff malware and its variants in the past month alone. He highlighted weak passwords and the lack of two-factor authentication as the main reasons criminals are able to obtain credentials to remotely access systems and plant malware.