The U.S. Computer Emergency Readiness Team released an alert this week warning of a new form of retail malware, known as Backoff, that may have already been responsible for breaches at 600 companies.
US-CERT, working together with the Secret Service, first discovered the malware in October 2013, but it is still active and has at least three known variants. When it was first found, Backoff had an almost zero percent detection rate, which explains its incredibly high breach rate. Backoff roots out user information from point-of-sale systems and has four main capabilities: scraping memory from POS systems in search of track data, command-and-control server communication that lets it speak to a larger botnet, keylogging, and injecting a stub of malicious code into the system.
The communication between the malware and the command-and-control module ensures that any data stolen from the POS system is uploaded to the author of the malicious code. But possibly the most worrying part of Backoff is its ability to inject stubs of code, which allows the malware to persist even if the software is forcefully removed or the system it is infecting crashes.
When attempting to access a system, the malware's operators execute a brute-force attack, repeatedly trying different combinations of usernames and passwords until they find one that works. Using this technique, Backoff is able to strip POS systems of valuable customer data, including names, addresses and credit card information.
One of the best ways to defend against an attack from malware like Backoff is to have tight control over remote desktop access on POS systems, as that is the primary way the malware gains entry. It is also important for all retailers that accept payment by credit card to be compliant with the Payment Card Industry Data Security Standard. Security measures that should be taken to comply with PCI DSS include two-factor authentication for remote access and implementation of a firewall to protect cardholder data. Utilizing endpoint threat detection and response also gives companies greater protection against POS attacks and other security risks.
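As an added illustration, not part of the article or the US-CERT alert, the following detector flags the remote-desktop brute forcing described above by scanning Windows Security event records for bursts of failed logons from one source address. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values; the addresses, accounts and timestamps are constructed sample data.

```python
# Added example: detect RDP brute forcing followed by a success, over sample
# Windows Security events. Not code from the article or from Backoff itself.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, source_ip, account, logon_type).
# Logon type 10 = RemoteInteractive, the remote desktop path the article names.
SAMPLE_EVENTS = [
    ("2014-08-01 02:00:01", 4625, "203.0.113.7", "administrator", 10),
    ("2014-08-01 02:00:03", 4625, "203.0.113.7", "admin", 10),
    ("2014-08-01 02:00:05", 4625, "203.0.113.7", "pos", 10),
    ("2014-08-01 02:00:07", 4625, "203.0.113.7", "manager", 10),
    ("2014-08-01 02:00:09", 4625, "203.0.113.7", "posuser", 10),
    ("2014-08-01 02:00:12", 4624, "203.0.113.7", "posuser", 10),
    ("2014-08-01 02:10:00", 4625, "192.0.2.55", "cashier", 10),   # one typo, benign
    ("2014-08-01 09:30:00", 4624, "192.0.2.55", "cashier", 10),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with at least `threshold` failed
    remote logons inside `window`; the finding records whether a remote
    success from the same source followed the burst within `window`."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, ip, acct, ltype)
        for ts, eid, ip, acct, ltype in events
    )
    failures = defaultdict(list)   # ip -> timestamps of 4625 with logon type 10
    successes = defaultdict(list)  # ip -> timestamps of 4624 with logon type 10
    for ts, eid, ip, _acct, ltype in parsed:
        if ltype != 10:            # only remote desktop logons are of interest here
            continue
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            successes[ip].append(ts)

    findings = {}
    for ip, times in failures.items():
        # Sliding window over the sorted failure times for this source.
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if burst_end - times[i] <= window:
                followed = any(burst_end < s <= burst_end + window for s in successes[ip])
                findings[ip] = {"failures": len(times), "success_after_burst": followed}
                break
    return findings
```

A burst whose `success_after_burst` is true is the case that most deserves immediate isolation of the host and a credential reset, since it matches the entry path the article describes.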