1000 (unnamed) Retailers Affected By Backoff Point Of Sale Malware

Variants of the so-called Backoff malware have been linked to the much-publicized Target breach, as well as to those at SuperValu and Michaels.

Shortly before UPS disclosed that its retail division had been hit by point-of-sale (PoS) malware, the Department of Homeland Security and the Secret Service warned that as many as 1000 other retailers may also be infected.

According to the New York Times:

“The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from American consumers without companies knowing about it”

The most common avenue of infection appears to be remote access tools such as Microsoft’s Remote Desktop Protocol (RDP) and LogMeIn, exposed to the Internet and protected by weak or brute-forced credentials. PoS vendors commonly use these tools to support the systems they install in their customers’ environments, which is exactly why attackers scan for them.

The malware (recent variants also include a keylogger) scrapes unencrypted payment card data, the magnetic-stripe track data, from the volatile memory of PoS systems, where it sits in the clear between the card swipe and the encrypted hand-off to the processor. It then exfiltrates that data to remote command-and-control (C&C) servers, which also push updated versions of the malware to make it harder to detect and remove.
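To make the “scrapes unencrypted card data from memory” step concrete, here is an added illustration of how a RAM scraper of this kind finds track data: a regular expression for the ISO 7813 track layouts, followed by a Luhn check to discard digit runs that merely look like a card number. This is not Backoff’s own code, and the “process memory” it scans is a constructed byte string, not a real dump.

```python
"""RAM scraping, as Backoff-style PoS malware does it: a regex for magnetic-stripe track
data plus a Luhn check. Added illustration, not Backoff's own code; the memory buffer is constructed."""
import re

# ISO 7813 track layouts as they appear in a PoS process's memory:
#   Track 2:  ;PAN=YYMM SSS discretionary?     Track 1:  %BPAN^NAME^YYMM SSS discretionary?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{3}[^?]{0,40}\?")
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^[^^]{2,26}\^(?P<exp>\d{4})\d{3}[^?]{0,50}\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; scrapers use it to drop digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, so this demo never logs a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_tracks(memory: bytes) -> list[dict]:
    """Scan a memory region for cleartext track data and return validated hits in address order."""
    hits = []
    for track, pattern in ((2, TRACK2_RE), (1, TRACK1_RE)):
        for m in pattern.finditer(memory):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue          # random digit run, not a card number
            yymm = m.group("exp").decode("ascii")
            hits.append({"track": track, "pan": mask(pan),
                         "expiry": f"{yymm[2:]}/{yymm[:2]}", "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a PoS application's memory: one swipe held in cleartext as Track 2
# and Track 1, a Luhn-failing digit run, and a record that an encrypting reader (P2PE) already
# turned into ciphertext before it reached RAM.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POS.EXE transaction buffer\x00"
    + b";4111111111111111=25121010000000000000?"                  # cleartext Track 2
    + b"\x00" * 8
    + b"%B5500000000000004^DOE/JANE^2512101000000000000000?"      # cleartext Track 1
    + b"\x00" * 8
    + b";4111111111111112=25121010000000000000?"                  # fails Luhn, ignored
    + b"\x00" * 8
    + b"\x9f\x3a\x1c\x88\xd0\x41\xee\x07\x5b\xc2\x99\x10\x6d\xf4"  # P2PE ciphertext, nothing to match
)

if __name__ == "__main__":
    for hit in scrape_tracks(SAMPLE_MEMORY):
        print(hit)
```

Two things worth noticing: the encrypted record at the end of the buffer yields nothing, which is the whole argument for point-to-point encryption at the reader, and the same regex-plus-Luhn logic is what a responder would run over a memory image or a packet capture when hunting for leaked track data.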

Chester Wisniewski, Senior Security Advisor with Dunbar Cyber’s partner, Sophos, has this advice:

“Application control and network monitoring can help detect the presence of connections to these systems…Careful monitoring should be able to detect or prevent unexpected or unauthorized remote connection attempts.”


The United States Computer Emergency Readiness Team (US-CERT) has updated the alert it issued on July 31 (TA14-212A, “Backoff: New Point of Sale Malware”) with ways for businesses to protect themselves.

The basic gist:

  • Segregate your PoS network…don’t let your back-office network touch the PoS segment, and vice versa. Firewall the PoS segment so registers and terminals can reach only the payment processor and the management hosts they actually need.
  • Use application control (whitelisting) on your PoS devices…make it as difficult as possible to install or run anything on those machines that is not on the approved list, and make sure you are alerted when someone tries.
  • Monitor in real time…you need to know what is going on so you can stop the bleeding as soon as something bad happens. Target is an easy…well, target…to pick on: alerts fired that, had they been acted on, could have significantly lessened the damage done.
  • Have written remote access policies, and ENFORCE them…use your firewalls and network controls to limit who can RDP in, when, and from where, and log every attempt. Moving remote access to a non-standard port cuts down on opportunistic scanning but is not a control by itself; the real controls are source restrictions, account lockout, and two-factor authentication.
  • Don’t count on your PoS vendor to protect you…review your business agreements and insist that the proper protections are in place on their side too, including malware and intrusion detection, and that their remote support access follows your policy rather than theirs.
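The monitoring Wisniewski describes and the remote access policy in the list above come together in detection logic like the following. It is an added illustration, not a vendor’s or US-CERT’s tool: it walks exported Windows Security events (4624 successful logon, 4625 failed logon) and flags RDP sessions from sources outside the vendor’s allowed range, sessions outside the agreed maintenance window, password guessing against the remote logon path, and a success that follows a burst of failures. The policy values (the 203.0.113.0/24 vendor range, the 02:00 to 04:00 window, the five-failure threshold) and the event sample are all constructed for the example.

```python
"""Spot unexpected or brute-forced RDP logons in Windows Security events. Added illustration,
not a vendor's or US-CERT's tool; the policy values and the event sample are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical written policy for a PoS segment: only the vendor's support hosts may RDP in,
# and only during the 02:00-04:00 maintenance window. 203.0.113.0/24 (TEST-NET-3) stands in
# for the vendor's real range.
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]
WINDOW_START_HOUR, WINDOW_END_HOUR = 2, 4
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)

RDP_SUCCESS_TYPE = "10"             # 4624 with LogonType 10 = RemoteInteractive (RDP)
REMOTE_FAILURE_TYPES = {"3", "10"}  # 4625 for RDP shows type 3 when NLA is on, 10 otherwise


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def analyze(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, source_ip, detail) alerts for a list of exported 4624/4625 events."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of recent failed remote logons
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, lt = parse_ts(ev["time"]), ev["logon_type"]
        if ev["id"] == 4625 and lt in REMOTE_FAILURE_TYPES:
            ip = ip_address(ev["ip"])
            recent = [t for t in failures[ip] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            failures[ip] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:   # fire once as the threshold is crossed
                alerts.append(("brute_force", str(ip),
                               f"{len(recent)} failed remote logons within {BRUTE_FORCE_WINDOW}"))
        elif ev["id"] == 4624 and lt == RDP_SUCCESS_TYPE:
            ip = ip_address(ev["ip"])
            detail = f"RDP logon as {ev['user']} at {ts}"
            if not any(ip in net for net in ALLOWED_SOURCES):
                alerts.append(("unapproved_source", str(ip), detail))
            elif not WINDOW_START_HOUR <= ts.hour < WINDOW_END_HOUR:
                alerts.append(("outside_window", str(ip), detail))
            if any(ts - t <= BRUTE_FORCE_WINDOW for t in failures[ip]):
                alerts.append(("success_after_failures", str(ip), detail))   # the guess that worked
        # console and service logons (types 2, 4, 5) are not remote access and are ignored
    return alerts


# Constructed sample in the shape of Security log events exported to rows.
SAMPLE_EVENTS = [
    {"time": "2014-08-20 02:15:00", "id": 4624, "user": "possupport", "ip": "203.0.113.10", "logon_type": "10"},
    {"time": "2014-08-20 09:00:00", "id": 4624, "user": "cashier1", "ip": "-", "logon_type": "2"},
    {"time": "2014-08-20 12:58:00", "id": 4625, "user": "administrator", "ip": "198.51.100.77", "logon_type": "3"},
    {"time": "2014-08-20 12:58:30", "id": 4625, "user": "administrator", "ip": "198.51.100.77", "logon_type": "3"},
    {"time": "2014-08-20 12:59:00", "id": 4625, "user": "possupport", "ip": "198.51.100.77", "logon_type": "3"},
    {"time": "2014-08-20 12:59:30", "id": 4625, "user": "possupport", "ip": "198.51.100.77", "logon_type": "3"},
    {"time": "2014-08-20 13:00:00", "id": 4625, "user": "possupport", "ip": "198.51.100.77", "logon_type": "3"},
    {"time": "2014-08-20 13:02:11", "id": 4624, "user": "possupport", "ip": "198.51.100.77", "logon_type": "10"},
    {"time": "2014-08-20 15:30:00", "id": 4624, "user": "possupport", "ip": "203.0.113.10", "logon_type": "10"},
]

if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:24} {ip:16} {detail}")
```

On the sample, the 02:15 vendor session is silent, the cashier’s console logon is ignored, the guessing from 198.51.100.77 trips the brute-force rule on the fifth failure, the logon that follows it is flagged twice (wrong source, and a success right after failures), and the vendor’s own 15:30 session is flagged for being outside the window. Whatever SIEM you run, these are the four questions to ask of every RDP logon on a PoS segment.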

For the full report from DHS and the Secret Service, see the US-CERT alert (TA14-212A).


If you are concerned that your network may be susceptible to PoS malware, or if you have any other security concerns, as always, please do not hesitate to contact Dunbar Cybersecurity for a free consultation.