Earlier this morning, the United States Computer Emergency Readiness Team (US-CERT) announced the discovery of a new strain of POS malware, drawing on data gathered by Trustwave's SpiderLabs.
The "Backoff" variant, as they have christened it, is capable of launching many of the same attacks that ravaged Target's credit card processing facilities last year, along with a few extra goodies on the side: features that help keep the operation as stealthy as possible, and added functionality that increases the rate at which the POS scanner can swipe and upload credit card data back to the central server.
Windows XP, the all-too-common base for many POS systems, is where the malware monitors background processes; the connected cash registers are backdoored using many of the same techniques that criminal hacking rings have relied on against consumers for years.
“Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.”
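A defender-side illustration of the entry point the advisory describes, added here and not part of the US-CERT advisory or this article: the script walks constructed Windows Security log events, flattened to one assumed CSV-style line per event (not a real export format), and flags any source IP that accumulates repeated failed RDP logons (event 4625, logon type 10) and then succeeds (event 4624) from the same address within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp,event_id,logon_type,account,source_ip".
# This flattening of Windows Security log fields is an assumption for the demo.
SAMPLE_EVENTS = """\
2014-07-31T02:10:01,4625,10,Administrator,203.0.113.7
2014-07-31T02:10:03,4625,10,Administrator,203.0.113.7
2014-07-31T02:10:05,4625,10,admin,203.0.113.7
2014-07-31T02:10:08,4625,10,POS,203.0.113.7
2014-07-31T02:10:12,4625,10,Administrator,203.0.113.7
2014-07-31T02:10:20,4624,10,Administrator,203.0.113.7
2014-07-31T02:15:00,4625,10,clerk,198.51.100.4
2014-07-31T02:16:00,4624,10,clerk,198.51.100.4
"""

FAILED_LOGON = "4625"      # "An account failed to log on"
SUCCESS_LOGON = "4624"     # "An account was successfully logged on"
REMOTE_INTERACTIVE = "10"  # logon type recorded for RDP sessions


def parse_events(text):
    """Turn the constructed CSV-style lines into event dicts with real timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "account": account, "ip": ip})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP that racks up >= threshold failed RDP logons inside `window`
    and then logs on successfully: the pattern the advisory describes before the
    PoS malware is deployed. Only remote-interactive (RDP) logons are considered."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed RDP logons
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != REMOTE_INTERACTIVE:
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        failures[ev["ip"]] = recent  # drop failures that fell out of the window
        if ev["id"] == FAILED_LOGON:
            recent.append(ev["ts"])
        elif ev["id"] == SUCCESS_LOGON and len(recent) >= threshold:
            findings.append({"ip": ev["ip"], "account": ev["account"],
                             "failures_before_success": len(recent),
                             "at": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {f['ip']} logged on as {f['account']} after "
              f"{f['failures_before_success']} failed RDP logons at {f['at']}")
```

The second address in the sample fails once and then succeeds, which stays below the threshold and is not reported.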
Once the malware is resident in RAM, it is only a matter of time: the program monitors the network for any transactions containing hash codes similar to those found in credit card encryption schemes.
US-CERT has warned that, as of its posting, many of the top AV providers specializing in financial security had not yet updated their products to the point where they can detect Backoff.
Until these problematic points of entry are patched and a more concrete solution is available, small businesses in particular should be careful about how much card data they run through their registers.
"At the time this advisory is released, the variants of the 'Backoff' malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It's important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies. IOCs can be found above."
If the lessons learned from BlackPOS have anything to teach us, it's that even if every scanner in your store is secured to the teeth, there will always be a hole wherever a chip-and-PIN system isn't being used to the fullest.
European markets have largely avoided this kind of disruption to their businesses thanks to the widespread adoption of chip-and-PIN, and until the practice reaches an American audience, there will be dozens of malware authors waiting in the wings, ready to pounce on the slightest mistake that any US retail chain might make.