Backoff PoS Malware Infections Soared In Q3

With the holiday shopping season approaching, Damballa’s Q3 2014 State of Infections Report reveals that consumers and retailers are even more vulnerable to Backoff PoS (point-of-sale) malware, infections of which increased 57 percent from August to September, and by 27 percent during the last month.


Photo: Dean Bertoncelj / Shutterstock

The findings from the security firm indicate that the malicious program targeting the retail computer systems responsible for debit card and credit card transactions has continued to spread, doubling the number of systems that were infected in two months, despite efforts to curb its reach.

The program, Backoff, enables cyber criminals to gather and steal consumers’ payment card data. The US Secret Service, which alongside the FBI investigates and prosecutes financial crimes, warned in August that the malware had infected at least 600 retailers.

The malware first came to wider attention in July, when retailers were warned by the US Computer Emergency Readiness Team that cyber criminals were casting a wide net with the malware. The number of companies breached by the malware has since increased to over 1,000, according to the US Secret Service.

Backoff does not spread automatically as a worm or a virus does. Instead, cyber criminals are increasingly targeting retailers with phishing campaigns and large-scale specialized attacks. As attackers can modify the program so that the anti-virus installed on PoS systems fails to detect it, retailers need to come up with other defenses.

In Q3, Damballa said that it observed as many as 138,000 events on any one day in a single enterprise network.

“These events are unique pieces of evidence associated with potentially malicious activity,” the report said.

The news isn’t surprising, since this year saw several prominent data breaches attributed to POS malware, at Jimmy John’s, P.F. Chang’s, Goodwill, Dairy Queen and Home Depot.


Photo: Damballa

Damballa points out that Backoff is hidden and active in networks after bypassing network prevention controls. Companies were able to detect the malware because their networks were configured to provide visibility of POS traffic.

“Enterprises averaged 37 infected devices daily,” the report stated, adding that “the ability to automatically whittle down 138,000 events to 37 true positive infections shifts the focus from evidence-hunting and correlation to informed response.”

The report adds that in POS systems that are set up on local networks, traffic isn’t getting the same scrutiny as corporate network traffic. This gives attackers easy access and enables them to stay undetected for lengthy periods. The report warned that it is imperative to “reduce the time from when intrusions are detected to when they are contained.”

This can make a significant difference in the impact of a malware infection. The report also stated there was a 40 percent dip in daily infections among those companies that “proactively remediated their assets according to the risk each posed.” The infections had already bypassed prevention controls and were active in the network.

“With actionable intelligence, security teams can focus on infections that matter and get control of their workflow,” the report added.

Retailers, as a result, need to gear more resources towards combating malware and other threats. The best response is to adopt a mindset of ‘continuous response’.

“Assume you will be compromised and be ready to remediate,” the report concluded. “With actionable intelligence, security teams can focus on infections that matter and get control of their workflow.”