Malware Backoff attacks POS systems

Malware Backoff attacks POS systems

The U.S. Department of Homeland Security is warning merchants of a malware that attacks point-of-sale (POS) systems.

Called Backoff, it has affected more than 1,000 U.S. businesses, including the massive data theft at Target. The malware exploits administrator accounts remotely and pilfers consumers' credit card and debit card data, Homeland Security and the U.S. Secret Service warn.

This particular threat was first detected about a year ago -- in October 2013 -- but antivirus software did not recognize it specifically as Backoff until August 22, 2014.

"It's a new combo of features," said Craig Schmugar, research architect at computer security software company McAfee. "It's evolving and, unfortunately, effective."

In addition to capturing detailed data -- including a cardholder's name, card number, expiration date and the card's three-digit security code (CVV or CVC) -- Backoff can record all keystrokes typed on an infected computer and access a POS device's memory, a hacking technique known as RAM scraping.

Attackers have had success deploying Backoff through remote desktop applications such as Log Me In and Chrome Remote Desktop, Schmugar said. Retailers small and large have had their systems compromised, primarily in the United States and Canada, plus a few in the United Kingdom, Poland and Israel. Its reach can be broad, but there are ways to protect your business and your customers.

While it's not an especially advanced type of malware, Backoff has infected many POS systems by targeting those with weak security measures. That means protecting your system from Backoff can be as simple as taking the time to make a few adjustments and upgrades.

Here are a few basic strategies for keeping your company and your customers safe.

"Companies are ahead of the curve if they've deployed these protection systems," Schmugar said.

Review your system logs

Now is the time for merchants to survey equipment for POS malware infections, then review security controls. The Payment Card Industry Security Standards Council has urged merchants to inspect their system logs for atypical or unexplained activity, especially cases in which large data sets are transferred to unknown locations.

Schmugar says, "Take an assessment of the current state: What are the vulnerabilities? What are the risks of not making a change?"

And what if you do find something amiss in your system logs? First, disconnect the system from the network, if possible, he said. Then run standalone detection and removal tools, such as McAfee Stinger, which is free.  Afterward, make sure the security software is up to date and run a full system scan as well.

These should take care of the problem, but if not -- or if you'd rather be extra cautious -- consider hiring a consultant to do a security assessment to check for suspicious traffic in your local systems as well as your network.

Heads up: If you suspect your systems have been compromised by Backoff, notify your bank immediately.

Use 'whitelisting'

Often, terminals are connected and therefore more susceptible to security breaches. Why invite cyber criminals to the heart of your system when you can cut them off at the pass? If retail terminals require Internet access, limit it to only those sites that are necessary for daily functions. Known as "whitelisting," this is more effective than attempting to name and blacklist all sites that might be hazardous.

"All terminals don't need to go to the Internet," Schmugar said. "Rather than using a blacklisting approach, use whitelisting to get to websites that are approved. Instead of a setting of 'any except for ones I know to be malicious,' use'‘none except for ones I know to be approved.'"

Admittedly, whitelisting does take a bit of work to configure. "There are hoops you have to go through to make changes you want," Schmugar said. "Keeping the software up to date takes a few extra steps, but it's not the worst. Ultimately, it comes down to how often those systems are updated."

A McAfee product called Application Control is a centrally managed whitelisting solution that claims to "thwart advanced persistent threats -- without requiring signature updates or labor-intensive list management."

Symantec offers another option: Endpoint Protection is a solution that adds layers of security to POS systems. Its tools reduce the risk of attack by limiting the applications running on a POS device and controls which devices and applications are allowed to access your network.

Educate staff

Software solutions can do only so much to keep your customers' information safe; your people need to be on guard as well.

"There are various methods in which attackers can get a foothold via lower-hanging fruit," Schmugar said. So, don't give them the opportunity. Advising your staff -- and not just IT folks -- on safety measures can go a long way toward protecting your systems.

First, make sure terminal users know they could be targeted and understand that their actions have consequences. Many of the safe computing guidelines sound basic, but reminding your staff to follow them can make the difference between a secure system or a breached one.

"Be on the lookout for suspicious emails," Schmugar said. "If they get an email attachment they weren't expecting, talk to IT. Follow safe computing guidelines. Make sure Microsoft Update is running and that you're paying attention to warnings. Make sure antivirus software is up to date and follow prompts for updates. We kind of get immune to them and ignore them, but read these notifications."

Another basic tactic that goes overlooked surprisingly often: strong passwords. You've heard it before, but don't use dictionary words. A password is strongest when it uses a non-word combo of letters, numbers and special characters. Come up with an associated mental image or an acronym that you can remember easily. Each account should have a different password, and passwords should be changed regularly.

"In a merchant situation, you might be contacted by people you don't know," Schmugar said. "Look with a suspicious eye at the 'from' line. Does it have a familiar name with extra letters or numbers -- such as 'PayPal' plus other characters? These often originate from non-native English speakers, so carefully inspect them for broken English."

Schmugar says that merchants should have a mindset of "when, not if." Think about it this way, he says: "'When I get compromised, how far is the damage going to go? What can I do within the means that I have?'" Employees who feel ownership of their work are more likely to adopt safe computing practices quickly, so impart this mindset to them, as well.

Published: September 29,2023