SecureState Blog

More than 1,000 American businesses are infected with backoff malware

The government has been issuing warnings for a month now, and finally organizations are beginning to listen.

On Friday, the Department of Homeland Security (DHS) published a release encouraging retailers using Point of Sale (PoS) systems to proactively check for malware infections. While this is always good practice, the recent releases are a response to multiple breaches that occurred last week and throughout 2014. So far, seven PoS providers/vendors have confirmed that clients of their in-store cash register systems are affected. Keep in mind that these are only the companies that have publicly come forward. It is estimated that over 1,000 American businesses have been affected; the number may be higher.

While not an issue to be taken lightly, this is not news to most. ‘Backoff’ malware was first detected back in October 2013, and we are still finding it everywhere. The National Cybersecurity and Communications Integration Center (NCCIC), the United States Secret Service, and third-party partners issued an advisory on July 31, 2014, stating that for the past year the Secret Service has responded to compromised networks throughout the U.S. The questions that remain are how to determine whether your PoS has been compromised and how to defend against further compromise.

If you believe that you have been affected by malware (or even if you are in denial that this could happen to your organization), it is strongly advised to bring in experts to take a look at your security. In our experience, most companies already have the necessary tools in place to monitor their network, and those tools have actively been reporting whether or not the network has been compromised.

Below are suggested methods to better protect your organization and your customers’ information:

• Multi-factor Authentication – Requires employees to use two authentication factors (e.g., something you know, like a password; something you have, like a credit card; something you are, like a fingerprint). This adds an extra layer of security to your PoS and helps ensure only authorized users have access to credit card data.

• Monitoring Networks – Most organizations have already invested time and resources into software such as intrusion detection systems, but fail to utilize them to the fullest. It is likely that the network is already trying to notify you about suspicious activity; you just need to listen and react.

• Defensive Readiness – Attacks are inevitable – prepare for them. It begins with education and awareness at every level of the organization. Once you have an understanding of how attackers perform breaches, you will be able to prepare for them. For example, Social Engineering (e.g., phishing campaigns) is a popular method of compromise. To prepare, look at how your company might be profiled and educate your employees on what to look out for and proper response procedures.

• Point-to-Point Encryption – P2PE encrypts sensitive data (e.g., credit card number and expiration date) at the point of entry and protects it throughout the transaction, significantly reducing risk.

These methods will significantly reduce your risk and are generally just good security measures. Authors of malicious code continue to evolve their methods, making detection difficult. Backoff, for example, does not have a good signature, which means even up-to-date antivirus software will not be able to detect the malicious code. As a result, businesses may have a false sense of security, thinking that because their AV software is current they aren’t vulnerable.

The malicious code can scrape sensitive data from memory, log keystrokes, and then send the information back to the attacker (e.g., exfiltrate credit card numbers via an encrypted POST request). The software can even install a backup program to reinstall itself if deleted! The sophistication of these exploits continues to evolve, so your security program must evolve too. If your team doesn’t have the expertise or bandwidth to properly monitor emerging threats, determine appropriate solutions, and implement them, it might make sense to bring in security experts.
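The Monitoring Networks item and the exfiltration description above point at the same defensive check: a PoS terminal has no business POSTing to anything except its payment processor, and an encrypted POST still leaves its source, destination, size and timing in the proxy or firewall log. The script below is an added example (not SecureState's tooling) that groups outbound POSTs from the PoS subnet to destinations outside an allowlist and marks pairs that repeat at a near-constant interval. The log format, subnet, allowlist and log lines are all constructed for the example.

```python
"""Flag outbound POSTs from PoS hosts to destinations outside the payment allowlist."""
import ipaddress
from collections import defaultdict

# Assumed values for this example: the PoS VLAN and the only host terminals should post to.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTS = {"gateway.example-processor.test"}

# Constructed proxy-log sample: "<epoch> <src_ip> <method> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
1409000000 10.20.0.15 POST gateway.example-processor.test 512
1409000030 10.20.0.15 POST 203.0.113.7 2048
1409000060 10.20.0.15 POST 203.0.113.7 2044
1409000090 10.20.0.15 POST 203.0.113.7 2051
1409000100 10.30.0.5 GET updates.example.test 0
1409000120 10.20.0.22 POST gateway.example-processor.test 498
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, method, dest, nbytes = line.split()
    return {"ts": int(ts), "src": ipaddress.ip_address(src),
            "method": method, "dest": dest, "bytes": int(nbytes)}


def is_beacon_like(timestamps, tolerance=5):
    """True when three or more events arrive at a near-constant interval (seconds)."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return max(gaps) - min(gaps) <= tolerance


def find_suspicious_posts(log_text):
    """Return one alert per (src, dest) pair of POSTs from PoS hosts to non-allowlisted hosts."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["method"] != "POST" or ev["src"] not in POS_SUBNET:
            continue
        if ev["dest"] in ALLOWED_DESTS:
            continue
        groups[(str(ev["src"]), ev["dest"])].append(ev)

    alerts = []
    for (src, dest), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        alerts.append({
            "src": src,
            "dest": dest,
            "count": len(events),
            "bytes_out": sum(e["bytes"] for e in events),
            "beacon_like": is_beacon_like([e["ts"] for e in events]),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_posts(SAMPLE_LOG):
        print(alert)
```

Only the terminal at 10.20.0.15 trips the rule: three POSTs of roughly 2 KB each to an address that is not the processor, thirty seconds apart. The GET from the office subnet and the POSTs to the processor are ignored. The point is that the allowlist, not a malware signature, is what makes the alert fire, which is exactly the kind of signal the existing monitoring stack is already capable of producing.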