It was publicly reported yesterday that the U.S. Department of Homeland Security (DHS) warned retailers about a type of malicious software attacking point-of-sale systems, dubbed “Backoff,” that is said to be undetectable by most types of anti-virus software.
“Backoff” is a family of point-of-sale malware first identified in October 2013 with capabilities that include scraping memory for track data, logging keystrokes and injecting a malicious stub into explorer.exe, DHS reported.
The warning also stated that attackers use publicly available tools to find businesses that use remote desktop applications (which offer the user the convenience and efficiency of connecting to a computer from a remote location), then gain access to an administrative account to insert the malware. Once these applications are located, the suspects attempt to brute force the login feature of the remote desktop solution.
After gaining access to what were often administrator or privileged accounts, the suspects were then able to deploy the point-of-sale (POS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request. In other words, the attack identifies merchants using remote access software and then attempts to brute force (systematically guess) administrative credentials. Once the credentials have been compromised, the attackers install malware at the POS that then exports credit card data to the bad guys.
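The attack chain above begins with brute forcing remote desktop logins, which leaves a recognizable trace: a burst of failed logons from one source address followed by a success. The following is an added example, not code from the article or the DHS advisory, of a small detector for that pattern. It assumes Windows Security log semantics (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. Remote Desktop); the pipe-delimited record format and the sample records themselves are constructed for the example.

```python
"""Flag remote-desktop brute-force attempts that end in a successful logon.

Added example (not from the article or the DHS advisory). Event IDs 4625/4624
and logon type 10 are real Windows Security log values; the one-line record
format "timestamp|event_id|logon_type|user|source_ip" is a constructed
simplification of what a log collector might emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one address hammers the admin account and finally
# gets in; a second address is a clerk mistyping a password once, then a
# console (logon type 2) logon that is not RDP and must be ignored.
SAMPLE_LOG = """\
2014-07-31T02:00:01|4625|10|administrator|203.0.113.45
2014-07-31T02:00:03|4625|10|admin|203.0.113.45
2014-07-31T02:00:05|4625|10|administrator|203.0.113.45
2014-07-31T02:00:08|4625|10|pos|203.0.113.45
2014-07-31T02:00:10|4625|10|administrator|203.0.113.45
2014-07-31T02:00:12|4625|10|administrator|203.0.113.45
2014-07-31T02:01:30|4624|10|administrator|203.0.113.45
2014-07-31T09:15:00|4625|10|clerk01|192.0.2.10
2014-07-31T09:15:20|4624|10|clerk01|192.0.2.10
2014-07-31T09:16:00|4624|2|clerk01|192.0.2.10
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the constructed record format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def find_brute_force_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per successful RDP logon that was preceded, within
    `window`, by at least `threshold` failed RDP logons from the same source.

    Failures are tracked per source address rather than per user because a
    password-guessing tool typically cycles through several usernames.
    """
    failures = defaultdict(list)  # source ip -> timestamps of failed RDP logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only Remote Desktop logons matter here
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src"]].append(ev["ts"])
        elif ev["event_id"] == SUCCESS_LOGON:
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures": len(recent),
                    "success_at": ev["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force_success(parse_events(SAMPLE_LOG)):
        print("ALERT: %(failures)d failed RDP logons from %(src)s, then "
              "successful logon as %(user)s at %(success_at)s" % alert)
```

On the constructed records the detector raises a single alert for 203.0.113.45 (six failures, then a successful logon as administrator) and stays quiet for the clerk's single typo. In practice the threshold and window would be tuned to the environment, and a source address outside the set of expected administrative networks would be the strongest signal of all.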
The key is to ensure that you are using strong credentials (username/password), particularly if using remote access software, which is the attack vector of this malware. The DHS warned that such malware puts both the business and consumer at risk, exposing data including names, credit card numbers, email addresses, mailing addresses and phone numbers.
At the time of discovery and analysis, the malware variants had low to 0% anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.
To quote the Department of Homeland Security directly: “These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts.”
**Again, the moral of the story/warning is to ensure that you are using strong credentials (username/password), particularly if using remote access software, which is the attack vector of this malware.**