Nearly 600 U.S. businesses compromised by 'Backoff' POS malware
The Backoff malware logs keystrokes and payment card data and sends the information to remote servers controlled by the attackers.
Attackers are brute-forcing popular remote desktop software to infect point-of-sale (POS) devices with a relatively new malware known as Backoff, according to a Thursday alert issued by the United States Computer Emergency Readiness Team (US-CERT).
So far attackers have compromised nearly 600 large and small businesses, all located in the United States, Karl Sigler, threat intelligence manager with Trustwave, told SCMagazine.com on Thursday, adding that the majority are food and beverage retailers.
US-CERT identified the threat in collaboration with Trustwave, as well as the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), and Financial Sector Information Sharing and Analysis Center (FS-ISAC).
“The criminals gained initial access through remote access systems set up on many POS systems for support and troubleshooting purposes,” Sigler said. “They would run a brute-force attack on the remote access system's passwords.”
Some of those systems include Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn's join.me, according to the advisory. The attackers used publicly available tools to identify businesses using remote desktop software.
Once remote access was gained, the criminals would then plant the Backoff malware on the POS devices.
“The malware monitors keyboard input and system memory for payment cards to be swiped and then sends that data to remote servers controlled by the criminals,” Sigler said. “These servers also served as command-and-control systems which could perform tasks such as remotely updating the malware.”
Information Systems & Supplies Inc. (ISS) is one of the companies that was compromised by the same Backoff malware family, a Trustwave spokesperson told SCMagazine.com in follow-up correspondence.
ISS, a POS and security systems vendor, notified its clients on June 12 that its LogMeIn account was breached on Feb. 28, March 5 and April 18. ISS said customers of its clients likely had their payment card data accessed.
Citing unnamed sources with knowledge of the investigations, The New York Times reported on Thursday that Target, P.F. Chang's, Neiman Marcus, Michaels, Sally Beauty Supply, and Goodwill Industries International were also victims of these attacks.
The Backoff malware has not been observed for sale on underground markets, Sigler said, adding the authors are believed to be the individuals carrying out the attacks. He could not provide further information due to an ongoing investigation.
Implementing stronger passwords and two-factor authentication are ways to reduce the risk of being compromised, Sigler said, adding that companies should change the default ports used by remote access software, since most of the brute-forcing software was automatically scanning for defaults.
“Monitoring outbound network traffic either through your firewall or router logs for strange traffic, or traffic destined to systems outside your control, could help organizations flag malware early,” Sigler said.
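The two checks Sigler describes above, brute-force attempts against remote-access ports and POS hosts talking to destinations outside the organization's control, can be expressed as simple rules over firewall logs. The following is an added illustration, not code from Trustwave or US-CERT; the log format, the POS subnet, the allowlisted destination and the remote-access ports are all assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed firewall log lines (not real data): timestamp, direction, src, dst, dst port.
SAMPLE_LOG = """\
2014-07-31T10:01:02 OUT 10.20.0.15 172.16.5.10 443
2014-07-31T10:01:09 OUT 10.20.0.15 203.0.113.77 443
2014-07-31T10:01:40 OUT 10.20.0.16 172.16.5.10 443
2014-07-31T10:02:03 OUT 10.20.0.15 203.0.113.77 443
2014-07-31T10:02:11 IN 198.51.100.9 10.20.0.15 3389
2014-07-31T10:02:12 IN 198.51.100.9 10.20.0.15 3389
2014-07-31T10:02:13 IN 198.51.100.9 10.20.0.15 3389
2014-07-31T10:02:14 IN 198.51.100.9 10.20.0.15 3389
2014-07-31T10:02:15 IN 198.51.100.9 10.20.0.15 3389
2014-07-31T10:02:16 IN 198.51.100.9 10.20.0.15 3389
"""

POS_PREFIX = "10.20.0."                   # assumed POS subnet
ALLOWED_DST = {"172.16.5.10"}             # assumed payment processor / vendor host
REMOTE_ACCESS_PORTS = {3389, 5900}        # assumed: RDP and VNC-style screen sharing
LINE_RE = re.compile(r"^(\S+) (IN|OUT) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, direction, src, dst, port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, direction, src, dst, port = m.groups()
            yield ts, direction, src, dst, int(port)

def unexpected_outbound(log_text):
    """POS hosts connecting to destinations outside the allowlist (possible C2 or exfiltration)."""
    hits = Counter()
    for _, direction, src, dst, port in parse(log_text):
        if direction == "OUT" and src.startswith(POS_PREFIX) and dst not in ALLOWED_DST:
            hits[(src, dst, port)] += 1
    return dict(hits)

def remote_access_bursts(log_text, threshold=5):
    """External sources repeatedly hitting remote-access ports on POS hosts (brute-force signal)."""
    attempts = Counter()
    for _, direction, src, dst, port in parse(log_text):
        if direction == "IN" and dst.startswith(POS_PREFIX) and port in REMOTE_ACCESS_PORTS:
            attempts[(src, dst, port)] += 1
    return {key: n for key, n in attempts.items() if n >= threshold}

if __name__ == "__main__":
    print(unexpected_outbound(SAMPLE_LOG))
    print(remote_access_bursts(SAMPLE_LOG))
```

On the constructed sample this flags one POS host reaching an unlisted external address twice and one external source making six connection attempts to RDP; tune the allowlist and threshold to the environment's real traffic.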