Bad passwords on PoS terminals lead to card stealing Backoff malware

The US Computer Emergency Readiness Team (US-CERT) sent out an alert this week warning retailers of a new malware variant called “Backoff” that is designed to steal credit card data.

While the malware is from a different family than others we have analyzed, like Trackr, the idea is the same.

Infect computers used for accepting credit card payments at retailers, scrape the RAM looking for the unencrypted card data and exfiltrate the stolen information back to the criminals.

This malware isn’t terribly new, but has been showing up more frequently in point of sale (PoS) compromises of late. The oldest variants go back to the last few months of 2013, around the time the Target breach garnered the world’s attention.

The infection method is a bit more novel, though. It appears the criminals behind this malware aren’t using zero-day exploits, web drive-by attacks, or email phishing to ensnare their victims. No, they are using your own IT tools to attack you.

They are “repurposing” remote control tools like Microsoft Remote Desktop (RDP), Apple Remote Desktop and LogMeIn to gain administrative access to these payment systems.

There is nothing malicious about these tools themselves, but when improperly deployed they present a very tempting backdoor to your systems.

This isn’t the first time we have seen abuse of these tools. It turns out a whole lot of establishments with far-flung retail operations rely on internet-accessible remote control solutions to help with the fact that most stores have no on-site IT personnel.

Making things worse, many point of sale outsourcing companies deploy these tools with common passwords across their customer base or use passwords that are easily guessed based on the customer name or brand of PoS.

It is always upsetting to hear about the thousands of people every day who have their email, social media and bank accounts accessed illegally by criminals who have guessed their password.

This type of situation shouldn’t happen considering these remote access tools are being deployed by people claiming to be IT professionals.

It also highlights the importance of performing penetration tests on a regular basis. All organizations should be aware of any machines that are remotely accessible and ensure they have adequate security in place.

Application control and network monitoring can help detect the presence of connections to these systems as well. Careful monitoring should be able to detect or prevent unexpected or unauthorized remote connection attempts.
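One way to implement the monitoring described above, as an added example that is not part of the original post or a Sophos tool: a small Python detector run over constructed records modelled on Windows Security logon events (4625 failed, 4624 successful, logon type 10 for RDP). The field layout, host names, IP addresses and the allow-list of management hosts are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Windows Security log fields for RDP logons:
# event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
# Layout: <timestamp> <host> <event_id> <logon_type> <account> <source_ip>  (all values constructed)
SAMPLE_EVENTS = [
    "2014-08-01T02:14:01 POS-REG-01 4625 10 Administrator 198.51.100.23",
    "2014-08-01T02:14:09 POS-REG-01 4625 10 Administrator 198.51.100.23",
    "2014-08-01T02:14:17 POS-REG-01 4625 10 Administrator 198.51.100.23",
    "2014-08-01T02:14:26 POS-REG-01 4625 10 Administrator 198.51.100.23",
    "2014-08-01T02:14:34 POS-REG-01 4625 10 Administrator 198.51.100.23",
    "2014-08-01T02:14:42 POS-REG-01 4624 10 Administrator 198.51.100.23",  # password guessed
    "2014-08-01T09:02:11 POS-REG-02 4624 10 svc_pos 10.0.5.10",            # approved admin host
    "2014-08-01T09:30:00 POS-REG-02 4624 2 cashier1 -",                    # local console logon
    "2014-08-01T11:47:52 POS-REG-03 4625 10 pos 203.0.113.7",              # single failure only
]

# Hosts allowed to open RDP sessions to the terminals (assumed, constructed).
ALLOWED_RDP_SOURCES = {"10.0.5.10"}

def parse_event(line):
    ts, host, event_id, logon_type, account, src_ip = line.split()
    return {"time": datetime.fromisoformat(ts), "host": host, "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src_ip": src_ip}

def detect_rdp_abuse(lines, fail_threshold=5, window=timedelta(minutes=5),
                     allowed=ALLOWED_RDP_SOURCES):
    """Return (alert_type, host, source_ip) tuples for suspicious RDP activity."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    recent_failures = defaultdict(list)  # (host, src_ip) -> timestamps of failed RDP logons
    alerts = []
    for e in events:
        if e["logon_type"] != 10:
            continue  # console, service and network logons are out of scope here
        key = (e["host"], e["src_ip"])
        if e["event_id"] == 4625:
            # keep only failures inside the sliding window, then add this one
            fails = [t for t in recent_failures[key] if e["time"] - t <= window] + [e["time"]]
            recent_failures[key] = fails
            if len(fails) == fail_threshold:  # alert once, when the threshold is first crossed
                alerts.append(("rdp_bruteforce", e["host"], e["src_ip"]))
        elif e["event_id"] == 4624:
            if e["src_ip"] not in allowed:
                alerts.append(("rdp_logon_unexpected_source", e["host"], e["src_ip"]))
            if any(e["time"] - t <= window for t in recent_failures[key]):
                # success shortly after a failure burst: the password was most likely guessed
                alerts.append(("rdp_logon_after_failures", e["host"], e["src_ip"]))
                recent_failures[key] = []
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert)
```

On a real estate the same logic would be fed from the terminals' forwarded Security logs, and the allow-list would hold the outsourcer's jump hosts rather than a constructed address.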

Sophos products detect this malware as Troj/BckOff-A, Troj/BckOff-B and Troj/Agent-AGXX. Many customers also received advance protection through the use of Sophos Live Protection.