Sophos Cloud Optix
It now appears that the string of recent data breaches at US retail establishments was not a coincidence, but rather related attacks using the same malicious software kit.
In a security advisory from the US Secret Service dated 22 August 2014, obtained by the New York Times, the government said the malware known as Backoff has struck more than 1000 US companies since October 2013.
US government agencies including the Secret Service first publicly warned businesses of the Backoff malware in a bulletin on 31 July 2014, but only now is the extent of the malware’s reach becoming clear.
Backoff is a type of malware called a RAM scraper, because it steals clear-text payment card data out of RAM (Random Access Memory) on point-of-sale (PoS) computers.
The recent Secret Service bulletin doesn’t name any of the impacted businesses, but does say that seven PoS system providers have confirmed that they have had “multiple clients” infected with the Backoff malware:
Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1000 U.S. businesses are affected.
Even though the report doesn’t name any victims, you may have read speculation that Backoff is the same malware that turned up in Target’s breach, or that it is the malware behind recently-announced breaches such as the one at UPS Stores.
We’re not aware of any evidence to support either of those theories, but we’re not convinced that it really matters, anyway.
Your security goal should ideally be a defense-in-depth strategy that helps to protect against any and all malware, as well as against a range of other potential security problems.
Backoff – what it does
The cybercrooks behind the Backoff malware seem to have focused on poorly-secured systems, breaking in by means of remote access applications such as Microsoft Remote Desktop (RDP), Apple Remote Desktop and LogMeIn.
According to the US Computer Emergency Readiness Team (US-CERT), the criminals use publicly available tools to locate businesses that use these remote desktop tools and then simply guess at the necessary passwords to gain administrator access.
Then the criminals are able to deploy the Backoff malware, which scrapes the PoS system’s memory for payment data and sneaks it out of the infected network hidden in an encrypted web upload (an HTTP POST request) to servers controlled by the crooks.
Additionally, Backoff has a general purpose command-and-control (C&C) function that can also update the malware, uninstall it, or download yet more malware.
US-CERT’s alert says researchers have identified three primary variants of Backoff, which have been around since as far back as October 2013.
Since that time, Backoff has added keylogging functionality, which it can use to steal keystrokes such as passwords.
How to stay safe
US-CERT has updated its alert to advise businesses on ways to mitigate Backoff.
Naked Security writer and Sophos Senior Security Advisor Chester Wisniewski has some further advice:
Application control and network monitoring can help detect the presence of connections to these systems as well. Careful monitoring should be able to detect or prevent unexpected or unauthorized remote connection attempts.
Tips for businesses
- Segregate your networks. Shield your PoS computers from the all-purpose computers in your business.
- Limit the applications allowed on your PoS computers. Consider using Application Control to be notified if someone or something tries to install risky software on a cash register.
- If your anti-virus has a Live Protection service, make sure it is on and working. With a suitable firewall rule, your PoS computers can benefit from almost-instant updates when new threats emerge.
- Don’t ignore warning signs. Target failed to react to reports from its own IT support center that would probably have led to much earlier detection and remediation of its massive malware infestation.
- If your anti-virus has a Host Intrusion Prevention System (HIPS), use it on your PoS computers. Software behavior on a PoS system ought not to change without warning, so deviations are always worth blocking and investigating. (See also #2 and #4.)
- Review your remote access policies and procedures. Consider requiring the use of a Virtual Private Network (VPN) with two-factor authentication (2FA) support.
(Audio player above not working? Download the MP3, or listen on Soundcloud.)
Tips for consumers
As for the rest of us – the consumers – we may not know for some time which businesses were victimized by the Backoff gang.
Our advice is to keep careful track of your bank account and credit card statements and watch for suspicious charges.
And next time you go to swipe your card, you might want to think about using checks or cash instead of plastic.
Image of credit card security courtesy of Shutterstock.
How about this simple tip. Don’t have your pos computer connected to the internet.
Most companies process credit cards on high speed internet connections. Also the internet is just one small facet of the problem most systems have USB ports that can be compromised as well. As the author eluded to security for POS systems requires multiple layers of defense.
This isn’t rocket surgery. The problem is mostly complacency, not ignorance. The required data rate to/from POS terminals is almost nothing. If all POS terminals on a site are on their own physical LAN then a single low performance router/firewall dedicated to constraining those POS terms to talking only with the manufacture (MS etc) and card processors (preferably over a VPN) would cost maybe $20. Even if not isolated on their own LAN, then they could be put on their own subnet and routing rules in the main router on site could do the same for that subnet. The problem is that if a retail location trains management and employees on how and why this should be done they are basically training them in how to defeat it and just how vulnerable the POS network is. Also, the list of “ok” sites would make it much more clear just how many other connections the POS terminals may make by design that are somewhat defensible, if embarrassing, like to customer loyalty program sites and other data gathering partners. I’m guessing about that last, but it isn’t a stretch.
Unfortunately the Internet is the medium of communication used by PoS computers to process payments…
Tricky in the case of a large organisation which requires near live updates on sale, or indeed the ability to upgrade POS software without having to send staff over to every single store- very expensive!
It’s yet another argument for America to start using Chip & Pin however.
It’s not foolproof, by any means, but it certainly helps.
EMV solves the counterfeit card dilemma. It does nothing to encrypt the card holder data once it enters the POS. The answer is a three pronged approach: EMV, Validated P2PE and Tokenization.
Good point. We configure many customer networks over a secure MPLS network with a secure link to the customer’s credit card clearing house. i.e.) No Internet to transmit the stolen data.
Or Frame Relay.
Most retailers are forced to deploy technology at the lowest possible cost. MPLS is much more expensive than a DSL link that I have seen at many retail stores or distribution warehouses and many stores are still updating imbedded Windows XP PoS systems.
I have seen many elegant systems protecting a network from outside, WAN, intrusion with the LAN side left naked from any security rules because the facility users don’t want to have to keep calling an engineer back for collisions with security rues as new needs occur.
I guess the question this leaves me with is how these systems are getting compromised. It doesn’t take much in a firewall to prevent LogMeIn or RDP from the outside. That should leave the only threat as coming from the LAN or from over the VPN or an attached local device like a USB stick, Those can be restricted by the firewall or policies on the actual computer.
What is the number one thing to do? Restrict WAN outbound traffic to known parties and filter rules for LAN side traffic so that it is policed for acceptable behavior as well as inbound and outbound monitoring of traffic and remember all data is unsecured at the time of presentation to the user even if stored in a heavily encrypted data base system.
As we’ve written elsewhere (e.g. search for “Signature Systems”), at least some of these breaches are down to the sloppiest sort of password hygiene you can imagine: PoS outsourcing companies with a single, easily guessable remote access password.
That’s not just one password (with no two-factor authentication) for multiple branches in a franchise, which would be bad enough, but often one password for multiple branches at multiple customers.
See, for instance:
http://nakedsecurity.sophos.com/2014/09/29/point-of-sale-vendor-loses-password-causes-breaches-at-324-us-restaurants/
Aaaaaaaaaaaaaaaaaargh.
According to this article, Apple Remote Destop is a possible breaching point, however the Backoff malware only attacks Windows based POS systems, and ARD does not work with those.
The remote access software is not directly used by the malware. It’s just (so far as I am aware) that the guys behind Backoff seem to like to use remote access tools to get inside your network in to unleash their malware.
It’s a bit like crooks stealing your wheels by breaking into your house, not directly into your car.
Once inside your house, they rummage around until they find your car keys and your garage door opener, let themselves into the garage via the back door and drive off just like you usually do.
In the Backoff case, the remote access computers are part of the cybercrime *journey*, not its *destination*…