The United States Secret Service (USSS) bulletin about the “Backoff” malware states, “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected.” By some estimates, this translates to the possibility that over 1,000 U.S. businesses are affected. Customer-facing companies are well advised to proactively check their point-of-sale (PoS) systems for possible malware infections.
The “Backoff” malware exploits weaknesses that have been around for quite a while. It does not get into PoS networks through some next-generation password cracker, but through weak passwords and remote administration tools left reachable from outside the business, both the result of human error. Especially alarming is the trend of system integrators or developers leaving default usernames and passwords on these devices.
Jérôme Segura is a senior security researcher at Malwarebytes, where he works closely with the security community to report on website compromises, malicious advertisements and consumer fraud. He explains, “The malware is the end result of a number of factors that take advantage of weak network security. With this particular case, attackers perform repeated login attempts (brute force) on remote control software often used by businesses to give employees remote access. The combination of poor passwords and lack of proper user access control grants the bad guys full access onto internal networks where they can load their malware.”
Coming soon after the widely publicized Heartbleed bug, the “Backoff” malware only highlights the need for businesses and credit card companies to pay more attention to cyber security. Bob West, Chief Trust Officer at CipherCloud, a cloud information protection vendor, shares this concern. “The frequency, severity and impact of data breaches highlight the critical need for businesses to protect sensitive and personal information from unauthorized access, particularly in the cloud, similar to how information is managed within a corporate network.”
A compromised PoS system harms the consumer as well as the business. Consumer data such as names, credit/debit card numbers, mailing addresses, email addresses and other details may be exposed to attackers, possibly leading to fraudulent card transactions, hijacked bank accounts and even identity theft.
“Backoff” and similar PoS malware have already tarnished the reputation of several retailers, including UPS, Target and Supervalu. Segura shares some insights into the impact of PoS terminals being infected with “Backoff” or other similar malware. “The immediate risks are fraudulent purchases and bank account compromises while long term effects could be identity theft for various purposes. The impact on businesses has already been felt by companies like Target, which has suffered a dramatic drop in profits (46 percent, compared to the same period the year before) not to mention a lasting negative effect on its brand.”
West believes that the impact of such security breaches is not limited to financial fraud. The departure of Target’s CEO Gregg Steinhafel shows that mere compliance with security regulations is not enough. Members of the company’s management team, and even the board, need to understand the basics of cyber security to determine the real risk to their company and make informed decisions. West states, “The impact [of the “Backoff” malware] is expanding. The Target breach validates that security is a boardroom concern. Executive team members, including the CEO, can lose their positions. At the end of the day, a big security breach undermines customer trust and damages a company’s reputation.”
How to check whether your business has been infected
Though the “Backoff” malware was first detected back in October 2013, at the time of the advisory most antivirus products still did not recognize it. Businesses therefore need to proactively check whether they have been infected. How can they do this? West and Segura both advise referring back to the US-CERT advisory. Segura elaborates, “This gives companies a better understanding of the threat as well as Indicators of Compromise (IOCs). These include the malware names, hashes, locations, and network traffic captures that a systems administrator can use to perform a forensic investigation.” West adds, “This advisory led UPS to search and detect the PoS breach of 51 retail stores. Also, the Secret Service is contacting infected businesses as they are identified.”
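The file-hash and file-name indicators mentioned above are the simplest ones to sweep for. The script below is an added example, not code from the article or from the US-CERT advisory: it walks a directory tree, hashes every file with MD5 and SHA-256 (advisories usually publish both), and reports anything that matches an indicator list. The indicator values, file names and the sample directory tree are constructed for the demo; a real sweep would load the hashes and paths published in the advisory instead.

```python
"""Sweep a directory tree for files matching hash or file-name IOCs.

Added example. The IOC values below are constructed stand-ins, not real
Backoff indicators; populate them from the advisory in practice.
"""
import hashlib
import os
import tempfile

# Constructed "malware" body used only to derive a demo hash (hypothetical).
SAMPLE_MALWARE_BYTES = b"DEMO-PAYLOAD: constructed stand-in for a PoS malware binary\n"
SAMPLE_MALWARE_SHA256 = hashlib.sha256(SAMPLE_MALWARE_BYTES).hexdigest()

# Hypothetical indicator set; a real one comes from the advisory.
IOC_HASHES = {SAMPLE_MALWARE_SHA256}
IOC_FILENAMES = {"suspect_service.exe"}   # hypothetical file-name indicator


def hash_file(path, chunk_size=65536):
    """Return (md5, sha256) hex digests, reading the file in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, ioc_hashes, ioc_filenames):
    """Walk `root` and return every file matching a hash or file-name IOC.

    Matching is case-insensitive on both hashes and names. Unreadable
    (e.g. locked) files are skipped so one error does not abort the sweep.
    """
    hashes = {h.lower() for h in ioc_hashes}
    names = {n.lower() for n in ioc_filenames}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            reasons = []
            if md5 in hashes or sha256 in hashes:
                reasons.append("hash")
            if name.lower() in names:
                reasons.append("filename")
            if reasons:
                hits.append({"path": path, "sha256": sha256, "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])


def build_demo_tree():
    """Create a constructed tree: one hash hit, one name-only hit, one clean file."""
    root = tempfile.mkdtemp(prefix="pos_sweep_")
    os.makedirs(os.path.join(root, "Windows", "Temp"))
    with open(os.path.join(root, "Windows", "Temp", "x7a.tmp"), "wb") as fh:
        fh.write(SAMPLE_MALWARE_BYTES)          # renamed copy: caught by hash
    with open(os.path.join(root, "Windows", "SUSPECT_SERVICE.EXE"), "wb") as fh:
        fh.write(b"different bytes, same indicator name\n")  # caught by name only
    with open(os.path.join(root, "pos_app.log"), "wb") as fh:
        fh.write(b"benign log content\n")
    return root


def demo():
    """Build the constructed tree and sweep it; returns the hit list."""
    return sweep(build_demo_tree(), IOC_HASHES, IOC_FILENAMES)


if __name__ == "__main__":
    for hit in demo():
        print(hit["reasons"], hit["path"], hit["sha256"][:16])
```

A hash match is strong evidence; a name-only match is a lead to examine, since a renamed sample evades it and a benign file can share the name. Because Backoff variants differ in hash, run the sweep with the advisory's path, registry and network indicators as well, not hashes alone.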
Prevention is always better
Prevention is better than cure, and perhaps the only reliable defence against the “Backoff” malware. Segura leads the way, sharing some insights on preventive methods. “By applying two-factor authentication, strong passwords, keeping systems up-to-date with proper security solutions, and performing regular network log reviews, companies greatly reduce the risk of suffering a breach.”
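The log review Segura recommends is where the brute-force pattern he describes earlier shows up: a burst of failed remote-access logins from one source, followed by a success. The detector below is an added example, not code from the article or from Malwarebytes. It reads constructed remote-access login records in a hypothetical key=value format (real deployments would parse the remote-desktop tool's own logs), keeps a sliding window of failures per source address, and raises one alert when a source reaches the failure threshold and another if that source later logs in successfully. The source addresses are from documentation ranges and the events are constructed.

```python
"""Detect password brute forcing against remote-access logins, then a
success from the same source. Added example; log format and events are
constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed records (hypothetical format): 5 failures in 5 s from one
# source, then a success; a separate user with one typo then a success.
SAMPLE_LOG = """\
2014-08-12T02:14:01Z host=POS-REG-03 src=203.0.113.45 user=administrator result=fail
2014-08-12T02:14:02Z host=POS-REG-03 src=203.0.113.45 user=administrator result=fail
2014-08-12T02:14:03Z host=POS-REG-03 src=203.0.113.45 user=admin result=fail
2014-08-12T02:14:04Z host=POS-REG-03 src=203.0.113.45 user=pos result=fail
2014-08-12T02:14:05Z host=POS-REG-03 src=203.0.113.45 user=administrator result=fail
2014-08-12T02:14:09Z host=POS-REG-03 src=203.0.113.45 user=administrator result=success
2014-08-12T02:20:00Z host=POS-REG-01 src=198.51.100.7 user=jsmith result=fail
2014-08-12T02:20:30Z host=POS-REG-01 src=198.51.100.7 user=jsmith result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse(line):
    """Parse one record into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, threshold=5, window_seconds=60):
    """Return alerts for sources with >= threshold failures inside the window.

    'brute_force' fires once per source when the threshold is reached;
    'success_after_brute_force' fires when a flagged source then succeeds,
    which is the event that most likely marks an actual compromise.
    """
    failures = defaultdict(deque)   # src -> timestamps of failures in window
    flagged = set()
    alerts = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        window = failures[ev["src"]]
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()        # expire failures older than the window
        if ev["result"] == "fail":
            window.append(ev["ts"])
            if len(window) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "host": ev["host"], "count": len(window),
                               "at": ev["ts"].isoformat()})
        elif ev["src"] in flagged:
            alerts.append({"type": "success_after_brute_force", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"],
                           "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `threshold` and `window_seconds` to the environment's normal mistyped-password rate; the single failure from 198.51.100.7 correctly produces nothing. Detection is the fallback: an account lockout policy and two-factor authentication on the remote-access tool stop the burst before it reaches a success.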
West proposes some concrete steps for businesses to protect themselves.
Internally, make sure to:
- Put PoS systems on their own subnet, isolated from the rest of the corporate network, so that a compromised office machine cannot reach the terminals
- Encrypt payment card data end-to-end from the card reader onward, so that the PoS software never handles card numbers in the clear (card data that reaches the PoS application in cleartext can be read from that process's memory)
For external vendors:
- Limit the number of vendors that have access to internal networks and devices
- Contact antivirus vendor(s), managed service provider(s) and the PoS system vendor to assess whether technology assets may be vulnerable or compromised
However, Segura concludes with a word of caution. “Since there’s no such thing as 100 percent security, companies should also have a plan and team ready for any incident response