Alert: Beware POS Malware Backoff

CERT-In Issues Alert, Offers Mitigation Tips

Taking cues from the United States Secret Service and Department of Homeland Security, CERT-In has issued an advisory about the Backoff point-of-sale malware, which is said to have infected more than 1,000 U.S. merchants.


Experts note that there are no reported cases of Backoff infections in India so far, but caution against organizations taking a complacent attitude.

"The malware propagates by scanning for systems with remote desktop applications enabled," the advisory says. "Successful compromise allows the attacker to infect the system further with the POS malware that can steal customer payment card data."

Like other POS malware families such as Scraper and Dexter, Backoff uses a technique known as "RAM scraping": it reads the memory of the POS application, where card and transaction data sit in cleartext between the card reader and the point at which they are encrypted for transmission, and copies out anything that looks like magnetic-stripe track data. Backoff has been linked to numerous remote-access attacks on POS systems, especially on small merchants in the U.S. In a typical attack, the intruders find POS systems with remote desktop services exposed to the Internet, gain access by guessing or brute-forcing weak credentials, install the malware, and then exfiltrate the harvested data.

Backoff is known to be capable of scraping memory for Track 1 and Track 2 data, logging keystrokes and injecting a malicious stub into explorer.exe to maintain persistence. Backoff has five identified variants and has been implicated in the recent UPS Stores breach as well, although UPS has yet to confirm that the malware involved was indeed Backoff.
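To make the "memory scraping" concrete, the following is an added example (written for this page, not code from CERT-In, US-CERT or the malware authors) of the same check a defender runs over a memory dump of a POS process: look for byte sequences laid out like Track 1 (`%B<PAN>^<NAME>^<YYMM>...?`) or Track 2 (`;<PAN>=<YYMM>...?`) and confirm each candidate PAN with the Luhn check so that random digit runs are not reported. The `SAMPLE_MEMORY` buffer is constructed for the example; the PANs in it are the industry's standard test numbers, not real cards.

```python
import re

# Track 1: "%B<PAN>^<NAME>^<YYMM><service code><discretionary data>?"
# Track 2: ";<PAN>=<YYMM><service code><discretionary data>?"
# These are the layouts a RAM scraper hunts for in POS process memory.
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^\^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,79}\?"
)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d{0,20}\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: separates real PAN layouts from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN (first 6) and last 4, as a finding report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return Luhn-valid Track 1/2 hits found in a raw memory buffer."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_valid(pan):
                continue        # layout matched, but it is not a card number
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "exp": m.group("exp").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process memory dump: protocol noise, two
# track records for one test card, a Luhn-invalid decoy, and a second test card.
SAMPLE_MEMORY = (
    b"\x00\x10GET /status HTTP/1.1\r\n\x00" * 3
    + b"%B4111111111111111^TEST/CARD^25121010000000000?"   # Track 1, test PAN
    + b"\x00\x00 " * 8
    + b";4111111111111111=25121010000000000?"              # Track 2, same card
    + b"receipt #48213 total 19.99\x00"
    + b";1234567890123456=25121010000000000?"              # decoy: fails Luhn
    + b"\xff" * 16
    + b";5500000000000004=26061010000000000?"              # Track 2, second test PAN
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a real dump this reports three hits and drops the decoy. The same regular expressions, used the other way round, are what the malware applies to every readable page of the POS process, which is why the only durable fix is to keep cleartext track data out of POS memory (point-to-point encryption at the reader) rather than to hope the scraper is caught.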

'Appropriate Precautions'

In response to queries from Information Security Media Group, a senior official at CERT-In says the advisory was released in response to the malware activities emerging globally. Although there are currently no reported incidents from India, CERT-In has advised organizations, merchants and users to take appropriate precautions to prevent infections and card data leakage.

The CERT-In official says merchants and banks deploying POS systems and online services need to assess the risk of compromise of their networks. Adopting security best practices and conducting periodic audits will help mitigate the risk, but systems also need to be segregated according to their criticality, and only the applications and services that are essential should be enabled on critical systems.

CERT-In notes that administrative privileges to user accounts need to be judiciously provided, and appropriate devices such as IPS, firewalls and UTM should be deployed and monitored at the perimeter of networks.

Some salient points in the advised countermeasures include:

  • Keep all POS systems thoroughly updated;
  • Watch for incorrect login attempts, and monitor authentication logs for repetitive failed login attempts;
  • Allow RDP login on an as-needed basis;
  • Ensure that the networks where POS systems reside are properly segmented from the non-payment network.
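The second and third countermeasures above (watch for repeated failed logins, and expose RDP only when needed) are what the Backoff intrusions would have tripped, since the initial access came from brute-forced remote desktop credentials. The following is an added example of that detection, written for this page rather than taken from the CERT-In advisory. It assumes Windows Security events exported as one `key=value` line per event (the `SAMPLE_LOG` lines are constructed) and flags a source IP that produces five or more failed RDP logons (Event ID 4625, logon type 10) within two minutes, then flags a successful logon (4624) from the same source while that burst is still in the window, which is the signature of a password guess that worked.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failed logons from one source ...
WINDOW = timedelta(minutes=2)  # ... within this window raise an alert
# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are logged as type 3 instead; add 3 here if so.
RDP_LOGON_TYPES = {10}


def parse_event(line: str) -> dict:
    """Parse '<ISO time> EventID=... LogonType=... IpAddress=...' into a dict."""
    ts, _, rest = line.partition(" ")
    ev = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in rest.split():
        key, _, value = field.partition("=")
        ev[key] = value
    ev["EventID"] = int(ev["EventID"])
    ev["LogonType"] = int(ev.get("LogonType", 0))
    return ev


def detect_rdp_bruteforce(lines) -> list:
    """Return (alert, source_ip, target_user, time) tuples for RDP guessing."""
    recent = defaultdict(deque)   # source IP -> times of recent failures
    alerted = set()               # sources already reported for the burst
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip, t = ev["IpAddress"], ev["time"]
        failures = recent[ip]
        while failures and t - failures[0] > WINDOW:
            failures.popleft()   # slide the window forward
        if ev["EventID"] == 4625:
            failures.append(t)
            if len(failures) >= FAIL_THRESHOLD and ip not in alerted:
                alerted.add(ip)
                alerts.append(("rdp_bruteforce", ip, ev["TargetUserName"], t))
        elif ev["EventID"] == 4624 and len(failures) >= FAIL_THRESHOLD:
            # a success right after a burst of failures: the guess worked
            alerts.append(("rdp_bruteforce_success", ip, ev["TargetUserName"], t))
            failures.clear()
            alerted.discard(ip)
    return alerts


# Constructed sample: one guessing run from an Internet address that
# ends in a successful logon, one cashier typo, and one non-RDP failure.
SAMPLE_LOG = """\
2014-08-22T02:14:01Z EventID=4625 LogonType=10 TargetUserName=pos IpAddress=203.0.113.45
2014-08-22T02:14:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2014-08-22T02:14:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2014-08-22T02:14:08Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.45
2014-08-22T02:14:10Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.45
2014-08-22T02:14:41Z EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.45
2014-08-22T09:02:17Z EventID=4625 LogonType=10 TargetUserName=cashier2 IpAddress=10.20.5.14
2014-08-22T09:02:30Z EventID=4624 LogonType=10 TargetUserName=cashier2 IpAddress=10.20.5.14
2014-08-22T09:15:00Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.20.5.9
"""

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The cashier's single mistake and the non-RDP failure produce nothing; the 203.0.113.45 run produces a brute-force alert at the fifth failure and a second, higher-severity alert when the logon succeeds. Two caveats a practitioner would add: a source that is not on the management subnet should never reach the RDP port at all, so the first alert is also evidence that the firewall or segmentation in the last bullet is missing; and an attacker spreading guesses over many hours or many source addresses slides under a per-IP window, so pair this with an account-centric count as well.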

Wait and Watch

Dharshan Shantamurthy, CEO at Bengaluru-based SISA, a compliance services and training provider, says that it is a wait-and-watch situation in India. CERT-In had released another notification, about the BrutePOS malware, in August, but there have been no reported outbreaks, he notes. The immediate measure SISA has suggested to its clients is to ensure that none of their POS systems can be accessed remotely.

"The challenges facing mitigation are threefold," Shantamurthy says. "Lack of awareness and use of outdated and legacy systems by small and medium merchants exacerbates this risk, in addition to the fact that most of these systems do not reside on segmented, secure networks."

Vendors have yet to release a Backoff patch. Until they do, the industry needs to tread carefully, he cautions.

Prateek Rastogi, managing consultant at Trustwave, the firm originally credited with discovery of Backoff, advises organizations to revisit their payment security programs and consult with their IT security and point of sale (POS) vendors, banks and payment partners, as a matter of urgency. Ensuring proper implementation and maintenance of the security controls outlined in PCI DSS will help, he says.

About the Author

Varun Haran

Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.
