The Secret Service, which investigates financial crimes, issued a security Alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems. The Alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g., LogMeIn), a recurring threat we discussed here last month following a Visa Security Alert. After gaining access, the attackers deploy the Backoff malware, which logs keystrokes and scrapes the memory of the POS process for payment card data (the magnetic-stripe track data that sits in the clear after a swipe). The malware also communicates with a command and control server for several purposes, including downloading updates and exfiltrating the harvested card data.
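To make concrete what “scraping memory for payment card data” means, the following is an added illustration written for this post; it is not Backoff’s code and is not taken from the Alert. It scans a constructed byte buffer, standing in for a dump of a POS process, for Track 1 and Track 2 formatted data using the ISO/IEC 7813 layouts, discards digit runs that fail the Luhn check, and reports only a masked PAN. The PAN used is the well-known Visa test number, and the buffer contents, the Hit class and the function names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Track 1 (format B) and Track 2 as they sit in the clear in POS memory after a
# magnetic-stripe swipe (ISO/IEC 7813): start sentinel, PAN, separator,
# cardholder name (track 1 only), expiry YYMM, service code, discretionary
# data, end sentinel. A RAM scraper looks for exactly these shapes; so can a
# defender checking whether a terminal ever holds clear-text track data.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every real PAN passes; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-DSS display rule: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Hit:
    track: int           # 1 or 2
    offset: int          # where in the buffer the record starts
    pan_masked: str
    expiry: str          # YYMM
    service_code: str


def scan_memory(buf: bytes) -> list[Hit]:
    """Return every Luhn-valid track record found in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Hit(1, m.start(), mask(pan),
                            m.group(3).decode(), m.group(4).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Hit(2, m.start(), mask(pan),
                            m.group(2).decode(), m.group(3).decode()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample "memory": filler, one card's Track 1 and Track 2 records,
# and a decoy record whose PAN fails the Luhn check (assumed data, not a real dump).
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POSAPP.EXE heap  "
    + b"%B4111111111111111^DOE/JOHN^25121010000000000000?"   # Track 1, valid PAN
    + b"\x00" * 8
    + b";4111111111111111=25121010000000000000?"             # Track 2, same card
    + b"\x00" * 8
    + b";4111111111111112=25121010000000000000?"             # decoy, fails Luhn
    + b" order=123 total=19.99"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(f"track {hit.track} @ {hit.offset}: {hit.pan_masked} "
              f"exp {hit.expiry} svc {hit.service_code}")
```

Run against the constructed buffer, the scanner reports the Track 1 and Track 2 records for the test card and ignores the decoy. The same matcher pointed at a memory dump of your own POS process is a quick way to verify whether clear-text track data is ever present there; with hardware-based point-to-point encryption the reader encrypts the track before it reaches the POS, so there is nothing for a scraper of this kind to find.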
When the Secret Service updated the Alert on August 22, it drew headlines because it estimated that over 1,000 businesses are affected. And, even though the Alert does not say so, media reports connected the malware to the attacks on Target and other retailers. The Secret Service did not elaborate on the types of businesses that make up the estimated 1,000 affected, but it did note that seven POS system providers had reported multiple clients affected. Obviously, if many of the victims are single-location micro-merchants, the estimate of 1,000 affected companies is less ominous. As the anti-virus vendors add signatures for the known Backoff variants, affected companies may begin to discover and report the attack when they review their logs, or when they receive a common-point-of-purchase report from their acquirer or the card brands.
The defense-in-depth security recommendations offered by the Alert are mostly PCI-DSS requirements, including securely using remote access tools, network segmentation, adjusting firewall configurations, logging, access controls, and patching. The Alert also recommends using tools to detect exfiltration and anomalous behavior by legitimate users, as well as moving to hardware-based point-to-point encryption and EMV-enabled devices.
As reports about these attacks continue to surface, expect to see: (1) more calls for faster adoption of EMV (even though EMV is a counterfeit-card fraud control, not a data security solution; a chip transaction still passes the card number through the POS, so it does not by itself stop memory scrapers like Backoff); (2) demands by banks that issue payment cards for laws that allow them to recover from the merchants that were attacked (even though all of the card brands have programs to reimburse affected issuers); and (3) continued interest by merchants in implementing point-to-point encryption and tokenization so that payment card data is never in the clear in their or their vendors’ environments.