Business alert: backoff malware affecting POS systems

It seems a new type of malware is on the loose and has taken America by storm: almost 1,000 businesses have been affected since it was first seen in 2013. Fortunately the United States Secret Service has released a detailed warning about the malware, not in time to save those businesses but hopefully in time for businesses here in South Africa.

South Africa has been a cyber-crime hot spot for some years now, and hopefully this warning about BackOff will reach retailers and consumers in time.

What is BackOff?

BackOff is a family of malware. That's right, a family, meaning there are several variants of this strain, which as of 31 July 2014 were still largely undetected by most anti-virus products. BackOff belongs to a class of malware called RAM scrapers: it steals clear-text payment card data out of the RAM (random access memory) of point-of-sale (PoS) computers. RAM is the one place where the card data must exist in the clear, in the moment between the swipe and the encryption step, even on a system that encrypts everything it writes to disk or sends over the network.

BackOff Capabilities and Execution Flow

The first step the cyber tsotsis take, as with most tsotsis, is to identify poorly protected systems and gain access through remote desktop applications such as Microsoft RDP and LogMeIn. They then brute-force their way in by guessing the administrator passwords, which is easy once a system has been identified as poorly secured: a weak or default password on an account that is reachable from the internet, with no lockout and no second factor, falls to a dictionary within minutes.
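The password-guessing stage leaves a very loud trail in the logon records if anyone is looking at them. As an added example (not code from this post or from the US-CERT alert), here is a small detector run over constructed failed-logon records; the fields are loosely modelled on a Windows Security event 4625 ("An account failed to log on") with logon type 10 (RemoteInteractive, i.e. RDP) and 4624 for a success, but any log that gives a timestamp, an outcome and a source address will do. The addresses, accounts and timestamps are all made up for the illustration.

```python
"""Spot remote-desktop password guessing in failed-logon records.

Added example, not code from the CyberSentinel post or from the US-CERT alert.
The records are constructed; their fields are loosely modelled on a Windows
Security event 4625 ("An account failed to log on") with logon type 10
(RemoteInteractive, i.e. RDP), and 4624 for a successful logon, but the
detector only needs a timestamp, an outcome and a source address.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event id> <logon type> <account> <source ip>".
# 203.0.113.45 hammers the box with several account names in ten seconds and
# then gets in; 192.0.2.10 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2014-08-20T02:14:01 4625 10 Administrator 203.0.113.45
2014-08-20T02:14:03 4625 10 admin 203.0.113.45
2014-08-20T02:14:05 4625 10 pos 203.0.113.45
2014-08-20T02:14:06 4625 10 Administrator 203.0.113.45
2014-08-20T02:14:08 4625 10 POSADMIN 203.0.113.45
2014-08-20T02:14:10 4625 10 Administrator 203.0.113.45
2014-08-20T02:14:12 4624 10 Administrator 203.0.113.45
2014-08-20T09:02:11 4625 10 jsmith 192.0.2.10
2014-08-20T09:03:40 4624 10 jsmith 192.0.2.10
"""

def parse_records(text):
    """Yield (timestamp, event_id, logon_type, account, source_ip) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every address that produced at least
    `threshold` RDP logon failures inside any `window`-long span.

    The alert also records the account names tried and whether a successful
    RDP logon followed from the same address, which is the signature of a
    guessed password rather than a forgotten one.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of failures in window
    tried = defaultdict(set)      # source_ip -> account names attempted
    alerts = {}
    for ts, event_id, logon_type, account, src in parse_records(text):
        if logon_type != 10:      # only remote desktop logons are of interest
            continue
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            tried[src].add(account)
            while ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "first_seen": q[0].isoformat(),
                    "failures": 0,
                    "accounts": set(),
                    "succeeded_after": False,
                })
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"] = set(tried[src])
        elif event_id == 4624 and src in alerts:
            alerts[src]["succeeded_after"] = True
    return alerts

if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, alert)
```

The "succeeded_after" flag is the one worth paging someone for: a burst of failures followed by a success from the same address means the guess worked, and the next thing to expect is a file being dropped on the terminal.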

As if remote-desktopping into your systems wasn't exposure enough, they then load the BackOff malware. Once installed, it goes through the RAM of the PoS computer and collects the payment card data as it passes through the system. My favourite part is how it sneaks the data out through an encrypted web upload (HTTP POST) to servers controlled by the cyber tsotsis. The criminals have the sense to encrypt their data, which also means the card numbers will not show up in a simple search of the outbound traffic for card-number patterns.
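The RAM-scraping step is less magical than it sounds. Card data in memory has a rigid shape (the ISO 7813 Track 1 and Track 2 layouts that come off the magnetic stripe), so reading the memory and running a pattern match over it is all a scraper needs. The same scan is what a PCI assessor runs to find out where a PoS application leaks card data in the clear. As an added example (not code from this post or from any BackOff sample), here is such a scanner run over a constructed memory buffer; the PAN 4111111111111111 is a well-known test number, not a real card, and the Luhn check is there so that random digit runs are not reported as cards.

```python
"""Find clear-text magnetic-stripe track data in a memory buffer.

Added example, not code from the CyberSentinel post or from any Backoff sample.
It shows the one trick a RAM scraper relies on: between the swipe and the
encryption step, card data sits in process memory in the rigid ISO 7813
Track 1 / Track 2 layout, so reading the memory and pattern-matching it is
enough. The buffer below is constructed; the PAN 4111111111111111 is a
well-known test number, not a real card.
"""
import re

# Track 2: ';' PAN '=' YY MM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1: '%B' PAN '^' name '^' YY MM service-code discretionary-data '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_memory(buf: bytes):
    """Return a list of findings sorted by offset, one dict per Luhn-valid
    track record: offset, track number, masked PAN, expiry as MM/YY and,
    for Track 1, the cardholder name."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"offset": m.start(), "track": 1, "pan": mask(pan),
                             "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",
                             "name": m.group(2).decode(errors="replace")})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"offset": m.start(), "track": 2, "pan": mask(pan),
                             "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",
                             "name": None})
    return sorted(findings, key=lambda f: f["offset"])

# Constructed "memory dump": reader chatter, a Track 1 record, a Track 2
# record, then a Track 2-shaped serial number whose digits fail the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00MSR read ok\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b"\x00\x00\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00serial=;1234567890123=2512101?\x00"
)

if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f)
```

On a real system you would feed this the memory of the PoS process (a dump taken with the vendor's tooling or a debugger) rather than a byte string; the point is that if the scan finds anything, so will the malware, and the fix is point-to-point encryption at the card reader rather than a stronger anti-virus signature.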

That was the first variant of BackOff; subsequent variants have a general-purpose command-and-control (C&C) function that lets the operators update the malware, uninstall it, or download yet more malware.

But wait, there's more: further variants have keylogging functionality embedded, enabling BackOff to steal keystrokes such as passwords.

[Figure: backdoor flow]

What can be done?

Homeland Security and the United States Secret Service have come up with some strong suggestions in the following areas:

  • Remote Desktop Access
  • Network Security
  • Cash Register and POS Security
  • Incident Response

Full details can be found in the following report: US-CERT Alert TA14-212A, Backoff: New Point of Sale Malware.

The guys at Naked Security have summarised some of the suggestions below.

  1. Segregate your networks. Shield your PoS computers from the all-purpose computers in your business.
  2. Limit the applications allowed on your PoS computers. Consider using Application Control to be notified if someone or something tries to install risky software on a cash register.
  3. If your anti-virus has a Live Protection service, make sure it is on and working. With a suitable firewall rule, your PoS computers can benefit from almost-instant updates when new threats emerge.
  4. Don't ignore warning signs. Target failed to react to reports from its own IT support centre that would probably have led to much earlier detection and remediation of its massive malware infestation.
  5. If your anti-virus has a Host Intrusion Prevention System (HIPS), use it on your PoS computers. Software behaviour on a PoS system ought not to change without warning, so deviations are always worth blocking and investigating.
  6. Review your remote access policies and procedures. Consider requiring the use of a Virtual Private Network (VPN) with two-factor authentication (2FA) support.
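Points 1 and 6 above (segregate the PoS network, and only allow remote access through a VPN) are the two that would have stopped both the way in and the way out described earlier, and they are also the two that are easiest to check from the network side. As an added example (not code from this post, from Naked Security or from the US-CERT alert), here is a policy check run over constructed flow records. The policy and every address in it are assumptions for the illustration: PoS terminals live in 10.10.50.0/24, the only destinations they may reach are the payment processor (198.51.100.20:443) and an internal update server (10.10.1.5:8530), the only host allowed to open RDP (3389) to them is the administrators' VPN jump host 10.10.2.9, and nothing else may connect into the segment at all.

```python
"""Check flow records from the PoS network segment against a segmentation and
remote-access policy.

Added example, not code from the CyberSentinel post, Naked Security or the
US-CERT alert. The policy and the flow records are constructed: PoS terminals
live in 10.10.50.0/24; the only destinations they may reach are the payment
processor (198.51.100.20:443) and an internal update server (10.10.1.5:8530);
the only host allowed to open RDP (3389) to them is the administrators' VPN
jump host 10.10.2.9; and nothing else may connect into the segment at all.
Anything outside that is reported.
"""
import ipaddress

POS_NET = ipaddress.ip_network("10.10.50.0/24")
ALLOWED_EGRESS = {("198.51.100.20", 443), ("10.10.1.5", 8530)}
RDP_JUMP_HOSTS = {"10.10.2.9"}
RDP_PORT = 3389

# Constructed flow records: "<src> <sport> <dst> <dport> <proto> <bytes>".
# Record 3 is a terminal posting 50 KB to an unknown internet host on 443,
# which is exactly what an encrypted HTTP POST exfiltration looks like.
SAMPLE_FLOWS = """\
10.10.50.21 49152 198.51.100.20 443 tcp 2210
10.10.50.21 49153 10.10.1.5 8530 tcp 8800
10.10.50.22 49160 203.0.113.77 443 tcp 51200
10.10.2.9 50000 10.10.50.21 3389 tcp 120000
203.0.113.45 40000 10.10.50.23 3389 tcp 900
10.10.3.14 51000 10.10.50.22 445 tcp 3000
10.10.50.23 49170 10.10.50.21 3389 tcp 500
"""

def parse_flows(text):
    """Yield (src, sport, dst, dport, proto, nbytes) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport, proto, nbytes = line.split()
            yield src, int(sport), dst, int(dport), proto, int(nbytes)

def check_flows(text):
    """Return a list of (src, dst, dport, reason, bytes) for every flow that
    the policy does not allow. Flows that never touch the PoS segment are
    someone else's problem and are ignored."""
    findings = []
    for src, _sport, dst, dport, _proto, nbytes in parse_flows(text):
        src_in = ipaddress.ip_address(src) in POS_NET
        dst_in = ipaddress.ip_address(dst) in POS_NET
        if src_in and not dst_in:
            # Outbound from a terminal: this is where card data would leave.
            if (dst, dport) not in ALLOWED_EGRESS:
                findings.append((src, dst, dport, "egress outside allow-list", nbytes))
        elif dst_in and not src_in:
            # Inbound to a terminal: only the jump host, and only over RDP.
            if dport == RDP_PORT and src in RDP_JUMP_HOSTS:
                continue
            reason = "RDP from non-jump host" if dport == RDP_PORT else "inbound to PoS segment"
            findings.append((src, dst, dport, reason, nbytes))
        elif src_in and dst_in and dport == RDP_PORT:
            # Terminal-to-terminal RDP is how an intruder spreads once inside.
            findings.append((src, dst, dport, "lateral RDP inside PoS segment", nbytes))
    return findings

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(*f)
```

The same allow-list is what the firewall between the PoS segment and everything else should enforce; running it over flow records as well tells you whether the firewall is actually doing so, and the egress finding is the one that catches the upload even though its contents are encrypted.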

My greatest fear is that South African businesses are not ready for this and that the syndicates will get hold of this malware and catch us all unprepared. Also, perhaps by now the anti-virus companies have updated their definitions to cover BackOff, and the most important step for security admins is updating their anti-virus definitions.

On CyberSentinel.co.za. August 26, 2014
