Rippleshot Blog

"Backoff" Point-of-Sale Malware: What You Need To Know

Posted by Zach Walker on Sep 8, 2014 10:44:00 AM
On July 31, the Department of Homeland Security, along with the National Cybersecurity and Communications Integration Center and the Secret Service, issued an alert warning retailers across the United States of a new strain of malware dubbed "Backoff" and the devastating effects it can have once cybercriminals gain unauthorized access with it. As far as security experts know, this malicious software, which played a part in the data breaches at Target, Supervalu, UPS stores, and recently Kmart, has also affected over 1,000 American businesses.

What Is Backoff?

Over the past year, the Secret Service has responded to various reports of network intrusions throughout the United States, linking the affected businesses to a "family" of PoS malware we now know as "Backoff." According to the United States Computer Emergency Readiness Team (US-CERT), there are various strains of this particular malware, and they have been spotted as far back as October 2013.

Security experts have discovered that this family of malware contains 4 malicious capabilities that enable cybercriminals to access POS systems, including:

  • Scraping memory for track data (The malware examines the system's memory for sensitive card data)
  • Logging keystrokes (Tracks or logs the keys struck on a keyboard)
  • Command & control (C2) communication (This uploads the discovered data and updates the malware within the retailer's systems)
  • Injecting a malicious stub into explorer.exe (This allows the malware to maintain its connection in the event that the malware crashes or is forcefully stopped by a security team)

How to Help Mitigate Your Risk

Following the warning issued by the Secret Service, the Department of Homeland Security and organizations such as the PCI Security Standards Council have issued a bulletin urging retailers to review their security protocols and controls immediately. Their recommendations include:

Require That All Staff and Default Passwords Be Updated With New and Secure Passwords

The reality is that most people, even when given unlimited options for creating a unique password, choose passwords that can be easily cracked. Requiring passwords that are unique in both length and complexity can help thwart or minimize the effect of a brute force attack. Additionally, your systems should be configured to lock out potential hackers after repeated unsuccessful password attempts.

Limit Users and Access.

In the US-CERT alert, the Department of Homeland Security recommends that organizations review the levels of access granted to employees who use remote access, ensuring that administrative privileges are held only by the individuals who actually need them. Regarding POS terminals, the DHS recommends that an organization's terminals be used only to process transactions, and that access to secondary functions such as web browsing and email be denied.

Periodically Review Systems for Unknown Users.

As of this writing, Symantec appears to be the only vendor whose software detects the "Backoff" Trojan. However, the Department of Homeland Security is working with a number of security professionals to make "Backoff" detectable by readily available antivirus solutions.

Use Multi-Factor Authentication.

If your organization isn't doing so already, consider implementing two-factor authentication for logins. Multi-factor authentication adds additional layers of security by combining two or more types of credentials, such as a password, a security token and another form of verification.

Change the Default Remote Desktop Listening Port.

As noted in the US-CERT alert, cybercriminals were attempting to gain access by scanning for the default port used by many remote desktop applications that organizations rely on for administrators who work remotely. Changing the default listening port makes your remote desktop applications harder for cybercriminals to locate.
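Since the alert ties Backoff intrusions to remote desktop logins, the lockout recommendation above and the remote desktop port change pair naturally with monitoring for repeated failed remote logons. The following Python detector is an added example, not code from the alert or from Rippleshot: it reads constructed Windows-style failed-logon records (event ID 4625 with logon type 10, which is a remote desktop session) and flags any source address that reaches the lockout threshold within a time window. The log line format, addresses and user names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data): one logon event per line.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = remote desktop.
SAMPLE_LOG = """\
2014-09-08T10:01:02 EventID=4625 LogonType=10 User=Administrator Src=203.0.113.7
2014-09-08T10:01:05 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2014-09-08T10:01:09 EventID=4625 LogonType=10 User=pos Src=203.0.113.7
2014-09-08T10:01:14 EventID=4625 LogonType=10 User=manager Src=203.0.113.7
2014-09-08T10:01:20 EventID=4625 LogonType=10 User=Administrator Src=203.0.113.7
2014-09-08T10:03:00 EventID=4625 LogonType=10 User=cashier1 Src=198.51.100.4
2014-09-08T10:45:00 EventID=4625 LogonType=10 User=cashier1 Src=198.51.100.4
2014-09-08T10:50:00 EventID=4624 LogonType=10 User=cashier1 Src=198.51.100.4
"""

# Assumed line layout for the constructed records above.
LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)"
)


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: time_threshold_reached} for every source that
    produced at least `threshold` failed remote desktop logons within
    `window`. A lone mistyped password (198.51.100.4) is not flagged;
    a burst of guesses across several accounts (203.0.113.7) is."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "4625" or m["ltype"] != "10":
            continue  # keep only failed remote desktop logons
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in flagged:
            flagged[m["src"]] = ts        # first moment the threshold is hit
    return flagged


if __name__ == "__main__":
    for src, when in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"lockout threshold reached for {src} at {when.isoformat()}")
```

The same threshold and window used here should match the account lockout policy configured on the hosts, so that an alert fires at the moment the policy would have triggered.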

As more information becomes available regarding "Backoff" malware, we will continue to update this post, so stay tuned.
