The United States Computer Emergency Readiness Team (US-CERT), a division of Homeland Security, has issued an advisory regarding point-of-sale malware called "Backoff." The malicious software has been discovered in electronic cash registers at a number of retail operations, especially small to medium-sized businesses.
Hackers are making use of remote desktop software installed on many computers as their way in, ultimately placing malware on point-of-sale equipment.
The suspects use a brute-force attack to defeat the remote desktop software's logon. After gaining access, often to administrator-level or otherwise privileged accounts, they deploy the point-of-sale (PoS) malware and start stealing payment data. Backoff has not been named as the malware used in the Target data loss, but the process used was remarkably similar.
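The brute-force step described above is the one point in this chain that a merchant can see coming, because every guessed password leaves a failed-logon record. The following script is an added example (not code from US-CERT, Trustwave or the author of this article) showing how a defender might watch those records: it counts failed remote-desktop logons per source address inside a sliding time window and raises a higher-severity alert when a successful logon follows a burst of failures, which is the signature of a guessed credential. The log line format, the sample lines, the threshold and the window are all constructed for illustration; real remote desktop products log in their own formats.

```python
"""Remote-desktop brute-force detection over sample logon records.

Added example, not part of the advisory. Assumed (hypothetical) log format:
'<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>'. Threshold and
window sizes are illustrative choices, not values from the advisory.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one source hammers the administrator account and
# eventually gets in; a second source shows a single ordinary typo.
SAMPLE_LOG = """\
2014-08-21T02:10:01 FAIL user=administrator src=203.0.113.7
2014-08-21T02:10:03 FAIL user=administrator src=203.0.113.7
2014-08-21T02:10:04 FAIL user=admin src=203.0.113.7
2014-08-21T02:10:06 FAIL user=pos src=203.0.113.7
2014-08-21T02:10:08 FAIL user=administrator src=203.0.113.7
2014-08-21T02:10:09 FAIL user=administrator src=203.0.113.7
2014-08-21T02:10:12 SUCCESS user=administrator src=203.0.113.7
2014-08-21T02:11:30 FAIL user=clerk src=198.51.100.4
"""


def parse_line(line):
    """Split one record of the assumed format into its fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text, threshold=5, window_seconds=300):
    """Return alerts for sources with >= threshold failures inside the window.

    A 'medium' alert fires once per source when the failure count crosses
    the threshold; a 'high' alert fires when that source then logs on
    successfully while the failures are still inside the window.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    tried = defaultdict(set)      # src -> usernames attempted (spray indicator)
    flagged = set()               # sources that already produced a medium alert
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        q = recent[ev["src"]]
        # Evict failures older than the window relative to this event.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()

        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            tried[ev["src"]].add(ev["user"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({
                    "severity": "medium",
                    "src": ev["src"],
                    "users": sorted(tried[ev["src"]]),
                    "reason": f"{len(q)} failed logons within {window_seconds}s",
                })
        elif ev["result"] == "SUCCESS" and len(q) >= threshold:
            alerts.append({
                "severity": "high",
                "src": ev["src"],
                "user": ev["user"],
                "reason": "successful logon after brute-force pattern",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script produces a medium alert for 203.0.113.7 at the fifth failure (listing the three usernames it tried) and a high alert when the same address succeeds as administrator; the lone failure from 198.51.100.4 produces nothing. Shrinking the window shows the eviction logic working: with a three-second window the same burst never reaches the threshold.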
A major difference in this series of attacks is the size of the merchant. Organizations much smaller than Target or Neiman Marcus are suffering data losses. Trustwave, a federal contractor mentioned in the US-CERT advisory, puts the number of businesses breached by this current wave of malware at 600 in its blog dated August 21. Various other sources are currently reporting more than 1,000 businesses compromised by the malware.
Putting business names to the statistics: according to its corporate website, UPS Stores Inc. has reported finding a version of Backoff in 51 of its franchised stores in 21 states. This represents about one percent of the 4,470 UPS Stores located throughout the United States.
The company says the customer information that may have been exposed includes customers' names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for every customer who used a credit or debit card at an affected location during this period. The company also said it is not aware of any reports of fraud associated with the potential data compromise.
US-CERT offers a number of suggestions in three categories to help merchants protect their systems. The categories deserving stronger focus from merchants are Remote Desktop Access, Network Security and Point of Sale Security. Anyone even partially responsible for any of these areas would do well to implement whichever of the suggestions are not already in place.
Backoff was apparently invisible to virus and malware scanning software until the antivirus vendors were tipped off by US-CERT. Merchants should broaden their efforts to all areas of their computer network. External hardening and controls are as important as time spent in other areas. I'm afraid the malware scan can no longer be viewed as the "Silver Bullet" cure for hacking. The idea of an automated network babysitter should be replaced by real human effort and intervention.