The Department of Homeland Security yesterday issued an alert about a point-of-sale malware that was used in a string of recent attacks by cyber criminals. Dubbed Backoff, the malware has been witnessed on at least three separate forensic investigations since late 2013 and continues to operate today.
According to US-CERT, the malware is capable of: scraping memory for track data from credit card swipes, which lets hackers obtain the account number on the card as well as create fraudulent cards; logging keystrokes; command & control (C2) communication, a component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware; and injecting malicious stub into explorer.exe, so that the in-memory component can be reloaded if it crashes.
The alert was prepared in cooperation with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs.
“The criminals gained initial access through remote access systems set up on many POS systems for support and troubleshooting purposes,” said Karl Sigler, threat intelligence manager with Trustwave. Some of those remote access systems include Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn’s Join.Me.
Hackers would then run a brute-force attack on the remote access system’s passwords, and plant the malware on the POS devices once the access is gained.
Sigler also revealed that more than 600 businesses, mostly food and beverage retailers, have been compromised by the malware. Although the US-CERT says that currently most of the anti-virus software is unable to detect the malware, it advises users to maintain an up‐to‐date version of the software installed on their system.