US warns of 'Backoff,' latest entry into POS malware market

Summary: US Homeland Security has warned businesses to stay on their guard against a newly-detected strain of point-of-sale malware.

TOPICS: Security
Credit: CNET

The US Department of Homeland Security has issued an advisory alerting businesses to the existence of Backoff, a new kind of point-of-sale malware that infiltrates retailer computer systems.

The alert, issued on Thursday (.PDF), states that Backoff has been spotted three times in forensic investigations since late 2013 and continues to operate today. The U.S. Computer Emergency Readiness Team said Backoff goes "largely undetected" by most kinds of standard anti-virus software, with detection rates ranging from low to zero.

Backoff is a point-of-sale malware family with four capabilities found in most of its variants: scraping memory for track data, keystroke logging, Command and Control (C&C) server communication, and the injection of malicious stubs into explorer.exe. Once an attacker has infiltrated a network through remote desktop software and brute-force attacks, the malware uses these capabilities to steal credit card data from the computers' temporary memory and send it to the C&C server, and eventually into the hands of cybercriminals.
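The advisory describes the entry point as remote desktop software plus brute-force logon attempts, so a defender's first check is for bursts of failed remote logons from one source. The script below is an added illustration, not code from the advisory or the article; its record format is a constructed simplification of the fields of a Windows failed-logon event (4625, logon type 10 for RDP), and the threshold and window are assumptions.

```python
"""Flag likely RDP brute-force sources from failed-logon records.
Added example, not from the advisory; record format is a constructed
simplification of Windows event 4625 fields; threshold/window assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, event id, logon type, source IP, account.
SAMPLE_LOG = """\
2014-07-31T02:00:01 4625 10 203.0.113.7 administrator
2014-07-31T02:00:03 4625 10 203.0.113.7 admin
2014-07-31T02:00:04 4625 10 203.0.113.7 pos
2014-07-31T02:00:06 4625 10 203.0.113.7 posuser
2014-07-31T02:00:09 4625 10 203.0.113.7 backoffice
2014-07-31T02:00:11 4625 10 203.0.113.7 administrator
2014-07-31T02:05:00 4625 10 198.51.100.2 cashier
2014-07-31T03:10:00 4624 10 198.51.100.2 cashier
2014-07-31T04:00:00 4625 2 192.0.2.5 cashier
"""

RDP_LOGON_TYPE = "10"   # RemoteInteractive (RDP) logons only
FAILED_LOGON = "4625"   # Windows Security: an account failed to log on

def parse(line):
    ts, event_id, logon_type, src, account = line.split()
    return datetime.fromisoformat(ts), event_id, logon_type, src, account

def rdp_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: total_failures} for sources with >= threshold failed RDP logons in any window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, event_id, logon_type, src, _ = parse(line)
        if event_id == FAILED_LOGON and logon_type == RDP_LOGON_TYPE:
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(rdp_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Successful logons (4624) and non-RDP failures are deliberately ignored, so a single source with many type-10 failures stands out while ordinary console mistakes do not.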

The DHS' 10-page advisory says that such point-of-sale malware not only places businesses and their reputations at risk, but also could expose sensitive data, including customer names, addresses, credit card numbers and phone numbers, which can then be used in identity theft or fraudulent purchases.

Joe Schumacher, security consultant at security and risk management consulting company Neohapsis commented:

"For limiting the risk of compromise with this malware, organizations should educate employees and provide an approved method for remote access. Companies should also perform network scans to see if systems have specific ports enabled to provide the remote access services, then follow up to turn off the service.

If a small organization must rely on a third-party for remote access services then trust within the industry should be examined along with security features that can be enabled for protection."

The notice comes as well-known retailers, including Target and Neiman Marcus Group, have fallen foul of data breaches, resulting in the theft of millions of credit card records.

  • Windows only? Again?

    Hi :)
    So is this yet another reason to avoid Windows Server, or is that injection into a .exe only a tiny part of the problem?
    Regards from
    Tom :)
    • It is more than just an .exe injection.

      From reading the article, the injection into an .exe is just an additional infection vector, or a method to maintain infection.
  • I'm so fed up with cybercrime!

    First they made a fortune selling hardware and software, and now it's a never-ending money drain paying for security..... Somebody please tell me all the big IT companies aren't in the same class as drug dealers these days....every advertised fix a failure, every person who claims not to be spying is spying, every person who claims not to want free stuff is looking for free stuff and opening more holes in networks.... Watching the USA get stripped of trillions of dollars of investment is just disgusting.
    • problem is people

      Always has been. It isn't governments, corporations, etc.; it is actual people that are the problem.
    • Short-term thinking is a major culprit

      One reason cybercrime is so profitable is that corporations would rather spend money on damage control after the fact than on prevention. Security is expensive. When you're focused entirely on short-term profits (excuse me: on "shareholder value") there's no reason to spend money today if you can put it off until tomorrow.
      • It's not only short term thinking....

        but also an inappropriate focus on convenience, as opposed to security or risk reduction. So many people across the board are so focused on making things convenient for themselves and/or their customers that they overlook that they are significantly increasing the risk of violating the security of both parties.
        And, some of it may be a misplaced trust in encryption.
        If you don't want your data compromised, reduce or eliminate access by online connections. If you must transfer data online, it may be best to limit connection times to short, irregular bursts which are harder to predict, along with rolling key encryption of the data transferred. Even so, there will be some increase of risk just by connecting.
  • Remoting in is still dicey

    Any time someone is using a VPN, they had better utilize the NAC client.

    There are more robust tools like GEARS from OPSWAT that will make sure the OS is patched, antiphishing and AV are up to date and turned on, etc. etc.
    • Hit Submit too soon

      It is the lousy remoting principles that allow infected machines to connect in the first place!