Warning issued over 'Backoff' point-of-sale malware

'Backoff' point-of-sale malware not currently detected by anti-virus software

The US Computer Emergency Response Team (US-CERT) has warned of new and potentially dangerous malware that is believed to have already infected some 600 retail businesses.

Known as Backoff, it first appeared in October 2013 and comes in at least three main variants. It can log keystrokes, scrape point-of-sale device memory for credit and debit card data and can send this data back to other nodes in a wider botnet. Finally, it injects a "malicious stub" into the Windows explorer.exe file.

"The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data," warns the advisory.

It continues: "Keylogging functionality is also present in most recent variants of 'Backoff'. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware."

The malware can expose customer data, including names, mailing addresses, payment card numbers, phone numbers and email addresses - all the basic ingredients for conducting identity theft.

Furthermore, the Backoff malware family is largely undetected in current anti-virus software, although signatures will be introduced soon. "Information security professionals recommend a defence in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature," states the advisory.

It also provides a precis of the retail system security strategies to minimise the risk of compromise:

Remote desktop access

• Configure the account lock-out settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorised attempts to login, either from an unauthorised user or via automated attack types like brute force;
• Limit the number of users and workstation who can log in using Remote Desktop;
• Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389);
• Change the default Remote Desktop listening port;
• Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur;
• Require two-factor authentication (2FA) for remote desktop access;
• Install a Remote Desktop Gateway to restrict access;
• Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL;
• Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks;
• Limit administrative privileges for users and applications;
• Periodically review systems (local and domain controllers) for unknown and dormant users.

Network security

• Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses;
• Segregate payment processing networks from other networks;
• Apply access control lists (ACLs) on the router configuration to limit unauthorised traffic to payment processing networks;
• Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data;
• Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).

Cash register and PoS security

• Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities;
• Install Payment Application Data Security Standard-compliant payment applications;
• Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system;
• Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible;
• Perform a binary or checksum comparison to ensure unauthorised files are not installed;
• Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation;
• Disable unnecessary ports and services, null sessions, default users and guests;
• Enable logging of events and make sure there is a process to monitor logs on a daily basis;
• Implement least privileges and ACLs on users and applications on the system.