Backoff PoS Malware Boomed In Q3

humble3d

The security firm Damballa detected a 57% increase in infections of the notorious Backoff malware from August to September.

Try as they might, retailers don't seem to be able to get the Backoff malware to actually back off.

According to a new report from the security firm Damballa, detections of the notorious point-of-sale (PoS) malware jumped 57% from August to September. During the month of September alone, Backoff infections increased 27%.

This year, the Secret Service estimated that as many as 1,000 US businesses may be infected by the malware. That list of impacted businesses features some big names, including United Parcel Service (UPS) and Dairy Queen.

According to Damballa, the increase demonstrates that the malware is bypassing network prevention controls, and it underscores the importance of ensuring that PoS traffic is visible.

"In many cases, the PoS systems are free-standing from the corporate network," says Damballa CTO Brian Foster. "They connect to local networks, which have limited security. Without this visibility, it's impossible to discover the device is communicating with criminal command and control."

In addition, many PoS devices are accessible via remote access software for tasks such as software upgrades and patches, providing yet another avenue for compromise, Foster says.

In an advisory issued this summer, US-CERT said that attackers were using remote desktop tools such as Splashtop 2, LogMeIn, and Apple Remote Desktop as a convenient way to deploy PoS malware and steal data.

Curt Wilson, senior research analyst for Arbor Networks' ASERT team, says companies that deploy and provide ongoing remote support for merchants' PoS systems should implement strong security, because they are a target.

"If a PoS provider is compromised, the attackers typically obtain access to all their customer deployments via remote access capabilities, leading to complex, distributed compromise," Wilson says. "Strong authentication may provide an extra layer of defense in such a case, unless the strong authentication process is also compromised. Organizations, especially smaller to midsized organizations, should be aware of the potential of remote support being compromised."

All connectivity associated with PoS systems -- even connectivity that appears to be authorized -- should be audited on a regular basis, he says. Merchants purchasing PoS infrastructure should look into the provider's security posture and go elsewhere if they judge the security to be lax or if the appropriate contractual obligations cannot be met.

"Retailers should be implementing best practice security and application controls to prevent this type of malware," says Mike Davis, CTO of CounterTack. "Preventing outbound network connections except to known company owned servers… preventing the saving of data on the PoS except from the PoS software itself, and proper file and disk permissions would have prevented Backoff from working. The problem is, implementing all of this prevention is incredibly difficult, prone to errors, and takes a long time to deploy across the enterprise."

Foster says that, as long as Backoff continues to be effective, organizations should expect it to stick around. "Think of it as the malware du jour. As long as it works, threat actors will keep using it. As soon as its effectiveness diminishes, they will use something else."

http://www.darkreading.com/attacks-breaches/backoff-pos-malware-boomed-in-q3/d/d-id/1316957?
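The two controls the article keeps returning to, visibility into what PoS terminals talk to and an egress allowlist of known company-owned servers, can be checked mechanically against flow or firewall logs. The script below is an added example, not code from the article, from Damballa, CounterTack or the poster. It assumes a hypothetical PoS segment (10.20.0.0/24), an allowlist of two legitimate destinations (a payment processor and an internal patch server, both placeholder addresses) and a simple space-separated flow record format; the sample records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumptions for this example: PoS terminals live in 10.20.0.0/24 and only
# ever need to reach the payment processor and the internal patch server.
# The addresses are RFC 5737 / RFC 1918 placeholders, not real infrastructure.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("203.0.113.10/32"), 443),  # payment processor, TLS
    (ipaddress.ip_network("10.0.5.20/32"), 443),     # internal patch/update server
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())


def is_allowed(flow: Flow) -> bool:
    """True only if destination *and* port match an allowlist entry."""
    return any(flow.dst in net and flow.dport == port
               for net, port in EGRESS_ALLOWLIST)


def egress_violations(lines: Iterable[str]) -> List[Flow]:
    """Return every flow sourced from the PoS subnet whose destination/port
    is not on the allowlist. Traffic from other subnets is ignored here;
    it belongs to a different policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.src in POS_SUBNET and not is_allowed(flow):
            violations.append(flow)
    return violations


# Constructed sample flow log. The two flagged records stand in for a terminal
# reaching an unknown host on the open Internet; nothing here is a real C2.
SAMPLE_FLOWS = """
# ts                  src          dst            dport proto
2014-09-12T02:14:07Z 10.20.0.15   203.0.113.10   443   tcp
2014-09-12T02:14:09Z 10.20.0.15   198.51.100.77  80    tcp
2014-09-12T02:15:00Z 10.20.0.16   10.0.5.20      443   tcp
2014-09-12T02:15:31Z 10.20.0.16   192.0.2.33     8080  tcp
2014-09-12T02:16:02Z 10.0.7.8     192.0.2.33     8080  tcp
"""

if __name__ == "__main__":
    for f in egress_violations(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT PoS host {f.src} -> {f.dst}:{f.dport}/{f.proto} "
              f"at {f.ts} is not on the egress allowlist")
```

Matching on destination and port together is deliberate: an allowlist keyed on address alone would let a terminal reach the processor's address on an unexpected port, and one keyed on port alone would let it reach any host on 443. The same list, once validated against real logs this way, is what an outbound firewall rule set on the PoS segment should enforce.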