New Breaches Tied to Evasive MalwareBackoff Malware Strikes New Orleans Restaurant, Perhaps UPS
As news of a malware attack that compromised some 105,000 point-of-sale transactions at UPS Stores begins to unfold, a restaurant in New Orleans announces that it has been targeted by Backoff, an emerging POS malware strain that is hitting smaller merchants across the U.S.
See Also: Key Cybercrime Trends in 2016
UPS says it initiated an investigation into possible POS network intrusions after federal authorities issued an alert about emerging malware, including the new memory-scraping POS malware known as Backoff, which has been identified in a handful of recent forensics investigations tied to retail breaches.
On July 31, the Department of Homeland Security, the Secret Service and the Financial Services Information Sharing and Analysis Center issued the alert about Backoff, which typically infects POS systems through the compromise of a remote-access portal.
Experts say that what makes Backoff attacks so fruitful is that they are typically waged against numerous merchants simultaneously through the exploit of a remote-access or third-party vulnerability.
And while details surrounding the breach at UPS, as well the breach involving New Orleans restaurant Mizado Cocina, are just emerging, industry experts speculate that most of these recent breaches could be related - and linked to a remote-access attack or third-party breach, similar to the one that compromised Target Corp. in late 2013.
Compliance and risk-management professional Paul Reymann of bank advisory firm McGovern Smith Advisors, says non-regulated third parties need to be held to a higher standard.
Merchants, payment processors, banking institutions, software providers and other third parties must be more diligent about protecting the portals that allow hackers in, experts contend. And securing remote-access ports is a good place to start.
UPS has declined to comment about whether the malware it found on its POS systems was, indeed, Backoff, noting that its investigation into the breach is ongoing. But Mizado Cocina already has confirmed that Backoff was the malware used in its breach.
"We're still continuing the investigation," says UPS spokeswoman Chelsea Lee. "The reason we issued the notification now was to alert potentially impacted customers."
"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident," says UPS Store President Tim Davis.
Mizado Cocina's Breach
In an FAQ issued Aug. 19, Mizado Cocino says its breach appears to have compromised credit and debit transactions conducted between May 9 and July 18.
"The restaurant had originally been alerted earlier this summer by concerned guests who had received fraudulent charges soon after dining at Mizado Cocina," the FAQ states. The restaurant's IT company subsequently scanned the system and quarantined the suspicious malware and replaced affected hardware on July 18.
"The U.S. Secret Service was contacted, as well as credit card processors and forensics experts, and an immediate investigation was initiated to better understand the nature and scope of the incident," the restaurant says.
"While the exact type of virus [Backoff] was not specifically identified until July 31, the forensic analysis confirmed that IT's security scan had successfully eliminated the malware and the security compromise was contained," the restaurant says. "Mizado has been safely and securely processing credit cards with full protection since July 18."
Credit and debit card information, including card number, cardholder name, expiration date and card verification value - the security code typically used to authenticate e-commerce and other card-not-present transactions - may have been exposed during the breach. But credit and debit cards used since July 18 have been processed securely, the restaurant says.
The number of cards potentially breached has not been revealed, but Mizado Cocina is providing identity theft protection to all impacted cardholders for 12 months beginning Aug. 22. UPS also is offering a year's worth of ID theft protection through the same company, AllCear ID.
Federal authorities say that three recent investigations involving retail breaches linked to Backoff determined that hackers used publicly available tools to locate businesses that use remote desktop applications, such as LogMeIn Join.me, Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and Pulseway, DHS says.
One of those investigations, confirms forensics investigation firm Trustwave, involved the LogMeIn breach that compromised independent POS systems provider Information Systems & Supplies Inc., which Information Security Media Group first reported in early July (see POS Vendor: Possible Restaurant Breach).
Mizado Cocina is one of four New Orleans' food-service businesses that are managed and operated by Taste Buds Inc.. Taste Buds also owns restaurants Zea Rotisserie & Grill and Semolina, as well as catering company Taste Buds Catering & Events.
Whether all of these brands share the same network or payments processor is not clear. But Taste Buds spokeswoman Gretchen Hirt says none of the other brands appear to have been affected by the attack. "Every store that Taste Buds operates has been scanned with multiple tools, and has had a technical review," she says. "No other location was compromised or showed any indication of a compromise."
Hirt also says there is no conclusive evidence to suggest that the Mizado Cocina breach was linked to a compromise of LogMeIn credentials, although she did not elaborate.
Known Retail Weaknesses
Financial fraud expert Avivah Litan, an analyst at Gartner, says restaurants are prime targets for hackers, so it's critical that more be done to help these merchants detect potential malware attacks and data leaks sooner.
"Restaurant POS software is a major target for the hackers and will continue to be until the vendors and processors tighten up the security in the software and in the payments process," Litan says. "It's futile and unproductive to ask small businesses to do this - i.e., tighten up the security - because most of them have no competency or resources in this area. And it's also totally inefficient to expect small businesses to patch a leaky system. The vendors, payment processors and banks need to do that."
Gaining access to POS systems through remote-access portals is the easiest way for hackers to plant malware on these systems, she contends.
In late July, the Delaware Restaurants Association issued an alert to its members about reports from Delaware restaurants that their POS systems may have been compromised by a breach of LogMeIn, a remote access software typically used in conjunction with restaurant POS systems (see Restaurant Association Warns of Breach).
"Those doors should be locked up sooner rather than later, with simple measures such as two-factor and context aware authentication," Litan says. "This measure would make it much harder - though not impossible - for the hackers to get through."
Tied to Processor?
Andrew Komarov, a threat researcher and CEO of cyberintelligence firm IntelCrawler, says the breach affecting Mizado Cocina was likely an isolated remote-access attack.
"Most restaurants are compromised through remote administration tools and poor password security," he says. "But most of them are franchised; that's why, in most cases, their security is absolutely decentralized."
Because Mizado Cocina is not a franchise or part of a chain, its breach is probably contained, Komarov contends.
But Tom Kellermann, chief cybersecurity officer at online security and forensics firm Trend Micro, says he suspects the breach at Mizado Cocina is related to a regional third-party payments processor, which likely was compromised and then used as a conduit to numerous merchants' POS systems. If that's the case, then other merchants in the New Orleans area have probably been affected, he says.
"The hacker community shares information on who the processors are," Kellermann explains. "It is important to note the current security controls and standards for payment processors are inadequate when facing memory-scraping malware and targeted attacks. Host-based intrusion prevention systems and breach-detection systems are paramount to stemming this crime wave."
(News writer Jeffrey Roman contributed to this report.)