1,000 Businesses Hit By POS Malware

DHS Issues Updated Alert about 'Backoff' Threat
1,000 Businesses Hit By POS Malware

The Secret Service now estimates that more than 1,000 U.S. businesses have had their systems infected by Backoff, a new point-of-sale malware that has been linked to numerous remote-access attacks (see Emerging POS Attacks Target Small Merchants).

See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB

On Aug. 22, the Department of Homeland security, which first issued an advisory July 31 about the risks Backoff posed to U.S. business - particularly smaller merchants - warned U.S. businesses that they may have already have been unknowingly compromised.

Now the DHS is encouraging all businesses, regardless of size, to scan their POS systems for a possible compromise.

"Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the 'Backoff' malware," the DHS notes in its new advisory. "Seven POS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected."

Backoff typically exploits businesses' administrator accounts through remote-access software and then exfiltrates consumer cardholder data, the DHS warns.

"DHS strongly recommends actively contacting your IT team, anti-virus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised," according to the Aug. 22 advisory. "The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this POS malware. Companies that believe they have been the victim of this malware should contact their local Secret Service field office and may contact the NCCIC [National Cybersecurity and Communications Integration Center] for additional information."

Remote Access

Security and forensics firm Trustwave, which first identified and named Backoff, says remote-access compromises have been to blame for all of the Backoff infections it has investigated to date.

Commonly used remote desktop applications that may have been compromised include LogMeIn Join.me, Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and Pulseway, the DHS says.

In June, Vancouver, Wash.-based Information Systems & Supplies Inc., a POS vendor that caters to the food-service industry, notified customers that a compromise of its LogMeIn account likely exposed card data associated with POS transactions conducted between Feb. 28 and April 18 of this year.

And then, in late July, the Delaware Restaurant Association notified its membership of a possible LogMeIn compromise that may have exposed card data at a yet-to-be-determined number of Delaware restaurants (see Restaurant Association Warns of Breach).

Most recently, New Orleans restaurant Mizado Cocina on Aug. 19 confirmed that its POS network had been compromised by Backoff. And on Aug. 21, UPS Stores announced that it, too, had suffered a POS compromise linked to retail malware the DHS warned about on July 31 (see New Breaches Tied to Evasive Malware).

UPS, however, has not yet confirmed that the malware used in the attack, which affected 51 of its stores, was, in fact, Backoff.

Whether other high-profile retail breaches, such as the breaches suffered by Target Corp., Neiman Marcus, Sally Beauty, and grocery chains Supervalu and Albertsons, are related to the same Backoff malware has not been revealed by federal authorities.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network