Emerging POS Attacks Target Small Merchants

Why Researchers Say Remote Access Risks Are Growing
Emerging POS Attacks Target Small Merchants

A new point-of-sale malware strain known as Backoff has been linked to numerous remote-access attacks, putting small merchants at greatest risk, according to an alert from federal authorities.

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

The alert from the Department of Homeland Security, the Secret Service and the Financial Services Information Sharing and Analysis Center notes that Backoff is a recently discovered family of POS malware that has now been identified in at least three separate forensic investigations.

One of those investigations, confirms forensics investigation firm Trustwave, involved the LogMeIn breach that compromised independent POS systems provider Information Systems & Supplies Inc., which Information Security Media Group first reported in early July (see POS Vendor: Possible Restaurant Breach).

"Similar attacks have been noted in previous POS malware campaigns, and some studies state that targeting the remote desktop protocol with brute force attacks is on the rise," the alert states.

Remote-Access Vulnerabilities

Investigations into recent retail compromises reveal that many attacks waged against retailers' networks have been successful because of remote-access vulnerabilities. In incidents linked to Backoff, compromise of remote-access portals allowed attackers to install the memory-scraping malware directly to merchants' payment terminals. Backoff, like other memory-scraping malware, steals magnetic-stripe card data collected for the completion of POS transactions.

Backoff has so far been linked by law enforcement to the compromise of hundreds of merchant POS networks, but many more have likely been affected, according to Trustwave, which investigated the attacks.

The alert says recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications, such as LogMeIn Join.me, Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and Pulseway.

But not all of those remote desktop applications have been compromised by Backoff, says Chris Hague, a managing consultant at Trustwave, who's investigating the Backoff intrusions.


Trustwave's Chris Hague speaks about the role information sharing played in detecting Backoff and the number of merchants that have likely been impacted.

And it's not just merchants that are vulnerable to these types of attacks; any business that uses remote access is at risk, Hague says. The best defense is the use of complex passwords and two-factor authentication, he adds.

"In the cases we've reviewed, poor passwords with remote access were to blame," Hague says. "Many companies use remote access, and if you're not using two-factor authentication, it makes it easier for hackers to brute-force those passwords."

Small businesses are most often targeted by remote-access attacks, Hague says, because they typically have the weakest network security protections.

POS Vendor Compromised

In June, Vancouver, Wash.-based Information Systems & Supplies Inc., a POS vendor that caters to the food-service industry, notified customers that a compromise of its LogMeIn account likely exposed card data associated with POS transactions conducted between Feb. 28 and April 18 of this year.

And then this week, the Delaware Restaurant Association notified its membership of a possible LogMeIn compromise that may have exposed card data at a yet-to-be-determined number of Delaware restaurants (see Restaurant Association Warns of Breach).

"We ask that you exercise extreme caution when using remote access and ensure that an individual or company not have access without two-factor authentication," the Delaware association said.

History of Backoff

Variations of Backoff have been linked to compromises dating back to October 2013, the DHS alert notes. "At the time of discovery and analysis, the malware variants had low to zero anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious," authorities point out.

Over a seven-month period, Backoff variants have evolved to include memory-scraping for card data saved to the magnetic-stripe, keylogging, command-and-control communication, and the injection of malicious stubs of code into explorer.exe files, according to Trustwave.

But Andrew Komarov, CEO of cyber-intelligence firm IntelCrawler, says Backoff is similar to other malware. "All POS malware works in a pretty similar way and is based on RAM scrapping," he says.

In May, IntelCrawler announced that it had identified Nemanja memory-scraping malware on POS networks and systems in nearly 40 nations, including the U.S. (see Why More Retailer Breaches on the Way).

"The community should be aware about all of these types of threats; that's why this kind of notification from the FS-ISAC is very helpful for retailers and small businesses," Komarov says. "Skillful bad actors use obfuscation techniques and crypting to hide malware in systems, or they use specific instructions that allow the malware to bypass signature and heuristics detection by AV."

And malware researcher Jaime Blasco, labs director of security start-up AlienVault, says his company identified a similar remote-access brute-force attack a few months ago, one that involved the compromise of Microsoft's Remote Desktop and LogMeIn. Attackers then gained access to POS devices and systems through commonly used usernames and passwords.

"Backoff shows that businesses haven't learned the lesson yet," Blasco says. "The lessons to learn from the latest retailer breaches are: Don't expose critical systems such as POS devices to the Internet, especially if you are running [Microsoft's] Remote Desktop or similar."

Remote Access: A Known Threat

Back in 2011, investigators uncovered a remote software weakness that hackers exploited for nearly three years, allowing them to access the POS networks of more than 150 Subway restaurant franchises and other merchants. And in the spring of 2013, federal investigators traced POS malware that targeted a group of Kentucky and Southern Indiana merchants back to a remote-software vulnerability (see Retailers Attacked by POS Malware).

But Bill Nelson, president and CEO of the FS-ISAC, says what makes Backoff unique is the industry's reaction to it. In short, the payments industry is getting better at information sharing, he says.

"This advisory concerning Backoff malware affecting retail POS systems follows the model that the government and the private sector implemented last year, following a number of retailer data breaches," Nelson says. "On Jan. 16, 2014, we issued a very similar joint advisory with government. ... However, this time there was a much more efficient mechanism to get that information out to the retailer community, through the information sharing mechanism set up by the Retail Industry Leaders Association."

Nelson says the Backoff advisory was distributed by RILA to all of its members; it also was distributed to other retailer associations, including the National Restaurant Association and the National Retail Federation. "All of these retailer associations were then able to redistribute the alert to their members on a timely basis," he says.

"This marks a big improvement to the information-sharing process for retailers," Nelson adds. "Government and other sectors, such as the financial-services sector, now have a direct link to retailers through their associations to distribute these important alerts and advisories. This information will assist retailers in defending themselves against cyber-attacks that target their POS and other payment systems."

Mitigating Risks

To mitigate risks posed by memory-scraping malware, security experts recommend that merchants and businesses:

  • Configure account lockout settings to lock user accounts after a specified number of failed login attempts;
  • Limit the number of users who can log in using remote desktop software;
  • Change default remote desktop listening ports;
  • Require two-factor authentication for remote desktop access;
  • Add an extra layer of authentication and encryption by tunneling remote desktop functions through a secure sockets layer, secure shell or Internet protocol security;
  • Review network firewall configurations and ensure that only permitted ports, services and IP addresses are communicating with the network;
  • Segregate payment processing networks from other networks;
  • Implement data leakage prevention/detection tools to detect and help prevent data exfiltration;
  • Log events and monitor logs on a daily basis; and
  • Ensure that automatic updates from third parties are validated.

About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network