Backoff Malware Continues To Be A Growing Threat For Retailers

Media Division | October 31, 2014

Backoff, the point-of-sale malware behind several thefts of payment card data from retail customers, appears to be spreading.

According to research from network security firm Damballa, the number of systems infected with the 'Backoff' malware rose 57 percent between August and September. Backoff scrapes the memory of point-of-sale (POS) systems for the card data that remains there briefly after a card is swiped.
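To make "scraping RAM for card data" concrete, the following added example (not code from the article or from Damballa) shows what a RAM scraper hunts for: magnetic-stripe track 1 and track 2 records, which have fixed framing characters and carry the primary account number (PAN). The same matching logic is what a defender runs over a POS process memory dump to confirm that no plaintext track data is sitting in memory. The memory snapshot, the two well-known test PANs and the decoy are constructed for this example.

```python
import re

# Magnetic-stripe layouts that POS RAM scrapers search process memory for:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})[^?]*\?")


def luhn_ok(pan):
    """Luhn checksum; discards digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the BIN and last four only, so findings can be logged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf):
    """Return Luhn-validated track-data findings from a memory snapshot, PANs masked."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({
                "track": 1,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "name": m.group(2).decode(errors="replace"),
                "expiry": "20%s-%s" % (m.group(3).decode(), m.group(4).decode()),
            })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({
                "track": 2,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": "20%s-%s" % (m.group(2).decode(), m.group(3).decode()),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed memory snapshot (no real card data): two well-known test PANs framed as
# track data, plus a decoy that fails the Luhn check, surrounded by unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP 2.1\x00\x00"
    b";4111111111111111=25121011234567890?"             # Track 2, Luhn-valid
    b"\x00\xff\x00receipt printed\x00"
    b"%B5555555555554444^DOE/JANE^2603101000000000?"    # Track 1, Luhn-valid
    b"\x00garbage 9999999999999999\x00"
    b";4111111111111112=25121011234567890?"             # Track 2 framing, Luhn fails
)

if __name__ == "__main__":
    for finding in scan_memory(SAMPLE_MEMORY):
        print(finding)
```

The Luhn check matters in both directions: the malware uses it to avoid shipping junk, and a defender's scan uses it to keep false positives out of an incident report. Masking the PAN before logging keeps the scan itself from becoming another place card data leaks.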

The firm based its findings on data gathered from its enterprise and ISP customers, who use its traffic-analysis products to detect malicious activity. About 55 percent of the detected traffic, including DNS requests, originated in North America, but the IP addresses of most infected hosts could not be tied to specific owners because that data is withheld for privacy reasons.

Backoff has drawn attention because of its role in a number of high-profile retail data breaches over the past year, with Sally Beauty, Target, Home Depot, Neiman Marcus and, most recently, Kmart among the names cited.

US-CERT issued an advisory on Backoff (TA14-212A) on 31 July, but even with that DHS warning, which included guidance on mitigating the malware, Damballa saw infections rise a further 27 percent between the start and the end of September.

Damballa CTO Brian Foster said that too many retailers still rely on traditional antivirus technologies to protect POS systems, even though the DHS advisory recommends a number of additional measures, such as locking down the remote desktop applications attackers have been using to install the malware, and configuring firewalls to accept connections only on known ports and from known IP addresses.

Traditional antivirus is largely signature-based, so the malware's authors can make small alterations to its code to slip past it. To show how little effort that takes, Damballa's researchers tested the Sinowal malware against 55 antivirus products and found that 45 of them detected it.

The researchers then repackaged the same Sinowal sample as a Windows Help file, a change that took less than two minutes, and found that only one of the 55 products detected the new file.

Foster said the retail industry's response to Backoff is a worrying sign ahead of the US holiday shopping season, the most lucrative period for attackers to target retailers, as Target's breach during the 2013 season showed.

“Enterprises haven’t done a good enough job getting their POS traffic to a central point” where it can be monitored for malicious activity, stated Foster. “I’m sure that by the end of this holiday season, antivirus products will be really good at detecting Backoff, but by then, attackers will have moved on to something else.”
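The two controls the article keeps returning to, restricting POS traffic to known ports and addresses (the DHS advice above) and bringing that traffic to a central point where it can be watched (Foster's complaint), can be expressed as a handful of rules run over flow logs. The following is an added example, not code from the article, Damballa or DHS, and the POS subnet, payment gateway, patch server, jump host and log format are all assumptions made for it; the log lines are constructed. It flags any POS terminal talking to a destination outside its allowlist, calls out HTTP POSTs to such destinations separately (the usual way harvested track data leaves a network), and flags RDP into a terminal from anything other than the designated jump host.

```python
import ipaddress
import re

# Segment policy (assumed values for this example):
POS_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
ALLOWED_OUTBOUND = {                 # the only (destination, port) pairs a terminal needs
    ("198.51.100.10", 443),          # payment gateway
    ("10.0.0.5", 8530),              # internal patch server
}
RDP_JUMP_HOSTS = {"10.0.9.7"}        # the only host allowed to RDP into a terminal

# One line per flow, as a central collector might receive it from an egress firewall or proxy
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
    r"(?: method=(?P<method>[A-Z]+))?(?: bytes_out=(?P<bytes>\d+))?$"
)


def parse_line(line):
    """Parse one flow record; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["bytes"] = int(ev["bytes"] or 0)
    return ev


def _alert(rule, ev):
    return {"rule": rule, "ts": ev["ts"], "src": ev["src"],
            "dst": "%s:%d" % (ev["dst"], ev["dport"]), "bytes_out": ev["bytes"]}


def check_event(ev):
    """Apply the POS segment rules to one flow; returns zero or more alerts."""
    alerts = []
    src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
    egress_ok = (ev["dst"], ev["dport"]) in ALLOWED_OUTBOUND
    if src in POS_SEGMENT and not egress_ok:
        alerts.append(_alert("pos-egress", ev))
        if ev["method"] == "POST":
            # harvested card data typically leaves over HTTP POST to a server the
            # business has no relationship with
            alerts.append(_alert("http-post-egress", ev))
    if dst in POS_SEGMENT and ev["dport"] == 3389 and ev["src"] not in RDP_JUMP_HOSTS:
        alerts.append(_alert("rdp-unauthorized", ev))
    return alerts


def analyze(log_text):
    """Run every parseable line through the rules and return all alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            alerts.extend(check_event(ev))
    return alerts


# Constructed flow records: two legitimate flows, one suspicious POST to an unknown host,
# one RDP session from the jump host, one RDP session from elsewhere, and a second terminal
# posting to the same unknown host.
SAMPLE_LOG = """\
2014-10-03T02:14:07Z src=10.20.1.15 dst=198.51.100.10 dport=443
2014-10-03T02:14:09Z src=10.20.1.15 dst=10.0.0.5 dport=8530
2014-10-03T02:15:31Z src=10.20.1.15 dst=203.0.113.45 dport=80 method=POST bytes_out=18342
2014-10-03T02:16:02Z src=10.0.9.7 dst=10.20.1.15 dport=3389
2014-10-03T02:16:40Z src=192.0.2.88 dst=10.20.1.15 dport=3389
2014-10-03T02:17:12Z src=10.20.1.16 dst=203.0.113.45 dport=443 method=POST bytes_out=2048
this line is not a flow record
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The allowlist is the point: a POS terminal has a very short list of legitimate peers, so anything else is worth a ticket regardless of whether antivirus on the terminal recognizes the binary. The rules only work if the terminal's traffic actually reaches the collector, which is the centralization Foster is asking for.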

What needs to be done?

To stave off the malware, Damballa says companies need to act as though they are in a continuous state of breach and build their response strategy accordingly.

“We’d advise enterprises to be prepared, to get ahead by assuming that they will be compromised, and take proactive measures to be ready to remediate,” stated Foster.

POS malware offers criminals a high return on investment: a single compromised retailer can yield thousands of card records, far more than an attacker could harvest from home computers.

“Fundamentally, these figures show that prevention controls cannot stop malware infections,” Foster said in a statement. “PoS malware and other advanced threats can, and will, get through.”

He added that organizations need to focus on building better intelligence. Solutions such as Massive's Strixus Global can help retailers detect the malware, threats and campaigns that emerge daily with real-time, actionable attack intelligence, enabling them to take proactive steps to protect POS and other digital infrastructure.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.