U.S. CERT, Trustwave raise alert on “Backoff” malware

By Erin Ayers on August 4, 2014

malware (1)The Department of Homeland Security’s Computer Emergency Response Team (CERT) this week warned businesses and consumers about a new strain of malware called “Backoff” that has been detected in point of sale systems used by businesses using remote desktop software.

“The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements,” stated CERT in an advisory notice. “These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.”

CERT, working with National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, announced that the most anti-virus software could not detect the malware, although they predicted that with this announcement that would quickly change. Criminals to prey upon businesses using Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn Join.Me by launching “brute force” attacks against the login feature on the programs and gaining access to administrator accounts to deploy the malware and steal customer payment information.

“The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals,” said US-CERT in its advisory. “Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems.”

Karl Sigler, threat intelligence manager at Trustwave, told Advisen in an email, “In the past month, we have seen nearly 600 businesses, mainly in the retail industry, infected by the Backoff malware. We are currently working on four investigations alone – all in which criminals broke into point-of-sale systems by using stolen credentials to log in through remote access software. The malware then sits on the system, gathers the credit card numbers, encrypts the information and sends it out to servers owned by the criminals.”

Sigler explained that businesses usually buy or rent PoS systems from vendors that use remote access software to fix any technical issues the business may have with the technology.

“Due to weak passwords and the lack of two factor authentication, the criminals were able to get a hold of actual login credentials to the remote access software and plant malware on the system,” he said. Trustwave recommended strong passwords and two-factor authentication to reduce the risk of intrusion.

“It also makes sense to change the default ports used by their remote access software. A lot of the brute force software was simply doing an automated scan for defaults. If they aren’t on those default ports, they may fly under the criminals’ radar,” said Sigler. “Monitoring outbound network traffic either through their firewall or router logs for strange traffic or traffic destined to systems outside their control could help organizations flag malware early.”


Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].