Retailers, beware: cyber crooks are increasingly targeting remote desktop applications by brute-forcing passwords, and are using that access to plant hard-to-detect PoS malware that scrapes and exfiltrates consumer payment data via an encrypted POST request.
The PoS malware family in question is dubbed “Backoff” and has a number of variants. It was discovered only recently, but has been used in attacks against three different retailers since October 2013.
The malware is capable of scraping the memory of PoS systems for card track data, logging keystrokes, communicating with a C&C server and receiving instructions, downloading additional malware, exfiltrating the collected data, as well as injecting a malicious stub into the explorer.exe process in order to achieve persistence on the system.
US-CERT has issued a security advisory warning retailers that the “Backoff” malware family is largely undetected by AV vendors, but that detection signatures will be added in the coming days, and has urged them to update their AV solutions.
In the meantime, network administrators can apply the provided indicators of compromise to a variety of prevention and detection strategies, as well as implement risk mitigation recommendations regarding remote desktop access and cash register and PoS security (also provided in the advisory).
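One of the detection strategies this points to is spotting the initial access vector: password guessing against remote desktop services. The script below is an added example, not part of the advisory or this article; it reads a constructed, simplified one-line-per-event rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive/RDP), and flags any source address that racks up many RDP failures in a short window, escalating the verdict if a success from the same source follows.

```python
"""Flag RDP password guessing from Windows Security log events (added example).

The input format is a constructed, simplified text rendering of Event IDs
4625/4624; a real deployment would read the Security log or a SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one RDP (LogonType=10) guessing burst from 198.51.100.7 that
# ends in a successful logon, plus ordinary console logons that must not be flagged.
SAMPLE_EVENTS = """\
2014-08-01T02:14:03 EventID=4625 LogonType=10 User=admin Src=198.51.100.7
2014-08-01T02:14:05 EventID=4625 LogonType=10 User=admin Src=198.51.100.7
2014-08-01T02:14:07 EventID=4625 LogonType=10 User=pos Src=198.51.100.7
2014-08-01T02:14:09 EventID=4625 LogonType=10 User=pos Src=198.51.100.7
2014-08-01T02:14:11 EventID=4625 LogonType=10 User=register1 Src=198.51.100.7
2014-08-01T02:14:13 EventID=4624 LogonType=10 User=register1 Src=198.51.100.7
2014-08-01T09:00:00 EventID=4625 LogonType=2 User=clerk Src=10.0.0.5
2014-08-01T09:00:20 EventID=4624 LogonType=2 User=clerk Src=10.0.0.5
"""


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {src: verdict} for sources with >= threshold RDP failures inside
    a sliding window. Verdict is 'bruteforce', or 'bruteforce-then-success'
    when a 4624 from the same source arrives after the threshold was crossed."""
    failures = defaultdict(list)   # src -> timestamps of recent 4625 events
    verdicts = {}
    for line in text.splitlines():
        event = parse_event(line)
        if event["LogonType"] != "10":      # only RDP (RemoteInteractive) logons
            continue
        src = event["Src"]
        if event["EventID"] == "4625":
            failures[src].append(event["ts"])
            # keep only failures inside the window ending at this event
            failures[src] = [t for t in failures[src] if event["ts"] - t <= window]
            if len(failures[src]) >= threshold:
                verdicts.setdefault(src, "bruteforce")
        elif event["EventID"] == "4624" and src in verdicts:
            verdicts[src] = "bruteforce-then-success"
    return verdicts
```

A 'bruteforce-then-success' verdict is the case worth paging on: it is the point at which the guessed credential becomes a foothold for planting PoS malware.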
“The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts,” they pointed out.
“It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.”