Every now and then hackers develop a piece of malware that is so insidious that it changes the landscape of computer security and acceptable practices. While there are many contenders for this dubious list, CodeRed, Zeus, and now Backoff are certainly worthy of inclusion. In 2001, CodeRed highlighted the need for servers to be patched regularly and to be isolated in a DMZ (demilitarized zone). Introduced in 2007 (with variants still active today), Zeus demonstrated how well organized hacker communities were and how easily man-in-the-middle attacks could be used to compromise sensitive financial data. Today, Backoff is ruining the reputation of many retail businesses and wreaking havoc financially through the theft of credit card data. In fact, Backoff has garnered the attention of the U.S. Department of Homeland Security (DHS).
Wanting to warn retail businesses of the danger of this malware, the DHS released an advisory entitled "Backoff: New Point of Sale Malware." In the document, retailers are warned of how hackers are using this software after they penetrate a point-of-sale network that uses insecure remote access. Specifically, the document mentions Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, LogMeIn, and Join.Me. However, it is important to note that any remote access software that is not managed in a secure fashion could be used to compromise a system. Regardless of the remote access platform that is penetrated, hackers often find that they have administrative privileges on the remote machines once they connect, so it is simple for them to upload the Backoff malware at that point and begin the theft of credit cards.
Backoff works by allowing further remote control of the infected system, grabbing credit card data out of memory, writing files with sensitive authentication data, and transmitting the stolen information using standard HTML posts. There is nothing particularly innovative about how Backoff works, but the completeness of its design and simplicity has allowed some of the biggest credit card thefts in history. Hackers can easily obtain a copy of Backoff from the Internet; it is streamlined so that it causes few issues installing it on a remote machine; and it was well written so that it is extremely effective at stealing data once it is in place.
The key to defeating Backoff is by embracing basic security measures which too many retailers have ignored regardless of initiatives like the Payment Card Industry Data Security Standard (PCI). First and foremost, make sure that remote access is secure. This includes using two-factor authentication, strong passwords, and unique credentials so that activity can be tracked back to a specific user. For VendorSafe customers, this would be our Secure Remote Access SSL VPN. In addition, make sure that you have a good firewall protection program that incorporates limiting both inbound and outbound traffic to the minimum that is necessary. Again, VendorSafe customers receive this service with our Global Security Mesh feature. Whether or not you use security provided by us, you should review your practices to make sure that you are protected.
Malware will continue to be a significant issue for retailers for the foreseeable future, and it is key that retailers become aware of how to secure their environments. It would be irresponsible to ignore the problem or pretend that it could never happen to your business. Software solutions such as anti-virus programs are usually between 6 to 12 months behind major malware releases, so it is necessary to embrace a more holistic approach when looking to protect your business. Taking the proper steps today will help you avoid joining the ever increasing list of businesses who realize that they are a hacker's latest victim, and that is the goal of any security program.
(Photo by Jan Kalab.)
/ Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.