The United States Computer Emergency Readiness Team (US-CERT) has issued an advisory warning of fresh point-of-sale (POS) malware named Backoff.
It has warned that variants have been seen as far back as October 2013 and commonly include the capability to scrape memory for track data, log keystrokes, manage command and control (C&C) communication and inject a malicious stub into explorer.exe.
It said: “The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data.
“The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers and email addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.”
In an analysis blog, Boatner Blankenstein, senior director of solutions engineering at Bomgar Corporation, pointed at recent stories related to the Delaware Restaurant Association, which notified its 1,900 member restaurants about a possible breach of consumer payment card data that “appears to be linked to LogMeIn, a remote access and systems management provider that facilitates, among other things, file sharing and data backup”, while security blogger Brian Krebs reported on the Jimmy John’s sandwich chain, which was investigating breach claims.
Blankenstein said: “While some of these remote desktop access connections exist for employees to access their work computer from home, others are set up so IT administrators, outsourcers and vendors can remotely manage and support desktops and other systems.
“It’s especially critical that these connections are secure as they typically include admin-level permissions that hackers can exploit. But even if an end-user is simply using a tool like RDP to access a single desktop, their credentials can be used to install malware on that system. Once that individual PC is compromised, hackers can use it as a launching point to attempt to access more critical systems.”