The success of the Backoff remote access Trojan (RAT) paints a very bleak picture of the state of point-of-sale security, according to Kaspersky Lab.
In an evaluation, Kaspersky Lab said that after sinkholing two servers it had seen more than 85 victims connecting to the sinkhole, even though that sinkhole covers less than five per cent of the malware's command and control (C&C) channels.
“Taking into account the U.S. Secret Service statement, it’s a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000,” it said.
“Since its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples. This was likely done to defeat the security controls on the targeted networks. However, the defences running on a PoS terminal and/or network should not have been affected by this. This speaks volumes about the current state of PoS security, and other cyber criminals are sure to have taken note.”
Kaspersky confirmed that it had sinkholed two C&C servers used by Backoff samples that were compiled between January and March 2014.
Dr. Mike Lloyd, CTO of RedSeal, said: “The significance of the so-called ‘Backoff’ malware is that it reminds businesses and consumers that all our infrastructure is connected now. In the past, there were air gaps – ATM machines weren’t on the same network as point of sale devices, and all the banking infrastructure was separate from the power companies.
“However, the spread of Internet connectivity (including the Internet of Things) means the old and lazy assumption of ‘you can’t get there from here’ is out the window. Defence is now about controlled network segmentation — making sure you take the trouble to build perimeters around the assets you must defend. This is harder than old-world air gap-based defences, and requires constant oversight to look for holes in the virtual fence.”
Jérôme Segura, senior security researcher at Malwarebytes, said: “In late July, the Computer Emergency Readiness Team (US-CERT) issued a warning about the Backoff point-of-sale malware in an effort to provide technical details as well as recommendations for affected businesses. While at the time it wasn’t clear how widespread the problem was, we now know that more than a thousand US companies have been hit since October 2013.
“This allows us to connect the dots between the recent data breaches affecting retailers that had one thing in common: The Backoff malware. Attackers relied on insecure networks that could be penetrated through brute force attacks via remote desktop applications. Once in, the Backoff malware, which was invisible to antivirus products, could start burying itself into the system and wait for the next card swipe into the PoS computer.
“In addition to keeping their PoS systems updated and running security solutions such as antivirus and anti-malware, companies need to review their remote access policies, segregate their networks and have network traffic tools to detect potential data exfiltration.”
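Segura's account of the intrusion path (remote desktop brute force, followed by a successful logon) lends itself to a simple detection. The following is an added example, not code from the article or from any of the vendors quoted: it scans Windows Security log lines for failed RDP logons (Event ID 4625 with logon type 10, RemoteInteractive), raises an alert when one source address exceeds a threshold of failures inside a sliding time window, and flags the case where a successful logon (Event ID 4624) from the same address follows the burst. The log lines and the `key=value` field layout are constructed for the example; a real deployment would parse the event XML or a SIEM's normalised fields instead.

```python
"""Flag RDP brute-force bursts in Windows Security log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not from any real incident. The field layout is an
# assumption made for this example; real 4625/4624 events carry the same data
# as XML or SIEM fields. EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP / Terminal Services).
SAMPLE_LOG = """\
2014-03-02T02:14:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2014-03-02T02:14:03 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2014-03-02T02:14:05 EventID=4625 LogonType=10 Account=pos SourceIP=203.0.113.7
2014-03-02T02:14:06 EventID=4625 LogonType=10 Account=manager SourceIP=203.0.113.7
2014-03-02T02:14:08 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2014-03-02T02:14:10 EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.7
2014-03-02T02:20:00 EventID=4625 LogonType=10 Account=cashier1 SourceIP=198.51.100.22
2014-03-02T09:00:00 EventID=4625 LogonType=2 Account=cashier1 SourceIP=-
2014-03-02T09:00:30 EventID=4624 LogonType=2 Account=cashier1 SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "acct": m["acct"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP with >= threshold failed RDP logons inside
    any `window`-long span. Each alert records the accounts tried and whether a
    successful RDP logon from the same IP followed the burst."""
    events = [
        e for e in (parse_line(l) for l in log_text.splitlines())
        if e and e["lt"] == RDP_LOGON_TYPE and e["ip"] != "-"
    ]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["eid"] == FAILED_LOGON]
        # Sliding window over the time-ordered failures: advance `start` until the
        # span fits inside `window`, then check how many failures it holds.
        start, burst = 0, None
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = (failures[start]["ts"], failures[end]["ts"])
                break
        if burst is None:
            continue
        # A success after the burst is the strongest signal that the guessing worked.
        success_after = any(
            e["eid"] == SUCCESS_LOGON and e["ts"] >= burst[1] for e in evs
        )
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "accounts": sorted({e["acct"] for e in failures}),
            "first": burst[0],
            "last": burst[1],
            "success_after": success_after,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG):
        print(a)
```

Running it against the sample flags 203.0.113.7 (five failures across four account names in seven seconds, then a success) and ignores the single failure from 198.51.100.22 and the console logons of type 2. In practice the threshold and window are tuned per site, and the same per-source grouping works on firewall or VPN logs for the "review remote access policies" recommendation above.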