Once again, retailers and consumers are gearing up for the busiest sales season of the year. Not surprisingly, threat actors are gearing up as well.
In our Q3 2014 State of Infections report, we noted a steady rise in Backoff malware detections through August and September. Backoff is the point-of-sale (PoS) malware linked to the breach of Home Depot and other retailers. Cyber criminals have used it to steal millions of credit card numbers and related information. Closing out October, we saw an additional increase of 33% in Backoff malware detections.
The surge of Backoff malware is indicative of the breadth of challenges retailers face when it comes to securing their widely distributed PoS systems. Antivirus and other signature-based prevention tools can’t keep up because malware authors are continually altering the code. A successful intruder can only be caught if the enterprise has a way to detect hidden threats in its network. That is particularly difficult to do with PoS systems because they often connect to local networks, not a corporate network, so security teams have little to no visibility into their outbound traffic. The longer the malware dwells, the more damage it can do. Consider that Home Depot was breached for five months before discovery.
It’s reasonable to expect to hear about more retail breaches leading into the holiday shopping season. Cyber criminals only need to find one weak link in a very long chain of distributed PoS systems. Security teams need proper visibility to know when a compromise occurs. Damballa recommends that retail stores follow basic guidelines provided by US-CERT, which advises that retailers with point-of-sale devices “implement tools to detect anomalous network traffic and anomalous behavior by legitimate users.” It’s also essential to get visibility into DNS traffic from PoS systems. We cover specific recommendations in our Q3 report.
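As an added illustration of the DNS-visibility point above (example code written for this post, not Damballa’s tooling or the method from the Q3 report), the script below reads a constructed DNS query log, compares each PoS terminal’s lookups against an assumed baseline of the few domains a terminal legitimately needs, and flags off-baseline domains, marking those queried repeatedly, which is the shape a beaconing implant tends to produce. The log format, host naming convention, domains and threshold are all assumptions.

```python
"""Flag DNS queries from point-of-sale hosts that fall outside their expected
traffic profile. Added example; log format, host names, domains and the
repeat threshold are assumptions, not values from any real deployment."""
import re
from collections import Counter, defaultdict

# Constructed log lines in an assumed "timestamp client query" format.
SAMPLE_LOG = """\
2014-10-30T09:00:01 pos-01.store17.local payments.example-processor.com
2014-10-30T09:00:05 pos-01.store17.local ntp.example-corp.com
2014-10-30T09:01:10 pos-02.store17.local payments.example-processor.com
2014-10-30T09:02:44 pos-02.store17.local x7q2k9d1lm3v.example-dyn.net
2014-10-30T09:02:50 pos-02.store17.local x7q2k9d1lm3v.example-dyn.net
2014-10-30T09:03:00 pos-02.store17.local x7q2k9d1lm3v.example-dyn.net
2014-10-30T09:03:12 backoffice.store17.local mail.example-corp.com
"""

# Assumed baseline: the only domains a PoS terminal should ever resolve.
POS_BASELINE = {"payments.example-processor.com", "ntp.example-corp.com"}
POS_HOST_RE = re.compile(r"^pos-\d+\.")  # assumed terminal naming convention
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, domain) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_anomalies(text, baseline=POS_BASELINE, repeat_threshold=3):
    """Return {client: [(domain, count, repeated), ...]} for PoS hosts that
    queried domains outside the baseline; 'repeated' is True when the same
    off-baseline domain was queried at least repeat_threshold times."""
    off_baseline = defaultdict(Counter)
    for _, client, domain in parse_dns_log(text):
        if POS_HOST_RE.match(client) and domain.lower() not in baseline:
            off_baseline[client][domain.lower()] += 1
    return {
        client: [(d, n, n >= repeat_threshold) for d, n in sorted(c.items())]
        for client, c in off_baseline.items()
    }


if __name__ == "__main__":
    for client, hits in find_anomalies(SAMPLE_LOG).items():
        for domain, n, repeated in hits:
            print(f"{client}: {domain} x{n} ({'REPEATED' if repeated else 'once'})")
```

In practice the baseline would come from a learning period over the PoS segment’s resolver logs, and the back-office host is deliberately left out of scope here because its legitimate traffic profile is far broader.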
By Brian Foster, CTO, Damballa
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.