US-CERT Updates Point-of-Sale Warnings – Backoff Malware Variants Continue to Evolve

By ISBuzz Team, Writer, Information Security Buzz | Sep 10, 2014 05:04 pm PST

A few weeks ago, US-CERT (the United States Computer Emergency Readiness Team) issued an updated advisory warning that the ‘Backoff’ Point-of-Sale malware continues to evolve. More recently, UPS confirmed that it is one of the latest victims of Backoff. US-CERT has now seen five variants of Backoff, each with notable modifications, and the malware has turned up in at least three separate forensic investigations. Because the variants are largely undetected by antivirus products, US-CERT recommends that organizations monitor for indicators of compromise (IOCs) to determine whether they have been infected.
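As an added example (not part of the original article, and not US-CERT's own tooling), the following Python sweep checks host artefacts and proxy log lines against an IOC list of the kinds such advisories publish: file hashes, drop paths, persistence registry keys, mutex names and command-and-control hostnames. Every IOC value, host record and log line below is a hypothetical placeholder constructed for the example, not a Backoff indicator; the point is the matching logic, which needs no antivirus signature and works on the current indicators once they are substituted in.

```python
"""IOC sweep over host artefacts and proxy logs.

Added example, not from the original article or from US-CERT. All IOC values
and sample data are constructed placeholders; replace IOCS with the indicators
from the current advisory before running this against real hosts.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "host kind indicator evidence")

# Hypothetical IOC set (constructed). Keys are the indicator categories an
# advisory typically publishes; values are already lower-cased for matching.
IOCS = {
    "sha256": {"0" * 64},                                   # placeholder hash
    "path_suffix": {r"\appdata\roaming\example\svc.exe"},   # placeholder drop path
    "regkey": {r"hkcu\software\microsoft\windows\currentversion\run\examplesvc"},
    "mutex": {"example_mutex_1"},
    "c2": {"c2.example.invalid"},
}


def normalize(value):
    """Case-fold and unify slashes so casing or slash style cannot defeat a match."""
    return value.strip().lower().replace("/", "\\")


def sweep_host(host):
    """Return every IOC hit found in one host inventory record."""
    hits = []
    name = host["name"]
    for path, digest in host.get("files", []):
        npath = normalize(path)
        if digest.lower() in IOCS["sha256"]:
            hits.append(Hit(name, "sha256", digest.lower(), path))
        for suffix in IOCS["path_suffix"]:
            if npath.endswith(suffix):
                hits.append(Hit(name, "path", suffix, path))
    for key in host.get("run_keys", []):
        nkey = normalize(key)
        if nkey in IOCS["regkey"]:
            hits.append(Hit(name, "regkey", nkey, key))
    for mutex in host.get("mutexes", []):
        nmutex = mutex.strip().lower()
        if nmutex in IOCS["mutex"]:
            hits.append(Hit(name, "mutex", nmutex, mutex))
    return hits


# Constructed proxy log format: "<date> <time> host=<name> dst=<fqdn>:<port> bytes=<n>"
PROXY_RE = re.compile(r"host=(?P<host>\S+)\s+dst=(?P<dst>[^:\s]+)")


def sweep_proxy_log(lines):
    """Flag outbound connections to known C2 hosts; malformed lines are skipped."""
    hits = []
    for line in lines:
        match = PROXY_RE.search(line)
        if not match:
            continue
        dst = match.group("dst").lower()
        if dst in IOCS["c2"]:
            hits.append(Hit(match.group("host"), "c2", dst, line.strip()))
    return hits


def run_sweep(hosts, proxy_lines):
    hits = []
    for host in hosts:
        hits.extend(sweep_host(host))
    hits.extend(sweep_proxy_log(proxy_lines))
    return hits


def flagged_hosts(hits):
    """Distinct hosts with at least one hit, sorted for stable reporting."""
    return sorted({hit.host for hit in hits})


# Constructed sample inventory: POS-07 carries every indicator, POS-12 is clean.
SAMPLE_HOSTS = [
    {
        "name": "POS-07",
        "files": [
            (r"C:\Users\cashier\AppData\Roaming\Example\svc.exe", "0" * 64),
            (r"C:\Windows\System32\notepad.exe", "ab" * 32),
        ],
        "run_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleSvc"],
        "mutexes": ["Example_Mutex_1", r"Global\Unrelated"],
    },
    {
        "name": "POS-12",
        "files": [(r"C:\Windows\System32\notepad.exe", "ab" * 32)],
        "run_keys": [],
        "mutexes": [],
    },
]

# Constructed proxy log lines, including one malformed entry.
SAMPLE_PROXY_LOG = [
    "2014-09-01 12:00:01 host=POS-07 dst=c2.example.invalid:443 bytes=512",
    "2014-09-01 12:00:03 host=POS-12 dst=updates.vendor.example:443 bytes=2048",
    "corrupted line with no fields",
]

if __name__ == "__main__":
    for hit in run_sweep(SAMPLE_HOSTS, SAMPLE_PROXY_LOG):
        print(f"{hit.host}: {hit.kind} matched {hit.indicator} ({hit.evidence})")
    print("flagged hosts:", flagged_hosts(run_sweep(SAMPLE_HOSTS, SAMPLE_PROXY_LOG)))
```

The sweep treats a drop path as a suffix match after normalisation so that per-user profile directories still hit, and matches C2 traffic from the proxy log rather than from the host, which is the one indicator a compromised endpoint cannot easily hide from the network.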


Point-of-Sale (PoS) systems continue to be an attractive target for highly sophisticated criminal gangs because they constitute a gateway to customer data, including credit card information. They are also usually insufficiently protected, especially when compared to typical enterprise systems located in data centers or corporate networks.

As criminals have had greater success exploiting PoS systems (at Target, Neiman Marcus, Michaels, etc.), we expect them to keep investing significant resources not just in new variants of existing PoS malware but in entirely new families that can stay undetected for longer. Until the transition to EMV (chip and PIN) for card-present transactions is broadly complete, PoS malware will continue to deliver a high return on investment for its creators. Note that EMV reduces the value of stolen card data by making counterfeit cards far harder to produce; it does not by itself stop malware from scraping card data out of PoS memory, which is why it needs to be paired with the encryption measures discussed below.

The real key is a layered approach that raises the cost of stealing credit card information for criminals and helps identify IOCs faster and more effectively. There are several ways businesses can go about this:

– Retailers may want to consider investing in a black-market monitoring service that provides early warning of large credit/debit card breaches driven by PoS malware (as the Target breach was). Any data collected by malware on PoS terminals quickly ends up for sale on the black market, so a sudden appearance of a retailer's cards there is an indicator that a severe infection is under way and spreading. By proactively monitoring those indicators, institutions can take additional steps to counter the threat before it results in a system-wide compromise.

– Credit card monitoring can be very useful, especially at financial institutions' call centers, since fraudsters tend to call in to verify, and gather additional information about, the card they have just purchased on the black market.

– Eventually retailers should look to enforce end-to-end encryption so that cardholder data is never handled or displayed in clear text, combined with tokenization and EMV (chip and PIN).

For additional recommendations on how retailers can protect themselves from emerging PoS malware and its variants, check out our blog from earlier this year:

By Damien Hugo, Product Manager, Easy Solutions

About Easy Solutions

Easy Solutions is the only security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Our products range from anti-phishing and secure browsing to multifactor authentication and transaction anomaly detection, offering a one-stop shop for multiple fraud prevention services.