Nearly 600 businesses impacted by POS malware attack

Hijacked RDP access led to POS infections by Backoff malware


The United States Secret Service, working with Trustwave, has discovered a series of attacks in the retail sector that use customized malware to infect POS systems. The crime itself isn't overly technical: the criminals behind it use poorly defended remote access points to reach a POS terminal and infect it.

According to a US CERT advisory, the attackers are targeting poorly protected instances of RDP, including services from Microsoft, Apple, Chrome, Splashtop 2, Pulseway, LogMeIn, and Join.Me.

Once the RDP resource is located, the attackers behind these recent campaigns brute force the account password – if one even existed – and install the POS malware.

The attacks have been ongoing since October 2013 and continue to operate in some parts of the country. Until AV vendors update signatures, the malware used in these attacks is largely undetected.

Trustwave, which has been assisting in the investigation, has seen at least three variations of the POS malware itself (called Backoff) since it took on the case.

Once installed, the malware scrapes memory for card track data, logs keystrokes, and communicates externally with a command and control server for additional instructions. A compromised POS system can expose credit and debit card data, names and addresses, as well as any other information that is stored on the system.

"In the past month, we have seen nearly 600 businesses, mainly in the retail industry, infected by the Backoff malware. We are currently working on four investigations alone - all in which criminals broke into point-of-sale systems by using stolen credentials to log in through remote access software. The malware then sits on the system, gathers the credit card numbers, encrypts the information and sends it out to servers owned by the criminals," commented Karl Sigler, the Threat Intelligence Manager at Trustwave.

"Businesses typically purchase or rent PoS systems from vendors that specialize in the technology. After installing PoS systems for a business, vendors often use remote access software to help the business fix any technical issues it may have with the technology. Due to weak passwords and the lack of two factor authentication, the criminals were able to get a hold of actual login credentials to the remote access software and plant malware on the system."

Earlier this month, a Vancouver, Washington-based POS and security systems provider, Information Systems & Supplies Inc., notified customers that a remote-access compromise could have exposed card data. According to a letter that IS&S sent customers, the attackers targeted LogMeIn accounts.

Offering some essential advice to retailers who might be impacted by this incident, or are concerned that they could be, Sigler said that the first step is to secure access.

"Since the initial foothold was via poor passwords on the remote access software, strong passwords are essential and moving to two-factor authentication could drastically reduce their risk," he said.

"It also makes sense to change the default ports used by their remote access software. A lot of the brute force software was simply doing an automated scan for defaults. If they aren't on those default ports, they may fly under the criminals' radar."

Moreover, monitoring outbound network traffic, either through a firewall or router logs, and looking for anomalies or traffic destined to systems outside their control, could help organizations flag malware early.

Finally, the aforementioned US CERT advisory details several mitigation steps and protective measures organizations can take.

Such steps include enabling lockout measures, limiting the number of authorized users for a given workstation, and limiting the account permissions by restricting administrative access.
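The two defensive measures above, watching outbound traffic for destinations outside the organization's control and using lockout to blunt password guessing against remote access, can both be checked from logs a retailer already has. The script below is an added illustration, not part of the original article or of any Trustwave or US CERT material: it parses constructed firewall and remote-access logon lines, flags POS hosts that connected to addresses outside a constructed allowlist, and flags sources whose failed-logon count reached the lockout threshold (and whether a success followed, which is the pattern of a brute-forced password). The hostnames, address ranges, log formats and threshold are all assumptions made for the example.

```python
"""Audit constructed firewall and remote-access logon lines for two warning
signs: POS hosts talking to destinations outside the organization's control,
and repeated failed remote-access logons that account lockout would stop.
All addresses, hosts and log formats here are constructed for illustration."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the only destinations a POS terminal should legitimately reach
# (payment processor range, POS vendor support host, internal network).
ALLOWED_DESTINATIONS = [
    ip_network("203.0.113.0/24"),    # example payment processor range
    ip_network("198.51.100.10/32"),  # example POS vendor support host
    ip_network("10.0.0.0/8"),        # internal addresses
]
# Constructed: addresses of the POS terminals we care about.
POS_HOSTS = {"10.0.5.11", "10.0.5.12"}

# Constructed firewall log: timestamp action src dst dport
FIREWALL_LOG = """\
2014-07-30T10:01:02 ALLOW 10.0.5.11 203.0.113.40 443
2014-07-30T10:02:15 ALLOW 10.0.5.11 192.0.2.77 443
2014-07-30T10:03:01 ALLOW 10.0.5.12 198.51.100.10 3389
2014-07-30T10:04:30 ALLOW 10.0.7.3 192.0.2.77 80
2014-07-30T10:05:12 ALLOW 10.0.5.12 192.0.2.77 8080
"""

# Constructed remote-access logon log: timestamp result user src
LOGON_LOG = """\
2014-07-30T02:00:01 FAIL administrator 192.0.2.200
2014-07-30T02:00:02 FAIL administrator 192.0.2.200
2014-07-30T02:00:03 FAIL administrator 192.0.2.200
2014-07-30T02:00:04 FAIL administrator 192.0.2.200
2014-07-30T02:00:05 FAIL administrator 192.0.2.200
2014-07-30T02:00:06 SUCCESS administrator 192.0.2.200
2014-07-30T09:15:00 SUCCESS svc_support 198.51.100.10
"""

FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")
LOGON_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) (\S+) (\S+)$")


def is_allowed_destination(dst):
    """True if dst falls inside any allowlisted network."""
    addr = ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def unexpected_outbound(log_text):
    """Return (src, dst, dport) for permitted outbound connections from POS
    hosts to destinations that are not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        _ts, action, src, dst, dport = m.groups()
        if action != "ALLOW" or src not in POS_HOSTS:
            continue
        if not is_allowed_destination(dst):
            findings.append((src, dst, int(dport)))
    return findings


def brute_force_sources(log_text, threshold=5):
    """Return {src: (failure_count, success_followed)} for every source that
    reached `threshold` failed logons; a later success from the same source is
    the signature of a guessed password that lockout would have prevented."""
    failures = Counter()
    succeeded_after = set()
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        _ts, result, _user, src = m.groups()
        if result == "FAIL":
            failures[src] += 1
        elif failures[src] >= threshold:
            succeeded_after.add(src)
    return {src: (n, src in succeeded_after)
            for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for src, dst, port in unexpected_outbound(FIREWALL_LOG):
        print(f"POS host {src} reached non-allowlisted {dst}:{port}")
    for src, (n, success) in brute_force_sources(LOGON_LOG).items():
        print(f"{src}: {n} failed logons, success afterwards: {success}")
```

In practice the allowlist would be built from the processor's and vendor's published addresses, and the logon records would come from the remote-access product's own audit log; the point of the check is that a POS terminal has a very small set of legitimate destinations, so anything outside it is worth a look.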

In nearly every case, the infected POS had remote access enabled for an account with administrator rights, allowing the attackers free access to install anything they wished.
