A Q&A with Karl Sigler of Trustwave
The Secret Service estimates that there have been over 1,000 data breaches at point-of-sale (POS) systems via the Backoff malware. I asked Karl Sigler, Threat Intelligence Manager at Trustwave and a member of the team that initially identified Backoff, to explain this insidious malware and why retailers should be concerned about it.
Can you explain what the Backoff malware is and how it works?
Backoff is malware that gets installed on Windows-based POS terminals. It does many of the typical things we see in POS malware—it grabs and sends off credit card numbers, monitors keystrokes (for instance, if a cashier types in a credit card number), and it also scrapes the system’s memory for any credit cards that might have been processed by software rather than added via a keyboard. Then it uses what looks like web browsing traffic to send this information to servers controlled by criminals.
It has been reported in the past that RAM scraper malware was used to access and steal credit card data at larger retailers. Is this the same thing as Backoff?
Pretty much all POS malware works in the same way. Whether it is Backoff or other POS malware families like Dexter or Alina, they all pretty much have the same features I described before, such as monitoring keystrokes and scraping the memory for data.
How do the bad guys actually install the malware in the POS network?
That’s really the worst thing about this malware, in my opinion. The perpetrators use a very simple attack vector to install it—much simpler than SQL injection or even advanced phishing. Most of the POS systems are either purchased or rented from a vendor that specializes in nothing but these systems, and merchants will often hire the same company to install and manage the system remotely. In many cases the software is never properly locked down and it’s publicly available. All a criminal needs is an automated software tool to scan for the systems and guess the password. Once they have the login, they have the same administrative rights a technician has, and they then have access to install the malware.
How did Backoff evade what one would assume would be relatively tight security at the major retailers that were attacked?
The idea that retailers have relatively tight security and don’t rely on third party vendors is an assumption. Many retailers have large gaps in their security and most use third party vendors to some extent. But, in the end, if one avenue is cut off for criminals, they will try other paths. For instance, there have been major breaches where the criminals infiltrated the businesses’ third party custodial/cleaning services. They used the physical access gained after hours with minimal oversight to infect critical systems with malware.
How can a company detect Backoff before it does damage and/or mitigate any exposure going forward?
Implementing even the bare minimum of best security practices would eliminate the potential for Backoff to get into the system—in other words, strong passwords on POS systems or even two-factor authentication. POS system access should be limited only to vendors and technicians. Monitoring the system for anomalous traffic would help flag an attack early on. For instance, if you see the POS system connecting to a server in another country, that should raise a red flag. Too often vendors are more concerned with software functionality than with its security, and if you don’t have that expertise in-house it can be difficult to sort this out. If that’s the case, then engaging a third party that specializes in security audits and monitoring may be your best bet.
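The two signals Karl describes, the password-guessing entry vector against an exposed remote-management service and a POS terminal talking to a server it has no business talking to, can both be pulled out of ordinary logs. The Python below is an added example written for this page, not code from the interview or from Trustwave; the log formats, the addresses, the POS subnet and the egress allowlist are all assumptions, and every log line is constructed.

```python
"""Added example (not from the interview or Trustwave): two detections for the
Backoff scenario, run over constructed log lines.

1. Password guessing against the POS remote-management service: a burst of
   failed logins from one source, optionally followed by a success.
2. Anomalous egress from the POS VLAN: a terminal reaching any destination that
   is neither an internal network nor on the allowlist of known-good endpoints.

Log formats, addresses, the POS subnet and the allowlist are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed remote-management auth log: "<iso-timestamp> <event> <src-ip> <user>"
AUTH_LOG = """\
2014-08-01T02:14:03 LOGIN_FAILED 203.0.113.45 admin
2014-08-01T02:14:05 LOGIN_FAILED 203.0.113.45 admin
2014-08-01T02:14:06 LOGIN_FAILED 203.0.113.45 pos
2014-08-01T02:14:08 LOGIN_FAILED 203.0.113.45 admin
2014-08-01T02:14:09 LOGIN_FAILED 203.0.113.45 support
2014-08-01T02:14:11 LOGIN_FAILED 203.0.113.45 admin
2014-08-01T02:14:12 LOGIN_OK 203.0.113.45 admin
2014-08-01T09:30:00 LOGIN_FAILED 192.0.2.10 tech
2014-08-01T09:30:20 LOGIN_OK 192.0.2.10 tech
"""

# Constructed egress firewall log from the POS VLAN: "<iso-timestamp> <src-ip> <dst-ip> <dst-port>"
FW_LOG = """\
2014-08-01T02:20:00 10.20.0.11 198.51.100.7 443
2014-08-01T02:20:05 10.20.0.11 10.20.0.1 53
2014-08-01T02:21:00 10.20.0.11 203.0.113.200 80
2014-08-01T02:26:00 10.20.0.11 203.0.113.200 80
2014-08-01T03:00:00 10.20.0.12 198.51.100.7 443
"""

POS_SUBNET = ip_network("10.20.0.0/24")            # assumed POS VLAN
INTERNAL_NETS = [ip_network("10.0.0.0/8"),          # assumed internal ranges
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
EGRESS_ALLOWLIST = [ip_network("198.51.100.0/24"),  # assumed payment processor
                    ip_network("192.0.2.10/32")]    # assumed vendor management host


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: {"failures": n, "succeeded_after": bool}} for every source
    with at least `threshold` failed logins inside `window`. A LOGIN_OK from the
    same source after the burst is the footprint of a guessed password."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        ts, event, src, _user = line.split()
        t = parse_ts(ts)
        if event == "LOGIN_FAILED":
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "succeeded_after": False})
                a["failures"] = max(a["failures"], len(q))
        elif event == "LOGIN_OK" and src in alerts:
            alerts[src]["succeeded_after"] = True
    return alerts


def detect_anomalous_egress(log_text, pos_subnet=POS_SUBNET, allowlist=EGRESS_ALLOWLIST):
    """Return {(src, dst, port): count} for POS hosts reaching destinations that
    are neither internal nor on the allowlist. The count exposes beaconing."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _ts, src, dst, port = line.split()
        s, d = ip_address(src), ip_address(dst)
        if s not in pos_subnet:
            continue
        if any(d in net for net in INTERNAL_NETS + allowlist):
            continue
        counts[(src, dst, int(port))] += 1
    return dict(counts)


if __name__ == "__main__":
    print("password guessing:", detect_password_guessing(AUTH_LOG))
    print("anomalous egress:", detect_anomalous_egress(FW_LOG))
```

Because Backoff's exfiltration is dressed up as web browsing, filtering on port alone misses it; a POS terminal has a short, knowable list of legitimate destinations (processor, vendor management host, internal services), so any connection outside that list is the signal, whatever port it uses. Likewise a burst of failures followed by a success from the same source is the shape of a guessed password, not a mistyped one, and is the moment to look for the install that follows.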
How difficult is it to eradicate the malware once found?
The biggest issue is that until you know what it looks like you don’t always know what to look for, and the system appears to operate normally. It really goes under the radar. Since the IoCs (Indicators of Compromise) were only just released in July, even with skilled personnel and tight security, no one knew what to look for in most cases. Once detected, it’s actually easy to get rid of—especially compared to other malware we’ve seen in the past—because it installs itself in a couple of places and copies the keys to the registry to make sure it always gets restarted on reboot. When those registry keys are identified an admin can delete them and any associated files immediately.
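Karl's cleanup step, find the registry entries that restart the malware at boot and delete them along with their files, is an audit of the Run key. Below is an added example, not from the interview or from Trustwave, that parses a constructed .reg export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and flags entries whose executable lives in a user-writable directory such as AppData or Temp, where a vendor-installed agent would not normally live. The entry names and paths are invented for illustration and are not Backoff's published indicators.

```python
"""Added example (not from the interview or Trustwave): audit a .reg export of
the per-user Run key for autoruns whose binary sits in a user-writable path.
Entry names and paths are invented; they are not Backoff's actual indicators.
"""
import re

# Constructed export, as produced by `reg export` of the Run key (hypothetical entries).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\POSVendor\\agent.exe\" /svc"
"WinHelper"="C:\\Users\\pos\\AppData\\Roaming\\WinHelper\\svchost.exe"
"Updater"="\"C:\\Users\\pos\\AppData\\Local\\Temp\\upd.exe\""
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Directories a per-user autorun should not normally point into (assumption).
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_run_key(reg_text):
    """Return {value_name: command} for string values under a ...\\CurrentVersion\\Run key.
    .reg files escape backslash and double-quote with a backslash; undo that."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            entries[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return entries


def executable_path(command):
    """Extract the program path from a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_autoruns(reg_text):
    """Return [(value_name, path)] for entries whose binary lives in a suspect directory."""
    findings = []
    for name, cmd in parse_run_key(reg_text).items():
        path = executable_path(cmd)
        if any(d in path.lower() for d in SUSPECT_DIRS):
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for name, path in suspicious_autoruns(REG_EXPORT):
        print(f"suspect autorun {name!r} -> {path}")
```

On the terminal itself the same check runs against `reg query` output. Once a value is confirmed as malicious, `reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v <name> /f` removes the autorun and the file it pointed at is removed separately, which is the two-part cleanup Karl describes; the machine-wide HKLM Run keys deserve the same pass.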
Karl did a terrific job summarizing a major POS threat and a continuing (and growing) worry, both for retailers trying to safeguard their customers' credit card data and for the many insurance carriers that cover cyber liability risk. The retail industry in particular draws persistent attackers, and new POS malware families and attack vectors keep surfacing.
In a related vein, please see the Junto interview with Verizon’s Chris Novak, who talks about POS issues and PCI’s challenging task of addressing the newest threats in each version of the data security standards. “…Because PCI is a compliance standard it can only address the known issues. That means it lags behind the threats and risks of the real world because perpetrators will always find the holes…”
And finally, see the interview on ‘PCI 3.0’ security standard updates by Greg Rosenberg of Trustwave, which impacts any retailer who outsources their processing.