Backoff POS

A strain of Point-of-Sale (POS) malware called Backoff POS was deemed threatening enough to be the subject of an advisory published by the Department of Homeland Security and the U.S. Secret Service. According to the agencies' warning, the campaign that deployed the payload continued for over a year. The same advisory revealed that seven Point-of-Sale system providers and vendors had confirmed that more than 1,000 of their clients had been impacted by the malware. Additional victims will most likely emerge from the private sector, and the compromised entities could be of any size.

Backoff POS is quite effective at exfiltrating sensitive payment data from businesses. The threat uses a range of techniques to obtain customer payment details and credit card information: it can perform RAM scraping, install keyloggers and inject code into legitimate processes already running on the infected device. For example, once inside the breached Point-of-Sale device, Backoff POS injects code into 'explorer.exe', enabling it to scrape the device's memory and harvest credit card numbers before they are encrypted and sent to the payment processor. The malware then opens a backdoor channel through which it exfiltrates the collected data. The injected code is also responsible for the persistence mechanism that lets the threat resume its activity if it is forcibly stopped or a crash occurs. The Command-and-Control (C2, C&C) infrastructure for the campaign allows the attackers not only to receive the data stolen by Backoff POS but also to deliver updates to the malware, instruct it to download and execute additional payloads, or tell it to delete itself if the criminals want to cover their tracks.

Organizations should take the necessary steps to strengthen their defenses against threats like Backoff. One of the most effective measures is to avoid default, weak or popular passwords for account credentials and authentication steps. Indeed, the initial attack vector of the Backoff campaign, through which the payload gained access, was to brute-force the credentials of a remote desktop or remote administration application.
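Because the campaign began with guessed remote desktop credentials, the most useful early detection is a burst of failed RDP logons from one source, especially when a successful logon follows it. The script below is an added example (not code from the advisory or any vendor) that runs over constructed sample events in a simplified pipe-separated form; the event IDs 4625/4624 and logon type 10 are the real Windows values for failed/successful logon and RemoteInteractive (RDP) sessions, while the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), "timestamp|event_id|logon_type|user|src_ip".
# Windows event 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_EVENTS = """\
2014-07-31T02:00:01|4625|10|administrator|203.0.113.7
2014-07-31T02:00:03|4625|10|admin|203.0.113.7
2014-07-31T02:00:04|4625|10|pos|203.0.113.7
2014-07-31T02:00:06|4625|10|administrator|203.0.113.7
2014-07-31T02:00:08|4625|10|root|203.0.113.7
2014-07-31T02:00:09|4624|10|administrator|203.0.113.7
2014-07-31T02:10:00|4625|10|cashier|198.51.100.9
2014-07-31T03:00:00|4625|3|svc|198.51.100.9
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, ltype, user, src = line.split("|")
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, src))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons in a sliding window and
    note whether a successful RDP logon from that source followed the burst."""
    fails, wins = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, user, src in events:
        if ltype != 10:
            continue  # only RemoteInteractive (remote desktop) logons matter here
        if eid == 4625:
            fails[src].append((ts, user))
        elif eid == 4624:
            wins[src].append(ts)
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            burst = [a for a in attempts[i:] if a[0] - start <= window]
            if len(burst) >= threshold:
                alerts[src] = {
                    "failed_attempts": len(burst),
                    "usernames": sorted({u for _, u in burst}),
                    "success_after_burst": any(t >= burst[-1][0] for t in wins[src]),
                }
                break  # one alert per source is enough
    return alerts
```

A source that is flagged with `success_after_burst` set to true is the case to treat as a likely compromise rather than noise, since a guessed credential has already worked.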
