Alert: Beware POS Malware BackoffCERT-In Issues Alert, Offers Mitigation Tips
Taking cues from the United States Secret Service and Department of Homeland Security, CERT-In has issued an advisory about the Backoff point-of-sale malware, which is said to have infected more than 1,000 U.S. merchants.
Experts note that there are no reported cases of Backoff infections in India so far, but caution against organizations taking a complacent attitude.
"The malware propagates by scanning for systems with remote desktop applications enabled," the advisory says. "Successful compromise allows the attacker to infect the system further with the POS malware that can steal customer payment card data."
Similar to other POS malware such as Scraper, Dexter etc., Backoff uses a technique known as "RAM Scraping" to steal credit card and transaction information for malicious purposes. Backoff has been linked to numerous remote-access attacks on POS systems, especially on small merchants in the U.S. In a typical attack, hackers exploit remote-access vulnerabilities on POS systems to install the malware and exfiltrate data.
Backoff is known to be capable of scraping memory for track I and II data, logging keystrokes and injecting a malicious stub into explorer.exe to maintain persistence. Backoff has five identified variants and has been implicated in the recent UPS Stores breach as well, although UPS has yet to confirm that the malware was indeed Backoff.
In response to queries from Information Security Media Group, a senior official at CERT-In says the advisory was released in response to the malware activities emerging globally. Although there are currently no reported incidents from India, CERT-In has advised organizations, merchants and users to take appropriate precautions to prevent infections and card data leakage.
The CERT-In official says merchants and banks deploying POS systems and online services need to assess the risk of compromise of their networks. While adopting security best practices and conducting periodic audits will help in mitigating the risk, the systems need to be segregated according to their criticality. Applications and services that are essentially needed should only be enabled on critical systems.
CERT-In notes that administrative privileges to user accounts need to be judiciously provided, and appropriate devices such as IPS, firewalls and UTM should be deployed and monitored at the perimeter of networks.
Some salient points in the advised countermeasures include:
- Keep all POS systems thoroughly updated;
- Watch for incorrect login attempts, and monitor authentication logs for repetitive failed login attempts;
- Allow RDP login on an as-needed basis;
- Ensure that the networks where POS systems reside are properly segmented from the non-payment network.
Wait and Watch
Dharshan Shantamurthy, CEO at Bengaluru-based SISA, a compliance services and training provider, says that it is a wait-and-watch situation in India. CERT-In had released another notification around the BrutePOS malware in August, but there are no reported breakouts, he notes. The immediate solution that SISA has suggested to its clients is to ensure that none of these POS systems can be accessed remotely.
"The challenges facing mitigation are threefold," Shantamurthy says. "Lack of awareness and use of outdated and legacy systems by small and medium merchants exacerbates this risk, in addition to the fact that most of these systems do not reside on segmented, secure networks."
Vendors have yet to release a Backoff patch. Until they do, the industry needs to tread carefully, he cautions.
Prateek Rastogi, managing consultant at Trustwave, the firm originally credited with discovery of Backoff, advises organizations to revisit their payment security programs and consult with their IT security and point of sale (POS) vendors, banks and payment partners, as a matter of urgency. Ensuring proper implementation and maintenance of the security controls outlined in PCI DSS will help, he says.