Backoff Point-of-Sale Malware: Here We Go Again

The Secret Service, the National Cybersecurity and Communications Integration Center (NCCIC), and their partners announced yesterday in US-CERT Alert TA14-212A (available at www.us-cert.gov/ncas/alerts/TA14-212A) that recent investigations have uncovered malicious actors using a family of malware, dubbed "Backoff," to steal consumer payment-card data from point-of-sale terminals. Backoff is the latest in a seemingly endless line of tools used to obtain unauthorized access to credit and debit card account data from point-of-sale systems, and it calls for an immediate response.

According to the Alert, the actors gain their initial foothold through remote desktop applications ("RDAs"), common software tools that allow a computer to be operated from another location. Such applications are a practical necessity for companies that run IT support from a central location but operate point-of-sale terminals at many dispersed sites such as malls and retail stores. The actors locate internet-reachable RDAs and brute-force the login, trying username and password combinations until a valid pair is found, in order to obtain administrative or other privileged accounts. Because the RDA is exposed to the internet, every weak or default password on it is effectively a public door. Once inside, the actors deploy Backoff to harvest payment and consumer data, including customer names, mailing addresses, credit/debit card numbers, phone numbers, and email addresses.
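The password guessing described above leaves a distinctive trail in the terminal's own Windows Security log. The following is an added example, not code from the Alert or from Kroll: it runs over a constructed export of logon-failure (Event ID 4625) and logon-success (Event ID 4624) records and reports every source that exceeds a failure threshold inside a time window, noting whether a successful logon from that source followed the burst. The export field layout, the threshold and the window are assumptions to be tuned against real logs.

```python
"""Flag RDP password guessing in an exported Windows Security log.

Added example; not part of the US-CERT Alert or Kroll's guidance. The records
below are constructed to look like Event ID 4625 (logon failure) and 4624
(logon success) entries reduced to the fields a SIEM export carries.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip).
# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP logons are commonly recorded as type 3 instead, so both
# types are examined by default.
GUESSED = ["administrator", "admin", "pos", "posadmin", "manager",
           "administrator", "admin", "root", "user", "posadmin",
           "posadmin", "posadmin"]
SAMPLE_EVENTS = [
    ("2014-07-30T02:14:%02d" % (3 * i), 4625, 3, acct, "203.0.113.7")
    for i, acct in enumerate(GUESSED)
] + [
    ("2014-07-30T02:15:00", 4624, 10, "posadmin", "203.0.113.7"),  # a guess succeeded
    ("2014-07-30T08:00:00", 4625, 10, "cashier1", "10.20.0.5"),    # one typo from a known host
    ("2014-07-30T08:00:20", 4624, 10, "cashier1", "10.20.0.5"),
]


def find_bruteforce(events, threshold=10, window=timedelta(minutes=5),
                    logon_types=(3, 10)):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed remote logons inside any `window`, and record whether a
    successful logon from that source followed the burst (the case that needs
    an incident response, not just a firewall rule)."""
    by_ip = defaultdict(list)
    for ts, eid, ltype, acct, ip in sorted(events):  # ISO-8601 strings sort chronologically
        if ltype in logon_types and eid in (4624, 4625):
            by_ip[ip].append((datetime.fromisoformat(ts), eid, acct.lower()))

    findings = {}
    for ip, recs in by_ip.items():
        failures = [(ts, acct) for ts, eid, acct in recs if eid == 4625]
        start = 0
        for end in range(len(failures)):  # sliding window over the failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end][0]
                success = next((acct for ts, eid, acct in recs
                                if eid == 4624 and ts >= burst_end), None)
                findings[ip] = {
                    "failures": len(failures),
                    "distinct_accounts": len({acct for _, acct in failures}),
                    "success_after_burst": success,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, summary in find_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

A source with many distinct account names in a short burst is the signature of a dictionary attack rather than a forgotten password; a 4624 from the same source after the burst means the account should be treated as compromised and the terminal examined for the indicators in the tables below, not merely blocked.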

Backoff includes several variants that have been in use since at least October 2013. The variants are generally capable of (i) scraping the memory of the infected terminal for payment-card data, (ii) logging keystrokes typed by users of the infected terminal, and (iii) communicating with a central command-and-control server to upload stolen data, update the malware itself, and uninstall the malware in an effort to avoid detection.
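What the memory-scraping capability actually hunts for is magnetic-stripe track data left in cleartext in the payment process's memory. As an added example (not from the Alert), the check below applies the same Track 2 pattern a scraper would use to a constructed memory buffer and uses a Luhn checksum to discard digit runs that are not card numbers; a defender can run it over a dump of the POS payment process to learn whether the terminal exposes anything worth scraping in the first place. The buffer and the PANs in it are constructed test values, not real cards.

```python
"""Check a process memory dump for cleartext magnetic-stripe Track 2 data.

Added example, not from the Alert. Track 2 = PAN (13-19 digits), '=', expiry
as YYMM, a 3-digit service code, discretionary data, optional '?' sentinel.
SAMPLE_DUMP is a constructed buffer; 4111111111111111 is a standard test PAN.
"""
import re

TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\??")

SAMPLE_DUMP = (
    b"\x00\x10heap junk\xff\xfe"
    + b"MSR read: ;4111111111111111=1512101000000000?"   # valid test PAN
    + b"\x00" * 8
    + b"log=;4111111111111112=1512101000000000?"         # fails Luhn: not a card
    + b"\x00txn_id=1234567890123=0000"                   # digits, but no track structure
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes):
    """Return one record per Track 2 candidate with the PAN masked to its
    first six and last four digits, so the report itself is not card data."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry_yymm": m.group(2).decode(),
            "luhn": luhn_ok(pan),
        })
    return hits


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(hit)
```

A terminal whose payment process yields Luhn-valid hits here is exposed to any memory scraper, Backoff or its successor; the durable fix is encryption of track data at the card reader, so that nothing in application memory is worth scraping.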

The loss of the data Backoff targets carries obvious consequences, most notably the obligation to notify affected consumers and the damage to brand and reputation. Companies can, however, take concrete technical steps to limit the harm and the resulting liability. First, the Backoff indicators disclosed in the Alert, reproduced in Tables 1–6 below, can be used by a company's network security team to search company systems for the malware. Note that the file hashes identify only the samples analyzed to date; a repacked sample will have a different hash, so the install paths, registry keys, mutexes, and network indicators should be searched as well. Kroll, a provider of end-to-end cybersecurity services, additionally advises a defense-in-depth mitigation strategy with the following initial and subsequent steps (described for IT personnel in technical terms):

Initial Steps

  • Change the port on which the RDA listens for connections. This reduces exposure to opportunistic scans but does not stop an attacker who scans every port, so it complements the steps below rather than replacing them.
  • Limit the number of failed login attempts and lock the account (or the RDA itself) once that number is reached.
  • Allow the point-of-sale terminal's RDA to accept connections from known IP addresses only (the so-called whitelist approach).
  • Require multi-factor authentication to start any RDA session.
  • Require RDA connections to be made over encrypted, authenticated channels.
  • Use an RDA gateway to broker and log all access.

Subsequent Steps

  • Implement file-integrity monitoring on the point-of-sale terminals that tracks all changes to the file system and registry.
  • Review and verify all point-of-sale software updates from vendors before they are installed.
  • Maintain centralized reporting of all changes to point-of-sale terminals.
  • Track and restrict outbound traffic from point-of-sale terminals (a terminal has no legitimate reason to contact arbitrary internet hosts), and have the IT response team review that traffic regularly.

We anticipate that affected companies will learn of their status from the Secret Service in the coming weeks, and a company's response will necessarily need to be thorough and swift in order to satisfy all applicable legal requirements. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that privacy and data security compliance obligations are met.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.

Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com

Richard J. Johnson
Dallas
+1.214.969.3788
jjohnson@jonesday.com

Jonathan Fairtlough, Managing Director and Deputy Practice Leader for Kroll Cyber Security, contributed to this Alert. Jonathan can be reached at 213.598.4181 or at jfairtlough@kroll.com.


The following tables reproduce the Backoff indicators from the Alert, which a company's network security team can use to search for the presence of Backoff on company systems. "Packed" hashes are of each sample as delivered; "Unpacked" hashes are of the same sample after its packer has been removed. Install paths and written files are given relative to the %APPDATA% directory of the logged-on user.

TABLE 1 – Indicators for Backoff Variant 1.4

  Packed MD5        927AE15DBF549BD60EDCDEAFB49B829E
  Unpacked MD5      6A0E49C5E332DF3AF78823CA4A655AE8
  Install Path      %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
  Mutexes           uhYtntr56uisGst
                    uyhnJmkuTgD
  Files Written     %APPDATA%\mskrnl
                    %APPDATA%\winserv.exe
                    %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
  Static String     zXqW9JdWLM4urgjRkX
  (POST Request)
  Registry Keys     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
                    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
  User-Agent        Mozilla/4.0
  URI(s)            /aircanada/dark.php

TABLE 2 – Indicators for Backoff Variant 1.55 "backoff"

  Packed MD5        F5B4786C28CCF43E569CB21A6122A97E
  Unpacked MD5      CA4D58C61D463F35576C58F25916F258
  Install Path      %APPDATA%\AdobeFlashPlayer\mswinhost.exe
  Mutexes           Undsa8301nskal
                    uyhnJmkuTgD
  Files Written     %APPDATA%\mskrnl
                    %APPDATA%\winserv.exe
                    %APPDATA%\AdobeFlashPlayer\mswinhost.exe
                    %APPDATA%\AdobeFlashPlayer\Local.dat
                    %APPDATA%\AdobeFlashPlayer\Log.txt
  Static String     ihasd3jasdhkas
  (POST Request)
  Registry Keys     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
                    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
  User-Agent        Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
  URI(s)            /aero2/fly.php

TABLE 3 – Indicators for Backoff Variant 1.55 "goo"

  Packed MD5        17E1173F6FC7E920405F8DBDE8C9ECAC
  Unpacked MD5      D397D2CC9DE41FB5B5D897D1E665C549
  Install Path      %APPDATA%\OracleJava\javaw.exe
  Mutexes           nUndsa8301nskal
                    nuyhnJmkuTgD
  Files Written     %APPDATA%\nsskrnl
                    %APPDATA%\winserv.exe
                    %APPDATA%\OracleJava\javaw.exe
                    %APPDATA%\OracleJava\Local.dat
                    %APPDATA%\OracleJava\Log.txt
  Static String     jhgtsd7fjmytkr
  (POST Request)
  Registry Keys     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
                    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
  User-Agent        (not listed)
  URI(s)            /windows/updcheck.php

TABLE 4 – Indicators for Backoff Variant 1.55 "MAY"

  Packed MD5        21E61EB9F5C1E1226F9D69CBFD1BF61B
  Unpacked MD5      CA608E7996DED0E5009DB6CC54E08749
  Install Path      %APPDATA%\OracleJava\javaw.exe
  Mutexes           nUndsa8301nskal
                    nuyhnJmkuTgD
  Files Written     %APPDATA%\nsskrnl
                    %APPDATA%\winserv.exe
                    %APPDATA%\OracleJava\javaw.exe
                    %APPDATA%\OracleJava\Local.dat
                    %APPDATA%\OracleJava\Log.txt
  Static String     jhgtsd7fjmytkr
  (POST Request)
  Registry Keys     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
                    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
  User-Agent        (not listed)
  URI(s)            /windowsxp/updcheck.php

TABLE 5 – Indicators for Backoff Variant 1.55 "net"

  Packed MD5        0607CE9793EEA0A42819957528D92B02
  Unpacked MD5      5C1474EA275A05A2668B823D055858D9
  Install Path      %APPDATA%\AdobeFlashPlayer\mswinhost.exe
  Mutexes           nUndsa8301nskal
  Files Written     %APPDATA%\AdobeFlashPlayer\mswinhost.exe
                    %APPDATA%\AdobeFlashPlayer\Local.dat
                    %APPDATA%\AdobeFlashPlayer\Log.txt
  Static String     ihasd3jasdhkas9
  (POST Request)
  Registry Keys     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
                    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
  User-Agent        (not listed)
  URI(s)            /windowsxp/updcheck.php

TABLE 6 – Indicators for Backoff Variant 1.56 "LAST"

  Packed MD5        12C9C0BC18FDF98189457A9D112EEBFC
  Unpacked MD5      205947B57D41145B857DE18E43EFB794
  Install Path      %APPDATA%\OracleJava\javaw.exe
  Mutexes           nUndsa8301nskal
                    nuyhnJmkuTgD
  Files Written     %APPDATA%\nsskrnl
                    %APPDATA%\winserv.exe
                    %APPDATA%\OracleJava\javaw.exe
                    %APPDATA%\OracleJava\Local.dat
                    %APPDATA%\OracleJava\Log.txt
  Static String     jhgtsd7fjmytkr
  (POST Request)
  Registry Keys     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
                    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
                    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
                    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
                    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
  User-Agent        Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
  URI(s)            /windebug/updcheck.php