Understanding and Combating the Looming Threat of Backoff POS Malware
Following the flood of recent data breaches, many may be wondering how or why companies are still inadvertently allowing data to be compromised, despite the vast security measures available to them today.
The truth is that many blackhats looking to enter a system start by identifying insecure remote access. In fact, the Department of Homeland Security brief on Backoff malware points out that of the 1,000 or more businesses affected, the majority were compromised through remote access that lacked sufficient security measures.
Hackers search for such weaknesses, and once one is located it is just a matter of moments before they can connect to the machine remotely, often gaining administrative privileges in the process. With those privileges, it is easy for them to download the Backoff malware onto the machine and send credit card data to a destination of their choosing.
Gaining access, however, is only one step toward the hacker's overall goal: retrieving sensitive information from systems with malicious intent.
Backoff lets criminals remotely control the infected system, seizing credit card data out of memory, writing files containing sensitive authentication data, and transmitting the stolen information using standard HTTP POST requests. This has led to some of the biggest credit card thefts in history.
Protecting Against New and Unknown Threats
The first version of Backoff sent data in clear text, which could be identified by an intrusion detection system (or network sniffer). These tools examine the data traveling over a network and can detect credit card data, preventing malicious traffic from being sent from a point-of-sale (POS) system.
Clever cybercriminals stay a step ahead, however, by creating new and enhanced versions of malware and attack techniques. Need proof? The latest version of Backoff, Backoff ROM, was updated to encrypt outbound credit card data, making the previous sniffer detection and prevention methodology ineffective. To a network sniffer, encrypted data appears as gibberish, removing any recognizable patterns.
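The following is an added example, not code from the original article or from Netsurion, showing in miniature what the sniffer-based detection described above does and why encryption defeats it. It scans an outbound POST for card-number patterns (13 to 19 digits passing the Luhn check) and then runs the same scan over a copy whose body has been encrypted. The cipher, the field names, the host name and the test card number 4111111111111111 are all constructed for the demonstration; the encryption routine is a hash-based keystream stand-in and is not Backoff's actual scheme.

```python
import hashlib
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list:
    """Return the Luhn-valid card numbers visible in a raw outbound payload."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def should_block(payload: bytes) -> bool:
    """Policy a simple content-inspecting egress filter would apply."""
    return bool(find_pans(payload))


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the malware's encryption (hash keystream XOR).
    Not Backoff's real scheme; any cipher has the same effect on the sniffer."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample: a track-2-style record carrying a public test PAN
# (4111111111111111 is a well-known test number, not a real account).
HEADERS = b"POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
CLEARTEXT_BODY = b"op=upload&id=terminal-07&data=;4111111111111111=25121010000000000000?"
CLEARTEXT_POST = HEADERS + CLEARTEXT_BODY


def encrypted_post(key: bytes = b"constructed-demo-key") -> bytes:
    """The same record as CLEARTEXT_POST, with the body encrypted before sending."""
    return HEADERS + toy_encrypt(CLEARTEXT_BODY, key)


if __name__ == "__main__":
    for label, pkt in (("cleartext", CLEARTEXT_POST), ("encrypted", encrypted_post())):
        print(f"{label:9s} PANs seen: {find_pans(pkt)}  block={should_block(pkt)}")
```

Run against the cleartext packet the filter sees the PAN and blocks; run against the encrypted copy it sees nothing, although the same data is leaving the network. Once the body is opaque, what remains for a defender is the metadata (destination, volume, timing) and host-side controls, which is the point the article makes next.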
It typically takes several months for security and anti-virus providers to identify a new malware strain and incorporate protection against it into their products and services. Factoring in the time and effort needed to fully deploy the updates, the affected systems run unprotected, on out-of-date software, for months.
The glaring issue here is that software solutions such as anti-virus programs are usually between six and 12 months behind major malware releases, and therefore not enough to protect against sophisticated threats. Companies need to embrace a more holistic approach when looking to protect their businesses.
Maintaining an effective defense against all vulnerabilities, new and unknown, along with forward-thinking initiatives to protect against other modes of cyberattack, requires techniques that focus on blocking the behaviors that attackers use, rather than any one specific attack or malware.
Firewall installation and proper configuration are integral parts of security, but what happens when the firewalls aren't set up correctly? Many SMBs rely on internal IT teams that lack the security expertise or discipline required to continually monitor firewall security, keep abreast of the latest threats and make the adjustments necessary to thwart attacks. A large portion of these businesses mistakenly believe a firewall can be set up once and will continue to provide adequate protection indefinitely.
Effective firewall protection requires a combination of continually updated technology complemented by expert monitoring and adjustment. Firewall protection falls short when businesses fail to initially configure their firewalls properly, or when they deploy firewalls that may lack particular modes of protection necessary to thwart attacks like Backoff.
Having a dedicated security expert managing your firewall can make the difference between a costly breach and a bullet-proof defense. A security expert will be able to recognize when an unusual event has occurred, investigate to determine the level of danger it poses, and then take the appropriate measures to ward off present and future attacks. A common complaint about data security is that the steps required to maintain protection interfere with efficiency, so employees blur the line or outright circumvent the security measures, which quickly leads to a breakdown in the overall protection of the network.
This isn't to say that you have to compromise efficiency for security. What is closer to the truth is the need for understanding throughout the company on why security initiatives and processes were determined as best practices in the first place, and continuing to follow through with them.
Protecting Your Business
Some of the methods that protect against Backoff are fairly basic security measures, which too many retailers have ignored. These methods are recommended regardless of initiatives like the Payment Card Industry Data Security Standard (PCI-DSS).
First and foremost, verify your remote access is secure. This includes using:
- two-factor authentication;
- complex passwords;
- unique credentials; and
- access logging.
Following the advice above ensures that the passwords in place are strong enough that cracking them is not worth the time and energy, especially since two-factor authentication adds a factor that hackers rarely have direct access to. Using unique credentials, with a single user per username, means activity can be tracked back to a specific person.
In addition, developing a proper firewall protection program that limits both inbound and outbound traffic to the necessary minimum is critical. Consistently reviewing your practices, and updating them when necessary, is key to making sure that you are, and stay, protected.
Proper management of security and consistent maintenance should be the goal of any security program. Malware will remain a significant issue for businesses that accept credit cards in the foreseeable future, and it's essential that all businesses are aware of how to secure their environments. Taking the necessary steps now will help keep your company’s name off the long list of retailers that have fallen victim to a hack attack.
Kevin Watson is the CEO of Netsurion, a provider of data security and computer network management services for multilocation businesses.