Backoff and BlackPOS Malware Hammers More Retailers and Restaurants

Frank Crast, Co-founder and CEO

The month of August was another action-packed month for hackers and a security nightmare for many retailers and restaurant establishments. Some of the more notable data breach victims this past month included supermarket giants SUPERVALU and Albertsons, UPS Stores and restaurant chains P.F. Chang's and Dairy Queen, to name a few. Many small merchants have also been warned of the elevated PoS malware threat.

Several strains of malware, including Backoff and BlackPOS, that target Point-of-Sale (PoS) systems are the root of many of the retail breaches. Kaspersky Labs further describes why this "RAM scraping" malware is so effective: it pilfers credit card data before the data is encrypted on the PoS device or server. On certain PoS devices, payment card data is briefly decrypted and held in random access memory in plain text for payment authorization, and that window is what the malware exploits.

In this article, we will outline a chronology of recent events and some lessons learned, starting with an earlier warning from DHS about the Backoff malware. The report proved to be an accurate forecast of what was to come, as more retailers reported infiltrations of malware that led to data breaches.
DHS Warns of Backoff Malware
On Tuesday, July 31st, the U.S. Department of Homeland Security (DHS) warned that new Point-of-Sale (PoS) malware had been detected. The report, "Backoff: New Point of Sale Malware" was quickly circulated throughout the security community in the first week of August. 

According to DHS, the malware reaches PoS devices through systems running a variety of remote desktop programs, including the popular Windows Remote Desktop (RDP) and Apple Remote Desktop. The malware had been spotted in several recent forensic PoS data breach investigations. This warning proved to be prophetic (or at least accurate), as more data breaches related to Backoff (or other strains of PoS malware) were revealed throughout the month.
P.F. Chang's Restaurants Breached
On August 4th, credit card data was reported stolen from 33 P.F. Chang's China Bistro restaurants. The company CEO issued a statement on the security compromise:
"Since being alerted to the security compromise that we believe may have affected certain domestic P.F. Chang's China Bistro restaurants, our team has worked continuously to investigate the security compromise and to ensure the security of our guests' credit and debit card information. The security compromise has been contained and P.F. Chang's has been processing credit and debit card data securely at all locations since June 11, 2014.
We have identified certain P.F. Chang's China Bistro branded restaurants in the continental United States where we believe certain credit and debit cards used during specified time frames may have been compromised...No Pei Wei branded restaurants have been affected by this security compromise."

Another restaurant chain, Dairy Queen, would later report a data breach that may have been related to the Backoff malware. The company was still investigating and working with authorities to determine the full extent of the breach.  
SUPERVALU and Albertsons Supermarkets Hit
In mid-August, grocery giants Albertsons and SUPERVALU warned of potential data breaches on or around Thursday, August 14th. AB Acquisition LLC, operator of Albertsons, ACME Markets, Jewel-Osco, and Shaw's and Star Markets, issued a press release stating that intruders gained unauthorized access to customer payment card information between June 22 and July 17, 2014. The alleged breach also affected its third-party IT services provider, SUPERVALU, which also operates several other major grocery brands. Both companies were allegedly compromised by Backoff malware or similar strains of PoS malware.
Target: Breach Has Big Impact on Bottom Line for 2014
On Wednesday, August 20th, Target cut its full-year outlook for 2014 after the Q4 2013 breach of 40 million customer credit cards. Some of the financial impacts from the breach were included in a company press release:
  • Since the data breach in fourth quarter 2013, the Company has incurred total net breach-related expenses of $146 million, reflecting $236 million of gross expenses, partially offset by the recognition of a $90 million insurance receivable.
  • Year-to-date net pre-tax data breach expenses of $129 million, or (13) cents per share.
  • Net pre-tax data breach expenses of $111 million, or (11) cents per share.

As noted, the expenses are huge and most likely do not include potential brand damage and loss of customer trust. Earlier in the year, Brian Krebs reported that the malware used in the Target attack was known as BlackPOS, "a specialized piece of malware designed to be installed on PoS devices and record all data from credit and debit cards swiped through the infected system." Update 9/7: Brian Krebs reported that BlackPOS was the same malware used in the recently discovered Home Depot breach.
Data Breach at 51 UPS Stores
On the same day, August 20th, UPS Stores disclosed that 51 of its stores across 24 states had been breached, with intrusions beginning as early as March and continuing as late as August 11th. Later that same week, on Friday, the Backoff malware was deemed the culprit, according to a report in The New York Times.

Homeland Security and the Secret Service issued the advisory "Backoff Malware: Infection Assessment" on August 22nd and warned that nearly 1,000 U.S. businesses may have been infected with the Backoff malware, the same or a similar form of PoS malware that had allegedly infected numerous large retailers such as Target, SUPERVALU and UPS Stores. According to the DHS advisory, seven Point of Sale (PoS) vendors had reported that multiple clients were affected.
New Variations of Backoff and BlackPOS Spotted
On August 25th, Trustwave reported that it had discovered two new variants of Backoff, called "Wed" and version "1.57", in the wild in late July. Similar to other strains, the malware scrapes memory from running processes on PoS devices in order to steal credit card data. Trend Micro Labs found another strain of BlackPOS that targets retail accounts and "disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems."
There is no telling whether these variants will have as much impact on the retail sector as previous strains.
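The Trend Micro finding above (a service posing as anti-virus software) suggests a simple defensive audit: compare each installed service's display name against known AV vendor names, and flag any "AV" service whose executable lives outside the directories a legitimately installed product would use. The script below is an added example written for this article, not code from Trustwave, Trend Micro or any vendor; the service inventory, vendor keyword list and trusted path roots are constructed assumptions that a practitioner would replace with an export from the PoS host (for example the output of `sc query` or Get-Service on Windows).

```python
"""Audit a Windows service inventory for services that claim to be AV software
but run from an untrusted location.  Constructed example data; hypothetical names."""

# Constructed service inventory (name, display name, binary path, vendor string from version info).
# The last two entries are made-up impostors for demonstration only.
SERVICES = [
    ("WinDefend", "Windows Defender Antivirus Service",
     r"C:\Program Files\Windows Defender\MsMpEng.exe", "Microsoft Corporation"),
    ("McAfeeFramework", "McAfee Agent Service",
     r"C:\Program Files\McAfee\Agent\masvc.exe", "McAfee, LLC"),
    ("Spooler", "Print Spooler",
     r"C:\Windows\System32\spoolsv.exe", "Microsoft Corporation"),
    ("AVUpdateSvc", "McAfee Update Service",
     r"C:\Users\pos\AppData\Roaming\svcupd.exe", ""),            # constructed impostor
    ("NortonSvc", "Norton Security",
     r"C:\ProgramData\temp\ns.exe", "Symantec"),                  # constructed impostor
]

# Assumed vendor keywords; extend with whatever products are actually deployed.
AV_VENDOR_KEYWORDS = ("defender", "mcafee", "norton", "symantec", "kaspersky",
                      "trend micro", "sophos", "avast", "eset", "antivirus")

# Assumed directories under which a properly installed product's binary should live.
TRUSTED_ROOTS = (
    r"c:\program files\\",
    r"c:\program files (x86)\\",
    r"c:\windows\system32\\",
)


def looks_like_av(display_name: str) -> bool:
    """True if the display name borrows a known AV product or vendor name."""
    lowered = display_name.lower()
    return any(keyword in lowered for keyword in AV_VENDOR_KEYWORDS)


def is_trusted_path(path: str) -> bool:
    """True if the binary lives under one of the assumed install roots."""
    lowered = path.lower().replace("\\\\", "\\")
    return any(lowered.startswith(root.replace("\\\\", "\\")) for root in TRUSTED_ROOTS)


def audit_services(services):
    """Return a list of (service name, reason) findings for AV look-alike services
    that run from user-writable or temporary locations, or carry no vendor string."""
    findings = []
    for name, display_name, path, vendor in services:
        if not looks_like_av(display_name):
            continue  # only services claiming to be AV software are in scope
        reasons = []
        if not is_trusted_path(path):
            reasons.append(f"binary outside trusted install roots: {path}")
        if not vendor.strip():
            reasons.append("no vendor string in file version info")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for service_name, reason in audit_services(SERVICES):
        print(f"SUSPICIOUS {service_name}: {reason}")
```

Path checks alone are a heuristic: a real audit would also verify the executable's Authenticode signature and compare the service's binary hash against the deployed product's known-good hash, which is exactly the information an application allowlisting product maintains.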
Next Steps to Combat PoS Malware
In conclusion, PoS malware such as Backoff and BlackPOS has been around for some time and in some cases dates as far back as 2008. This highlights just how proactive companies will need to be in preventing and detecting such threats in the future.

Some protective safeguards against PoS malware include:
  • Isolation and segmentation of PoS systems from other networks, enforced with firewalls
  • Security monitoring software, such as advanced anti-malware
  • Application whitelisting to prohibit unauthorized software from running or being installed
  • Two-factor authentication for remote access to systems
  • Strong access controls that restrict access to least privilege, together with sound password management

Small businesses must also understand the dangers of using the same systems for both PoS and "general business purposes"; such systems are a prime target for attackers when they are not thoroughly protected. DHS strongly encourages merchants of all sizes to scan their systems for possible malware compromise and to lock down remote access and PoS systems.
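The segmentation and remote-access controls listed above only help if someone checks that they hold. The script below is an added example (not from the article, DHS or any vendor) that turns the policy "PoS registers accept remote desktop sessions only from the management subnet" into a check over remote logon records. The log format, host names, the 10.10.5.0/24 management subnet and the IP addresses are all constructed assumptions; in practice the lines would come from Windows security events or the firewall that fronts the PoS VLAN.

```python
"""Flag remote desktop logons to PoS hosts that did not originate from the
management network.  Constructed log lines and policy values; hypothetical names."""
import ipaddress
import re

# Assumed policy: PoS hosts are named POS-*, and only jump hosts in 10.10.5.0/24
# may open remote desktop sessions to them (constructed values).
POS_HOST_PREFIX = "POS-"
MANAGEMENT_SUBNET = ipaddress.ip_network("10.10.5.0/24")

# Constructed sample log lines (RFC 5737 documentation addresses used for the outside sources).
SAMPLE_LOG = """\
2014-08-11T02:14:05Z host=POS-REG-03 event=rdp_logon user=posadmin src=10.10.5.21 result=success
2014-08-11T02:31:48Z host=POS-REG-03 event=rdp_logon user=posadmin src=203.0.113.45 result=success
2014-08-11T09:02:11Z host=BACKOFFICE-01 event=rdp_logon user=jsmith src=10.10.20.7 result=success
2014-08-11T11:45:30Z host=POS-REG-07 event=rdp_logon user=vendor_support src=198.51.100.9 result=success
2014-08-11T11:50:02Z host=POS-REG-07 event=rdp_logon user=vendor_support src=198.51.100.9 result=failure
2014-08-11T12:00:00Z host=POS-REG-07 event=service_start user=SYSTEM src=- result=success
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    timestamp, _, rest = line.strip().partition(" ")
    record = {"ts": timestamp}
    record.update(FIELD_RE.findall(rest))
    return record


def is_management_source(src: str) -> bool:
    """True if the source address falls inside the assumed management subnet."""
    try:
        return ipaddress.ip_address(src) in MANAGEMENT_SUBNET
    except ValueError:
        return False  # '-' or a malformed address never counts as trusted


def audit_remote_access(log_text: str):
    """Return the parsed records for remote desktop logon attempts (successful or not)
    against PoS hosts from outside the management subnet."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record.get("event") != "rdp_logon":
            continue
        if not record.get("host", "").startswith(POS_HOST_PREFIX):
            continue
        if is_management_source(record.get("src", "")):
            continue
        violations.append(record)
    return violations


if __name__ == "__main__":
    for v in audit_remote_access(SAMPLE_LOG):
        print(f"VIOLATION {v['ts']} {v['host']} user={v['user']} src={v['src']} ({v['result']})")
```

Failed attempts are reported alongside successful ones on purpose: a PoS register should never see a remote desktop attempt from an untrusted source at all, so a failure is still a sign that either the segmentation or the firewall rule is not doing its job.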

More guidance on PoS system security can be found here

This article was originally published on