On Monday, the US-CERT (United States Computer Emergency Readiness Team) issued an updated advisory, warning that the ‘Backoff’ Point-of-Sale malware continues to evolve. And just today, UPS confirmed that it is the newest likely victim of Backoff. US-CERT has now seen five variants of ‘Backoff’, each with notable modifications, and the malware has been found in at least three separate forensic investigations. They note that the variants are largely undetected by AV vendors, and recommend that in lieu of such protection, organizations should monitor for ‘indicators of compromise’ (IOCs) to determine if they have been infected.
Point-of-Sale (POS) systems continue to be an attractive target for highly sophisticated criminal gangs, because they are the gateway to a treasure trove of customer data, including full credit card information. They are also usually under-protected when compared to typical enterprise systems that reside in a data center or on a corporate network.
We expect that as criminals have gained greater success in exploiting these systems (at Target, Neiman Marcus, Michaels, etc.), they will continue to invest significant ‘R&D’ resources into creating not just new variants of existing POS malware, but entirely new families that can remain undetected for longer periods of time. Until the transition to EMV (Chip and PIN) for credit card transactions gains widespread adoption, POS malware will continue to deliver a high ROI for its creators.
The real key here is a layered approach, which raises the cost and difficulty of stealing credit card information for criminals, and which identifies IOCs faster and more effectively. There are several ways businesses can go about doing this:
- Retailers may want to consider investing in a black-market monitoring service, which provides early warning of massive credit/debit card breaches driven by POS malware (as the Target breach was). Any data collected by malware on POS terminals will quickly end up on the black market. Black-market monitoring can mitigate losses and also serve as an indicator that a severe infection is under way. By proactively monitoring for indicators of compromise, institutions can take additional steps to shut down threats before they result in system-wide compromise.
- Additionally, credit card monitoring can be very useful for financial institutions’ call centers, as fraudsters tend to call in to verify card information and gain additional details about the owner of a card they have just purchased on those black markets.
- Eventually, retailers should look to enforce end-to-end encryption from the keypad all the way to the issuing and acquiring networks, so that no clear-text personal information is ever available to malware; this includes tokenization, chip and PIN, etc.
For additional recommendations on how retailers can protect themselves from emerging POS malware and its variants, check out our blog from earlier this year.