In August the U.S. Department of Homeland Security issued an advisory for the Backoff point-of-sale malware campaign, which the government agency claimed may have infected more than 1,000 U.S. businesses to that point. A similar advisory was issued by the FBI at the beginning of this year against other RAM-scraping malware variants, but despite those warnings, new research now shows that attackers are continuing to utilize Backoff to a devastating effect.
For its Q3 State of Infections Report, advanced threat detection vendor Damballa monitored for Backoff malware infections among enterprise customers that allow the vendor to scan their POS traffic. Though it has been described by security experts as a fairly standard variant of RAM-scraping POS malware, Backoff has become noteworthy due to its reported role in a number of high-profile retail breaches over the past year, including Neiman Marcus, Sally Beauty Supply, P.F. Chang's and most recently Dairy Queen.
According to Damballa's research, those retailers are just a drop in the bucket when it comes to the number of potential Backoff victims. The vendor spotted a 57% increase in Backoff infections from the beginning of August -- the US-CERT issued the first Backoff advisory on July 31 -- until the beginning of September. Even with the DHS warning, which included instructions for retailers on how to mitigate Backoff, Damballa found that infections rose a further 27% from the beginning until the end of September.
Damballa CTO Brian Foster said that too many retailers are still relying on traditional antivirus technologies to keep POS systems safe, even though the DHS advisory suggested a number of additional precautions, including securing the remote desktop applications being used by attackers to spread Backoff and configuring firewalls to accept communications from only known IP addresses and ports.
As a result, Backoff's authors can continue making small alterations to the malware's code in order to bypass antivirus products. To prove how simple that process can be for attackers, Damballa's researchers tested the Sinowal malware against 55 AV products and found that 45 were able to detect it. The researchers then altered the malware by repackaging Sinowal as a Windows Help program file, a process that took less than two minutes, and found that only one of the 55 AV products could detect the new file.
Foster noted that the retail industry's response to Backoff is especially worrying ahead of the U.S. holiday shopping period, which is typically the most lucrative time of the year for those companies, unless they suffer an attack like the one Target did in 2013.
"Enterprises haven't done a good enough job getting their POS traffic to a central point" where it can be monitored for malicious activity, said Foster. "I'm sure that by the end of this holiday season, antivirus products will be really good at detecting Backoff, but by then, attackers will have moved on to something else."
Foster urged retailers to rethink how they are securing POS environments, and to increase what have typically been paltry security budgets -- earlier this year, advisory firm IDC Retail Insights pegged U.S. retail security spending at 2% of overall tech budgets per store.
From a consumer perspective, Foster said that mobile wallet options like the newly launched Apple Pay platform, Google Wallet and others are likely to provide a more secure shopping experience than paying with traditional payment cards. Consumers should also pay close attention to bank and credit card statements for any unusual activity, he noted.
Above all else, Foster encouraged consumers to act with their wallets and punish retailers that haven't implemented the necessary security measures to fend off Backoff and the other POS malware variants that are sure to arrive.
"When you look at Target and their earning statements post-breach, they claimed big hits in their business, but then we continue to see all these other retailers get hit," said Foster. "So I would like to see consumers hold the retailers accountable for protecting their data."
Backoff may be stealing headlines at the moment, but it's hardly the only point-of-sale malware variant that retailers need to worry about. Home Depot, which suffered one of the largest retail breaches ever, said it was victimized by previously unknown malware. The FBI's warning from earlier this year also put a spotlight on other POS malware variants like Alina.