A recently discovered malware family known as Backoff has been linked to numerous remote-access attacks on the point-of-sale (POS) systems of smaller merchants. A joint alert from the Department of Homeland Security, the Secret Service and the Financial Services Information Sharing and Analysis Center (FS-ISAC) notes that Backoff is a recently discovered family of POS malware that has so far been identified in at least three separate forensic investigations.
The alert goes on to say that law enforcement has so far linked Backoff to the compromise of hundreds of merchant POS networks, and that many more merchants have likely been infected and are presently unaware of the malware running on their systems. Small businesses are the most frequent targets of remote-access attacks because they typically have the weakest network security protections. Chris Hague of Trustwave, who first identified and named Backoff, says "In the cases we've reviewed, poor passwords with remote access were to blame. Many companies use remote access, and if you're not using two-factor authentication, it makes it easy for hackers to brute-force those passwords."
The typical Backoff attack does not begin with a software flaw but with the remote-access login itself: the attacker finds a remote desktop service that is reachable from the Internet and guesses weak or default passwords until one works. With valid remote-access credentials, the attacker logs in to the POS system through that remote portal and installs Backoff. The malware collects cardholder and other transaction data from the system and then exfiltrates it to a server the attacker controls. According to the Department of Homeland Security, the remote-access applications most often targeted in this way include Apple Remote Desktop, Chrome Remote Desktop, Join.me, LogMeIn and Microsoft Remote Desktop. The weakness in these cases is not the applications themselves but how they are deployed: exposed to the Internet and protected by nothing more than a guessable password.
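The password guessing described above leaves a clear trace: a burst of failed Remote Desktop logons from one address, often cycling through several account names. The script below is an added example written for this page, not code from the DHS/USSS/FS-ISAC alert or from Trustwave; it flags that pattern in Windows Security log data. The function name, the threshold of 10 failures in 5 minutes, and the sample addresses and account names are all assumptions chosen for illustration.

```powershell
# Added example (not from the alert). Event ID 4625 is a failed logon and
# LogonType 10 is RemoteInteractive, i.e. Remote Desktop. On a live host the
# events come from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# and the TargetUserName, LogonType and IpAddress fields are read from each
# event's XML. A constructed sample is used here so the script runs offline.

function Get-BruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,   # failures per source before alerting (assumed value)
        [int] $WindowMinutes = 5     # sliding window length (assumed value)
    )
    $alerts = @()
    # Only Remote Desktop failures matter here; network (type 3) and local
    # failures are left to other rules.
    $rdpFailures = @($Events | Where-Object { $_.LogonType -eq 10 })
    foreach ($group in ($rdpFailures | Group-Object -Property IpAddress)) {
        $times = @($group.Group | Sort-Object -Property TimeCreated | ForEach-Object { $_.TimeCreated })
        # Sliding window: from each failure, count failures in the next WindowMinutes.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $windowEnd = $times[$i].AddMinutes($WindowMinutes)
            $inWindow  = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $windowEnd }).Count
            if ($inWindow -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    IpAddress = $group.Name
                    Failures  = $inWindow
                    FirstSeen = $times[$i]
                    Accounts  = (($group.Group.TargetUserName | Sort-Object -Unique) -join ', ')
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# Constructed sample: 12 RDP failures in 3 minutes from one address cycling
# through three account names (the pattern to catch), two mistyped passwords
# from an office workstation (should not alert), and one network-logon
# failure (wrong logon type, ignored). Addresses and names are made up.
$t0 = Get-Date -Date '2014-08-01 02:10:00'
$Sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{
            TimeCreated    = $t0.AddSeconds(15 * $_)
            IpAddress      = '198.51.100.23'
            TargetUserName = @('administrator', 'pos', 'backoffice')[$_ % 3]
            LogonType      = 10
        }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(20); IpAddress = '10.0.0.5'; TargetUserName = 'manager'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(21); IpAddress = '10.0.0.5'; TargetUserName = 'manager'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); IpAddress = '10.0.0.9'; TargetUserName = 'pos';     LogonType = 3 }
)

# Expected: a single row for 198.51.100.23 with 12 failures across
# administrator, backoffice and pos; the workstation's two failures stay quiet.
Get-BruteForceSources -Events $Sample | Format-Table -AutoSize
```

The threshold is deliberately low: a legitimate user rarely fails ten times in five minutes, while a password-guessing tool does so in seconds. Pair this with the account lockout setting in the list below so that the guessing is stopped, not just noticed, and watch for the same source reappearing after the lockout window expires.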
To mitigate the risk posed by these threats, security experts recommend the following steps. Consult your IT professional for assistance with any or all of them.
- Configure account lockout settings so that an account is locked after a small, fixed number of failed login attempts.
- Limit the accounts that can log in remotely to essential personnel only.
- Change the default remote desktop listening port. This hides the service from casual scans of the default port but is not a substitute for the other controls.
- Require two-factor authentication for all remote desktop access.
- Review network firewall configurations to ensure that only permitted ports, services and IP addresses can communicate with the network.
- Segregate payment processing networks from other networks.
- Implement data leakage detection and prevention tools.
- Log security events and review the logs daily; repeated failed remote logins are the earliest sign of the password guessing described above.
- Ensure that automatic updates from third parties are validated before they are installed.
- Add an extra layer of authentication and/or encryption; contact your IT professional for assistance in setting this up.
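Several of these steps are local settings on a Windows host running Microsoft Remote Desktop, so they can be applied in one script. The following is an added example written for this page, not a script from the alert or from any vendor; it implements the lockout policy, the restriction of remote logon to named accounts, the non-default listening port, and the firewall allow-list. The permitted address, the port number and the account name are placeholders to replace before use.

```powershell
# Added example (not from the alert). Run in an elevated PowerShell 5.1 or
# later session on the POS host. Values below are placeholders.
$AllowedRemoteIps = '203.0.113.10'        # support vendor's static address (placeholder)
$NewRdpPort       = 3390                  # non-default listener port (placeholder)
$Essential        = @('POS\svc-vendor')   # the only account(s) allowed to use RDP (placeholder)
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Account lockout: five failures lock the account for 30 minutes, and the
#    failure counter resets after 30 minutes without a failure. This turns a
#    password-guessing run into a trickle of five attempts per half hour.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Limit remote logon to essential personnel: strip the Remote Desktop Users
#    group down to the named accounts. Members of the local Administrators
#    group can log on over RDP regardless, so keep that group small as well.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.Name -notin $Essential } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }
foreach ($account in $Essential) {
    if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $account -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $account
    }
}

# 3. Require Network Level Authentication (credentials are checked before a
#    desktop session is created) and move the listener off TCP 3389.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1
Set-ItemProperty -Path $RdpKey -Name PortNumber        -Value $NewRdpPort

# 4. Firewall: disable the built-in Remote Desktop rules, which admit 3389
#    from any address, and allow the new port only from the permitted source.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName "RDP $NewRdpPort from support vendor only" `
    -Direction Inbound -Protocol TCP -LocalPort $NewRdpPort `
    -RemoteAddress $AllowedRemoteIps -Action Allow -Profile Any

# 5. Restart the Remote Desktop service so the port and NLA changes take
#    effect, then print the settings so the result can be checked.
Restart-Service -Name TermService -Force
Get-ItemProperty -Path $RdpKey | Select-Object PortNumber, UserAuthentication
Get-LocalGroupMember -Group 'Remote Desktop Users'
net accounts
```

Test the new port from the permitted address before closing the old session, or the change can lock out the legitimate administrator as effectively as the attacker. Two-factor authentication for Remote Desktop and the segregation of the payment network are not local host settings: the former needs a Remote Desktop Gateway or a third-party authentication provider, and the latter is a change to the network itself, which is why the list directs you to your IT professional for them.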
It is essential that you take steps to protect your information, and that of your customers.