An advisory released on Aug. 22 by the U.S. Computer Emergency Readiness Team (US-CERT) and the Secret Service warned that a malware program they named “Backoff” has affected both Point-of-Sale (PoS) system vendors and approximately 1,000 businesses across the country. Millions of accounts could potentially be compromised. PoS systems are those programs used by retailers to read credit and debit card magnetic strips being swiped at registers to complete a transaction.
While Backoff was first noticed in Oct. 2013 by the Secret Service, the emergency warning stated that at this time neither customers nor companies are aware of this malware attack. That is because software security companies are just now developing programs to identify it.
"Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the 'Backoff' malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected."
Once it infiltrates a program, Backoff can scrape a PoS system's memory for "track data," including the numbers, expiration dates, and PIN codes associated with the cards; install keyloggers; report to a centralized command-and-control server that it has found a way in; and install a backdoor that allows attackers access to the system even if something goes wrong with the primary Backoff executable file.
Companies have been instructed to scan cash register machines, log all network activities and deploy software that can report unusual activity to technicians. For example, a cash register at a store in the US has no reason to communicate with servers in Russia or China.
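As an added illustration of the monitoring advice above (not part of the advisory or of this article's sources), the following Python example reads firewall-style log lines and flags any register connection to a destination outside an allowlist, which generalizes the "wrong country" check to "any destination the register has no reason to reach." The register subnet, the allowlist, the log format and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) layout: registers sit in one subnet with two permitted peers.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("198.51.100.0/28"),  # payment processor (constructed)
    ipaddress.ip_network("10.20.1.10/32"),    # internal patch server (constructed)
]

# Constructed log lines: "timestamp src_ip dst_ip dst_port bytes_out"
SAMPLE_LOG = """\
2014-08-22T09:00:01 10.20.0.11 198.51.100.5 443 2310
2014-08-22T09:00:07 10.20.0.12 198.51.100.5 443 1988
2014-08-22T09:03:44 10.20.0.11 203.0.113.77 80 48213
2014-08-22T09:04:02 10.30.0.5 203.0.113.77 80 512
2014-08-22T09:09:44 10.20.0.11 203.0.113.77 80 51002
not a log line
2014-08-22T09:10:15 10.20.0.12 10.20.1.10 8530 120
"""

def parse_line(line):
    """Return (timestamp, src, dst, port, bytes_out), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), int(parts[4]))
    except ValueError:
        return None

def unusual_pos_traffic(log_text):
    """Total up register connections to destinations not on the allowlist."""
    findings = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] not in POS_SUBNET:
            continue  # malformed line, or the source is not a register
        _, src, dst, port, sent = rec
        if any(dst in net for net in ALLOWED_DESTINATIONS):
            continue  # expected traffic (processor or patch server)
        key = (str(src), str(dst), port)
        findings[key]["connections"] += 1
        findings[key]["bytes_out"] += sent
    return dict(findings)

if __name__ == "__main__":
    print(unusual_pos_traffic(SAMPLE_LOG))
```

Repeated connections from one register to the same unexpected address, as in the sample, are the kind of pattern worth handing to a technician for review.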
Jerome Segura, a senior security researcher at cybersecurity software firm Malwarebytes, noted in an interview that the way Backoff works is not unique. What has changed is that the hackers deploying it have become increasingly sophisticated about identifying high-value computer systems after they've broken into them.
In an interview with media, Brad Maiorino, recently hired as Target’s chief information security officer, said a top priority was what he called “attack surface reduction.” At Target, Mr. Maiorino said he planned to build a security program as tough as what was expected from military contractors.
“All of the same tools and techniques that nation states are using for attacks have been commoditized and are available for sale in the black market,” Mr. Maiorino said. “And for the right amount of money you can go out and create a cybercrime ring at a relatively low cost.”
What can you do as a consumer? Jay Foley of ID Theft Info Source has advised consumers to monitor both credit and debit card accounts carefully. You can do this by checking your accounts every few days online. If you see a purchase you didn’t make, immediately inform both the credit card issuer and the affected merchant. At this time the malware does not appear to affect online purchases, but due to other viruses you should change passwords at least monthly. Consumers will NOT be held responsible for fraudulent purchases. Be aware that hackers may only charge small amounts in the beginning to test the system, so watch for amounts such as $19.99 or even $2.00.
Foley said a strong password is one that contains lower and upper case letters, at least one number and one symbol such as #$&% and is not your email address. It should be at least eight characters long and not be something found on a card or credit application. A good password might be a special word divided by numbers and symbols: Red##woOD63, DogVS6cats$, yrbetTER50%