The United States Computer Emergency Readiness Team (US-CERT) has released an advisory on a family of malware that compromises retailers' point-of-sale systems.
It does so by lifting data from memory, logging keystrokes, controlling communications and inserting malicious code into explorer.exe. So far, US-CERT has discovered the presence of the malware family known as "Backoff" during three forensic investigations of point-of-sale breaches.
Backoff's injection into Windows' explorer.exe, the system process that provides the Windows shell and File Explorer, allows the malicious software to revive itself in the event of a crash or forcible close, according to US-CERT. Its command-and-control communication enables Backoff to transfer intercepted data to the attackers, its keylogging component records keyboard input, and its memory-scraping feature allows it to lift sensitive data from process memory before the information is cleared from temporary storage.
Backoff's point-of-sale attacks can provide criminal groups with access to business and customer names, mailing addresses, credit and debit card numbers, phone numbers and e-mail addresses, according to US-CERT, which described the malicious software as nearly undetectable by antivirus vendors at the time of the advisory.
"These breaches can impact a business' brand and reputation, while consumers' information can be used to make fraudulent purchases or risk compromise of bank accounts," stated US-CERT. "It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now."
The typical targets of Backoff attacks appeared to have been point-of-sale systems that employed remote desktop applications, according to US-CERT. The agency's recent investigations indicated that criminal groups located these businesses using publicly available tools and then used Backoff to gain backdoor access to businesses that used applications such as Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway and LogMeIn Join.Me.
"Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution," stated US-CERT. "After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request."
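The access pattern US-CERT describes (repeated failed logins against a remote desktop service, followed by a successful privileged login from the same source) is one that authentication logs can expose. The following Python is an added example, not code from the advisory or the article; the log format, field names, threshold and IP addresses are constructed assumptions and would need adapting to a real remote desktop product's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers the administrator account and
# then gets in; a second source has a single stray failure; a clerk logs in normally.
SAMPLE_LOG = """\
2014-07-14T02:10:01Z auth=FAIL user=administrator src=203.0.113.7
2014-07-14T02:10:03Z auth=FAIL user=administrator src=203.0.113.7
2014-07-14T02:10:05Z auth=OK user=clerk1 src=192.0.2.10
2014-07-14T02:10:06Z auth=FAIL user=administrator src=203.0.113.7
2014-07-14T02:10:08Z auth=FAIL user=administrator src=203.0.113.7
2014-07-14T02:10:11Z auth=FAIL user=admin src=203.0.113.7
2014-07-14T02:10:14Z auth=FAIL user=administrator src=203.0.113.7
2014-07-14T02:10:20Z auth=FAIL user=clerk2 src=198.51.100.9
2014-07-14T02:10:31Z auth=OK user=administrator src=203.0.113.7
"""

# Assumed line format; a real product's log would need its own pattern.
LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Yield (timestamp, result, user, source) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return findings as (kind, src, user, timestamp) tuples.

    'bruteforce' fires once when a source reaches `threshold` failures inside the
    sliding `window`; 'success_after_bruteforce' fires on any successful login from a
    source that still has `threshold` or more recent failures, i.e. the guess worked."""
    failures = defaultdict(list)  # src -> timestamps of recent failed logins
    findings = []
    for ts, result, user, src in parse(lines):
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:
                findings.append(("bruteforce", src, user, ts))
        elif len(recent) >= threshold:
            findings.append(("success_after_bruteforce", src, user, ts))
        failures[src] = recent
    return findings

if __name__ == "__main__":
    for kind, src, user, ts in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind}: src={src} user={user}")
```

The second finding is the one worth paging on: a success preceded by a burst of failures from the same source is the moment the "administrator or privileged" account in US-CERT's description changed hands.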
US-CERT said it has seen variants of Backoff since October 2013 and found evidence that the family of malicious software was still being used as recently as this July.
As intrusions continue to grow, hitting everything from news organizations to health groups, US-CERT has reminded information security professionals to maintain defense in depth against them. Offering help specific to Backoff, US-CERT has isolated the registry keys that enable network administrators to determine whether the malicious software, or any of its variants, has been injected into their company's PoS systems.