1,000 Businesses Hit By POS MalwareDHS Issues Updated Alert about 'Backoff' Threat
The Secret Service now estimates that more than 1,000 U.S. businesses have had their systems infected by Backoff, a new point-of-sale malware that has been linked to numerous remote-access attacks (see Emerging POS Attacks Target Small Merchants).
See Also: Rethinking Response
On Aug. 22, the Department of Homeland security, which first issued an advisory July 31 about the risks Backoff posed to U.S. business - particularly smaller merchants - warned U.S. businesses that they may have already have been unknowingly compromised.
Now the DHS is encouraging all businesses, regardless of size, to scan their POS systems for a possible compromise.
"Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the 'Backoff' malware," the DHS notes in its new advisory. "Seven POS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected."
Backoff typically exploits businesses' administrator accounts through remote-access software and then exfiltrates consumer cardholder data, the DHS warns.
"DHS strongly recommends actively contacting your IT team, anti-virus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised," according to the Aug. 22 advisory. "The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this POS malware. Companies that believe they have been the victim of this malware should contact their local Secret Service field office and may contact the NCCIC [National Cybersecurity and Communications Integration Center] for additional information."
Commonly used remote desktop applications that may have been compromised include LogMeIn Join.me, Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and Pulseway, the DHS says.
In June, Vancouver, Wash.-based Information Systems & Supplies Inc., a POS vendor that caters to the food-service industry, notified customers that a compromise of its LogMeIn account likely exposed card data associated with POS transactions conducted between Feb. 28 and April 18 of this year.
And then, in late July, the Delaware Restaurant Association notified its membership of a possible LogMeIn compromise that may have exposed card data at a yet-to-be-determined number of Delaware restaurants (see Restaurant Association Warns of Breach).
Most recently, New Orleans restaurant Mizado Cocina on Aug. 19 confirmed that its POS network had been compromised by Backoff. And on Aug. 21, UPS Stores announced that it, too, had suffered a POS compromise linked to retail malware the DHS warned about on July 31 (see New Breaches Tied to Evasive Malware).
UPS, however, has not yet confirmed that the malware used in the attack, which affected 51 of its stores, was, in fact, Backoff.
Whether other high-profile retail breaches, such as the breaches suffered by Target Corp., Neiman Marcus, Sally Beauty, and grocery chains Supervalu and Albertsons, are related to the same Backoff malware has not been revealed by federal authorities.