Victim data paints sorry picture of PoS security
There is currently a lot of buzz about the Backoff point-of-sale Trojan that is designed to steal credit card information from computers that have POS terminals attached.
Trustwave SpiderLab, which originally discovered this malware, posted a very thorough analysis in July. The U.S. Secret Service, in partnership with DHS, followed up with an advisory.
Although very thorough, the existing public analyses of Backoff are missing a very relevant piece of information: the command-and-control (C&C) servers. However, if you have access to the samples it isn’t hard to extract this information. At the end of this document, you can find a full list together with other IOCs (indicators of compromise).
Backoff malware configuration, with C&Cs
We sinkholed two C&C servers that Backoff samples used to communicate with their masters. These C&C servers are used by certain samples that were compiled from January – March 2014. Over the past few days, we observed over 100 victims in several countries connecting to the sinkhole.
There were several interesting victims among them:
- A global freight shipping and transport logistics company with headquarters in North America.
- A U.K.-based charitable organization that provides support, advice and information to local voluntary organizations and community groups.
- A payroll association in North America.
- A state institute connected with information technology and communication in Eastern Europe.
- A liquor store chain in the U.S.
- An ISP in Alabama, U.S.
- A U.S.-based Mexican food chain.
- A company that owns and manages office buildings in California, U.S.
- A Canadian company that owns and operates a massive chain of restaurants.
There are also a lot of home user lines, mostly in the U.S. and Canada, connecting to the sinkhole. This is to be expected as many smaller businesses generally tend to run those rather than dedicated corporate connections.
The success of Backoff paints a very bleak picture of the state of point-of-sale security. Our sinkhole covers less than 5% of the C&C channels and the sinkholed domains only apply to certain Backoff samples that were created in the first quarter of this year. Yet, we’ve seen more than 85 victims connecting to our sinkhole.
Most of these victims are located in North America and some of them are high profile. Taking into account the U.S. Secret Service statement, it’s a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000.
Since its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples. This was likely done to defeat the security controls on the targeted networks. However, the defenses running on a PoS terminal and/or network should not have been affected by this. This speaks volumes about the current state of PoS security, and other cybercriminals are sure to have taken note.
It’s very clear that PoS networks are prime targets for malware attacks. This is especially true in the US, which still doesn’t support EMV chip-enabled cards. Unlike magnetic strips, EMV chips on credit cards can’t be easily cloned, making them more resilient. Unfortunately, the US is adopting chip and signature, rather than chip and PIN. This effectively negates some of the added security EMV can bring.
This may prove another costly mistake. Not adopting EMV along with the rest of the world is really haunting retail in the U.S. and the situation is not likely to change anytime soon.
IOCs / C&Cs:
Trojan file paths:
Kaspersky names for the Trojans:
C&C domains and hostnames:
Sinkholing the Backoff POS Trojan
A point of clarification, based on your initial statement “…designed to steal credit card information from computers that have POS terminals attached.”
The computers ARE the Point of Sale (POS) systems, and more specifically the POS is an application running on the computer. The terminal, or peripheral, that is attached to the computer is technically referred to as the Point of Introduction (POI) device.
In lay terms, it’s the cash registers – not the swipe devices – that are the targets of this malware.
Where did you create the sinkhole(s)? On what servers did you alter records to return “false” information?