
Cybercriminals Deliver Point-of-Sale Malware to 51 UPS Store Locations

UPS Store Data Breach

The UPS Store said on Wednesday that computer systems at several of its franchised center locations had been infected with stealthy malware that went undetected by its anti-virus software and put customer credit and debit card information at risk.

The shipping giant said that it received a government bulletin regarding a "broad-based malware intrusion targeting retailers" in the United States, which prompted the company to hire an IT security firm and conduct a review of its own systems and the systems of its franchised center locations.

The investigation revealed that 51 locations in 24 states had been infected with the malware identified in the bulletin.

While UPS did not provide details on the type of malware that infected its systems, it was likely the “Backoff” malware that the U.S. Government first warned about late last month.

In a report released July 31 by the U.S. Department of Homeland Security’s US-CERT, security experts explained how cybercriminals are using legitimate programs as the first step to break into corporate networks and compromise point-of-sale systems with malware.

The malware used in the attacks is known as 'Backoff', and has been spotted in several separate breach investigations, the report said. Researchers at security firm Trustwave say they had been able to connect the malware to nearly 600 infections of businesses.

In the case of The UPS Store, about 1% of its 4,470 franchised center locations throughout the United States were affected.

According to the company, the information of certain customers who used a credit or debit card at the affected locations between January 20, 2014 and August 11, 2014 may have been exposed.

Customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for each customer, the company said.

"Each franchised UPS Store location is individually-owned and runs independent private networks that are not connected to other franchised center locations," UPS wrote in an advisory notice. "The limited malware intrusion was discovered at only 51 The UPS Store franchised center locations and was not present on the computing systems of any other UPS business entities."

For most locations, the period of exposure to the malware began after March 26, 2014, UPS said, adding that the malware was eliminated from its systems as of August 11, 2014.

According to the DHS report, there are three primary variants of the Backoff malware, which have been spotted as far back as October 2013 and have continued to be seen in the wild. The malware typically has four capabilities: keylogging, scraping process memory for payment card track data, command and control communication, and injecting a malicious stub into explorer.exe.

The earliest variant identified by researchers did not have the keylogging functionality. The UPS Store said there has been no evidence of fraud occurring as a result of the data breach; however, the company is providing identity protection and credit monitoring services to customers whose information may have been compromised.

"This type of malware has been successfully used in some of the biggest retail credit card breaches the security industry has seen, like Target, Neiman Marcus, PF Changs and others," Ken Westin, a security analyst at Tripwire, told SecurityWeek. "The malware itself is sophisticated, but the method of intrusion is not. Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications; then they rely on application vulnerabilities or brute forcing to gain access to systems where they install the malware."
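The intrusion path Westin describes (scanning for exposed remote desktop services, then brute-forcing credentials) leaves a clear trace in the Windows Security log of the targeted system. The following added example, which is not from the article or from any of the vendors it names, flags source addresses that generate a burst of failed RDP logons; the log lines are constructed, and their field layout is a simplified stand-in for the real event 4625 record.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article): simplified Windows Security
# events. 4625 = failed logon; logon type 10 (RemoteInteractive) = over RDP.
SAMPLE_LOG = """\
2014-03-26T02:14:01 EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2014-03-26T02:14:03 EventID=4625 LogonType=10 Account=admin SrcIP=203.0.113.7
2014-03-26T02:14:05 EventID=4625 LogonType=10 Account=pos SrcIP=203.0.113.7
2014-03-26T02:14:08 EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2014-03-26T02:14:10 EventID=4625 LogonType=10 Account=manager SrcIP=203.0.113.7
2014-03-26T02:20:00 EventID=4625 LogonType=10 Account=clerk SrcIP=198.51.100.5
2014-03-26T02:31:00 EventID=4625 LogonType=10 Account=clerk SrcIP=198.51.100.5
2014-03-26T02:31:30 EventID=4625 LogonType=2 Account=clerk SrcIP=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
                     r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)$")

def parse_events(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                   "ltype": int(m["ltype"]), "acct": m["acct"], "ip": m["ip"]}

def rdp_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Map src_ip -> (peak failed RDP logons in one sliding window, distinct
    accounts tried) for sources reaching `threshold` failures in `window_seconds`.
    Many accounts from one source suggests spraying; one account, brute force."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    accounts = defaultdict(set)   # src_ip -> account names attempted
    flagged = {}
    for ev in parse_events(log_text):
        if ev["eid"] != 4625 or ev["ltype"] != 10:
            continue              # only failed RDP logons are of interest
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        accounts[ev["ip"]].add(ev["acct"])
        while ev["ts"] - q[0] > window:
            q.popleft()           # expire attempts older than the window
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ev["ip"], (0, 0))[0])
            flagged[ev["ip"]] = (peak, len(accounts[ev["ip"]]))
    return flagged

if __name__ == "__main__":
    for ip, (n, accts) in rdp_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed RDP logons within 60s across {accts} accounts")
```

The two slow failures from 198.51.100.5 stay below the threshold, which is the kind of noise a mistyped password produces; a rule like this belongs alongside, not instead of, the report's advice to keep remote desktop off the open internet.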

The report from US-CERT, which was a joint effort by DHS, the U.S. Secret Service, the National Cybersecurity and Communications Integration Center, the Financial Services Information Sharing and Analysis Center and Trustwave, also lists a host of recommendations dealing with network security and protecting point-of-sale systems. For example, the report suggests organizations implement hardware-based point-to-point encryption for their cash registers and PoS systems.

A list of affected UPS Store locations is available online.


For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.