Cybercriminals Deliver Point-of-Sale Malware to 51 UPS Store Locations

UPS Store Data Breach

The UPS Store said on Wednesday that computer systems at several of its franchised center locations had been infected with stealthy malware that went undetected by its anti-virus software and put customer credit and debit card information at risk.

The shipping giant said that it received a government bulletin regarding a “broad-based malware intrusion targeting retailers” in the United States, which sparked the company to hire an IT security firm and conduct a review of its systems and the systems of its franchised center locations.

The investigation revealed that 51 locations in 24 states had been infected with the malware identified in the bulletin.

While UPS did not provide details on the type of malware that infected its systems, it was likely the “Backoff” malware that the U.S. Government first warned about late last month.

In a report released July 31 by the U.S. Department of Homeland Security’s US-CERT, security experts explained how cybercriminals are using legitimate programs as the first step to break into corporate networks and compromise point-of-sale systems with malware.

The malware used in the attacks is known as ‘Backoff’ and has been spotted in several separate breach investigations, the report said. Researchers at security firm Trustwave said they had been able to connect the malware to nearly 600 infections at businesses.

In the case of The UPS Store, about 1% of its 4,470 franchised center locations throughout the United States were affected.


According to the company, information belonging to customers who used a credit or debit card at the affected locations between January 20, 2014 and August 11, 2014 may have been exposed.

Customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for each customer, the company said.

“Each franchised UPS Store location is individually-owned and runs independent private networks that are not connected to other franchised center locations,” UPS wrote in an advisory notice. “The limited malware intrusion was discovered at only 51 The UPS Store franchised center locations and was not present on the computing systems of any other UPS business entities.”

For most locations, the period of exposure to the malware began after March 26, 2014, UPS said, adding that the malware was eliminated from its systems as of August 11, 2014.

According to the DHS report, there are three primary variants of the Backoff malware, which have been spotted as far back as October 2013 and continue to be seen in the wild. The malware typically has four capabilities: keylogging, scraping memory for payment card track data, command-and-control communication, and injecting a malicious stub into explorer.exe.

The earliest variant identified by researchers did not have the keylogging functionality. The UPS Store said there has been no evidence of fraud occurring as a result of the data breach; however, the company is providing identity protection and credit monitoring services to customers whose information may have been compromised.

“This type of malware has been successfully used in some of the biggest retail credit card breaches the security industry has seen, like Target, Neiman Marcus, PF Changs and others,” Ken Westin, a security analyst at Tripwire, told SecurityWeek. “The malware itself is sophisticated, but the method of intrusion is not. Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications; then they rely on application vulnerabilities or brute forcing to gain access to systems where they install the malware.”
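The brute-force-then-logon pattern Westin describes is something a defender can hunt for in Windows Security logs on PoS hosts. The following is an added example, not code from SecurityWeek, UPS or the US-CERT report; it assumes a simplified pipe-delimited export of logon events (a constructed format) and uses the standard Windows event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP).

```python
import re
from collections import defaultdict

# Constructed sample, not real log data. One event per line in a simplified
# "EventID|Timestamp|SourceIP|Account|LogonType" layout (an assumption made
# for this example; a real export would be parsed from EVTX/CSV fields).
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
4625|2014-03-26T02:00:01|203.0.113.7|administrator|10
4625|2014-03-26T02:00:03|203.0.113.7|administrator|10
4625|2014-03-26T02:00:05|203.0.113.7|pos|10
4625|2014-03-26T02:00:07|203.0.113.7|pos|10
4625|2014-03-26T02:00:09|203.0.113.7|pos|10
4624|2014-03-26T02:00:12|203.0.113.7|pos|10
4625|2014-03-26T08:15:00|198.51.100.22|manager|10
4624|2014-03-26T08:15:20|198.51.100.22|manager|10
4624|2014-03-26T09:00:00|192.0.2.5|cashier|2
"""

LINE_RE = re.compile(r"^(\d{4})\|([^|]+)\|([^|]+)\|([^|]+)\|(\d+)$")

def parse_events(text):
    """Yield (event_id, timestamp, src_ip, account, logon_type); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))

def detect_rdp_bruteforce(text, threshold=5):
    """Flag source IPs with >= threshold failed RDP logons.
    'success_after' is True when a successful RDP logon from the same source
    follows its failures, the pattern that precedes PoS malware installation."""
    failures = defaultdict(list)      # src_ip -> list of (timestamp, account)
    success_after = {}                # src_ip -> True once a success follows failures
    for event_id, ts, src, account, logon_type in parse_events(text):
        if logon_type != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == "4625":
            failures[src].append((ts, account))
        elif event_id == "4624" and failures[src]:
            success_after[src] = True
    alerts = {}
    for src, fails in failures.items():
        if len(fails) >= threshold:
            alerts[src] = {
                "failures": len(fails),
                "accounts": sorted({acct for _, acct in fails}),
                "first_seen": fails[0][0],
                "success_after": success_after.get(src, False),
            }
    return alerts

if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

A single failure followed by a success (the manager at 198.51.100.22) stays below the threshold and is treated as a typo, while the interactive console logon is ignored because it is not RDP.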

The report from US-CERT, a joint effort by DHS, the U.S. Secret Service, the National Cybersecurity and Communications Integration Center, the Financial Services Information Sharing and Analysis Center and Trustwave, also lists a host of recommendations dealing with network security and protecting point-of-sale systems. For example, the report suggests organizations implement hardware-based point-to-point encryption for their cash registers and PoS systems.

A list of affected UPS Store locations is available online.


Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
