Security Experts:

PCI Security Standards Council Urges Retailers Take Action Against Point-of-Sale Malware

The Payment Card Industry (PCI) Security Standards Council is encouraging retailers to take steps to better protect themselves from the Backoff point-of-sale (PoS) malware that has been tied to attacks on 1,000 organizations.

The Backoff malware was the subject of a recent warning from the U.S. Secret Service and the Department of Homeland Security. It is part of a growing list of malware targeting point-of-sale systems that has sent the retail industry looking for answers.

According to the council, organizations should ensure they have the most recent and up-to-date antivirus protection against Backoff and similar malware and run it immediately. In addition, retailers should review all system logs for strange or unexplained activity, in particular any large data files being sent to unknown locations. Finally, the council recommends retailers change all default passwords on systems and applications.

In an advisory in July, the Department of Homeland Security noted that in many attacks, hackers are taking advantage of solutions such as Apple Remote Desktop, Splashtop 2 and Microsoft Remote Desktop to hijack computers by brute forcing the solution to gain access. Ultimately, after gaining access to a privileged account, the attackers deployed their malware.

"Our Trustwave researchers have identified and analyzed eight different versions of the Backoff malware thus far which means that the criminals are continuing to update it," said Karl Sigler, threat intelligence manager at Trustwave. "Criminals have primarily targeted third party vendors that sell and support PoS systems for businesses. They infect PoS systems with Backoff mainly by exploiting poor passwords for remote access support software. In many cases, the criminals scanned for those PoS systems that were opened up to the public internet and then logged into those with weak passwords."

"Now that the indicators of compromise (IoCs) are public, we expect to see more Backoff victims," he added. "IoCs are specific malware attributes that make them unique and identifiable, such as directory and file names, registry keys, network traffic and file hashes. Anti-virus vendors can use the IoCs to create signatures to flag the malware. Forensic professionals also use IoCs to identify the signs that indicate a Backoff breach."

In addition to its other recommendations, the council urged retailers to consider implementing PCI-approved point-of-interaction (POI) devices that support the secure reading and exchange (SRED) of data, which encrypts data at the point of capture and would prevent exposure of clear-text data within the ECR or similar POS systems.

"Merchants should also consider implementing a PCI-approved point-to-point encryption (P2PE) solution which includes SRED devices and protects the data until received by the secure decryption facility," according to the council's advisory. "Should systems be found to be infected or unusual activity suspected, organizations should contact their acquiring bank immediately."

Regarding malware specifically, the council said organizations should review the following security risk mitigating control areas outlined in PCI Data Security Standard (PCI DSS) 3.0:

 Proper firewall configuration – Requirement 1

 Changing vendor defaults and passwords on devices and systems – Requirement 2

 Regularly updating anti-virus protections – Requirement 5

 Patching systems – Requirement 6

 Limiting access and privileges to systems – Requirements 7,9

 Requiring 2-factor authentication and complex passwords – Requirement 8

 Inspection of POS devices – Requirement 9

 Monitoring systems to allow for quick detection – Requirements 10, 11

 Implementing sound security policies for preventing intrusions that may allow malware to be injected – Requirement 12

 Managing third party access to devices and systems, and specifically remote access from outside a merchant’s network –– Requirements 8, 12

"Businesses, whether in PoS or other industries, must not rely on antivirus and start taking a proactive approach in protecting their environment and (customer) data," advised Joe Schumacher, senior security consultant at Neohapsis Labs. "A proactive approach in securing the business technology starts with network isolation or adding secure layers between untrusted and trusted environments."

"IT operations," he continued, "should push the business to invest in secure, robust authentication methods that protect the accounts accessing the business network and data. Furthermore, some examples of processes that must be defined include, at minimum, vulnerability/patch management, secure configuration deployments, reviewing firewall rule sets and user provisioning."

view counter