RSA Report Dives Deep into Backoff PoS Malware

Researchers with EMC’s RSA Security Division have pulled back the covers from the Backoff malware in a new report.

The Backoff malware made a big splash in the world of cybercrime in 2014, emerging as one of the most notorious pieces of point-of-sale malware in the wild. In August, the U.S. Secret Service linked it to compromises at 1,000 U.S. businesses. It was also linked to attacks on Dairy Queen and the United Parcel Service (UPS).

The report offers details of the malware’s command and control infrastructure and how it operates. But perhaps more notably, it offers some indication that the attacker or attackers controlling the malware may be in India.

“While monitoring the main server of the Backoff Operation, we detected a few requests from someone accessing the C&C control panel,” according to the RSA report. “Tracing the IP address of the request led to a hosting server in the Netherlands, but at the same instance, his browser revealed the local time zone of his machine GMT+0530, which is unique for India Standard Time.”

In addition, while searching for additional Backoff samples, RSA encountered a sample in the VirusTotal site that wasn’t packed. When the researchers looked at the ‘Submissions’ tab, the binary was found to have come from India and its name was originally ‘output.exe’ “as if it was freshly created and output from the compiler,” the report notes.

“The goal of Backoff is to identify and steal credit card and transaction data through traditional memory scraping mechanisms also seen in other POS malware such as Alina, BlackPOS and Dexter,” blogged Jason Rader, director of cyber threat intelligence for RSA. “As usual, the malware uploads collected data to a hardcoded C2 that can also command the malware to update itself or download and install other malware.”

In October, security firm Damballa reported that detections of Backoff jumped 57 percent from August to September. During the month of September alone, Backoff infections increased 27 percent.

According to RSA, most of the Backoff infections are in the United States.

“Almost every business or store has security camera surveillance since many business owners, managers wish to monitor their business and their workers, and of course, they want to be able to do so remotely,” according to the RSA report. “Evidently and certainly not accidentally, a fairly large number of the infected IP addresses had cam surveillance services exposed. Our assumption is that the fraudsters figured out that the combination of RDP service and cam surveillance service both exposed to the internet provides a fairly logical indication of a possible business, and therefore a proper target.”

RSA also noted in the report that in addition to brute force attacks on RDP (remote desktop protocol) services, attackers have likely used additional techniques such as guessing default passwords for routers and cam surveillance control panels, and using known exploits against these services.
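The RDP brute forcing described above leaves a recognisable trace on the target: a burst of failed remote logons from one source address, often cycling through several usernames, sometimes followed by a success. The following is an added example (not code from the RSA report or from SecurityWeek) of a sliding-window detector for that pattern. The log lines and their five-field layout are constructed for this example and do not represent a real Windows event format; only logons whose type is "RemoteInteractive" (the RDP logon type) are counted.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "timestamp result user src_ip logon_type").
# 203.0.113.7 hammers RDP with five accounts and then gets in; 198.51.100.20 is a
# single typo by a legitimate user; 192.0.2.9 fails at the console, not over RDP.
SAMPLE_LOG = """\
2014-09-01T10:00:01Z FAIL administrator 203.0.113.7 RemoteInteractive
2014-09-01T10:00:02Z FAIL admin 203.0.113.7 RemoteInteractive
2014-09-01T10:00:03Z FAIL pos 203.0.113.7 RemoteInteractive
2014-09-01T10:00:04Z FAIL posadmin 203.0.113.7 RemoteInteractive
2014-09-01T10:00:05Z FAIL manager 203.0.113.7 RemoteInteractive
2014-09-01T10:00:06Z SUCCESS pos 203.0.113.7 RemoteInteractive
2014-09-01T10:05:00Z FAIL clerk 198.51.100.20 RemoteInteractive
2014-09-01T10:05:40Z SUCCESS clerk 198.51.100.20 RemoteInteractive
2014-09-01T11:00:00Z FAIL admin 192.0.2.9 Interactive
2014-09-01T11:00:01Z FAIL admin 192.0.2.9 Interactive
2014-09-01T11:00:02Z FAIL admin 192.0.2.9 Interactive
2014-09-01T11:00:03Z FAIL admin 192.0.2.9 Interactive
2014-09-01T11:00:04Z FAIL admin 192.0.2.9 Interactive
"""


@dataclass
class LogonEvent:
    ts: datetime
    result: str        # "FAIL" or "SUCCESS"
    user: str
    src_ip: str
    logon_type: str    # "RemoteInteractive" means the logon came in over RDP


def parse_log(text):
    """Parse the constructed five-field log format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, result, user, src_ip, logon_type = line.split()
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 result, user, src_ip, logon_type))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"failures": peak failures in one window,
                      "usernames": accounts tried by that IP,
                      "success_after_burst": True if a later RDP logon succeeded}}.
    A success after a burst is the case that needs the fastest response.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # src_ip -> usernames attempted
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != "RemoteInteractive":
            continue                      # console/network logons are out of scope here
        if ev.result == "FAIL":
            q = recent[ev.src_ip]
            q.append(ev.ts)
            tried[ev.src_ip].add(ev.user)
            while q and ev.ts - q[0] > window:
                q.popleft()               # drop failures that aged out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ev.src_ip, {"failures": 0, "usernames": set(),
                                                      "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["usernames"] |= tried[ev.src_ip]
        elif ev.result == "SUCCESS" and ev.src_ip in alerts:
            alerts[ev.src_ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, info["failures"], sorted(info["usernames"]), info["success_after_burst"])
```

Run against the sample, only 203.0.113.7 is reported, with five distinct usernames and a success following the burst; the console failures from 192.0.2.9 and the single mistyped password from 198.51.100.20 are not alerts. The threshold and window are deliberately parameters, since a point-of-sale environment with a handful of staff accounts can afford a far lower tolerance for remote logon failures than a general-purpose fleet.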

“The impact of a compromised POS system can affect both the businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and email addresses to criminal elements,” according to the RSA report. “These breaches can impact the business brand and reputation, while consumer information can be used to make fraudulent purchases and potentially compromise customer bank accounts. It’s critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise and to mitigate any damage that could be occurring now.”
