Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now. Hot on the heels of last week's article here on We Live Security, a new PoS malware warning was issued this week by Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), in partnership with the United States Secret Service (USSS), and the Financial Sector Information Sharing and Analysis Center (FS-ISAC) along with Trustwave Spiderlabs.
The malware, which had already been detected for some time by ESET (Win32/Spy.Agent.OKG), is referred to as “Backoff” by US-CERT. The technical details can be found in the US-CERT alert, and there is also a full report you can download as a PDF.
As with numerous other PoS malware attacks, infection by Backoff begins with brute forcing the login of admin or other privileged accounts on a wide range of remote desktop applications. This access is then used to establish command and control communication with the criminals executing these attacks. Once installed, the PoS malware performs RAM scraping and keystroke logging, and a malicious stub is injected into explorer.exe to achieve persistence.
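Because the intrusion chain above starts with password guessing against remote desktop logins, the earliest detection point a defender has is the burst of failed RDP logons that precedes the first success. The following Python script is an added example written for this article, not code from ESET or from the US-CERT report: it parses constructed log records modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), counts failures per source address inside a sliding window, and raises the severity when a success follows the burst. The record format, addresses and account names are all made up for the example; a real deployment would feed it from the Security event log or a SIEM export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log lines), modelled loosely on Windows
# Security events 4625 and 4624. LogonType 10 marks an RDP (RemoteInteractive)
# logon; the last record is a local failure and must be ignored by the detector.
SAMPLE_EVENTS = [
    "2014-07-31T02:00:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5",
    "2014-07-31T02:00:03 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5",
    "2014-07-31T02:00:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5",
    "2014-07-31T02:00:07 EventID=4625 LogonType=10 TargetUserName=posadmin IpAddress=203.0.113.5",
    "2014-07-31T02:00:09 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5",
    "2014-07-31T02:00:12 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5",
    "2014-07-31T02:00:20 EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5",
    "2014-07-31T08:15:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
    "2014-07-31T08:15:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
    "2014-07-31T09:00:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1",
]

# Hypothetical flat record layout used by the constructed samples above.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "eid": int(m.group("eid")),
        "logon_type": int(m.group("lt")),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside any `window`. A finding records the peak failure
    count, the account names tried, and whether a successful RDP logon from the
    same source followed the burst (escalated to severity "high")."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) for failed RDP logons
    findings = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only remote-desktop logons are of interest here
        q = recent[ev["ip"]]
        if ev["eid"] == 4625:
            q.append((ev["ts"], ev["user"]))
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ev["ip"], {
                    "failures": 0, "users": set(),
                    "severity": "medium", "success_after_burst": False,
                })
                f["failures"] = max(f["failures"], len(q))
                f["users"].update(user for _, user in q)
        elif ev["eid"] == 4624 and ev["ip"] in findings:
            # A success from a source that was just guessing is the signal that
            # the attacker now has a foothold; that is the case to page on.
            findings[ev["ip"]]["success_after_burst"] = True
            findings[ev["ip"]]["severity"] = "high"
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['failures']} failed RDP logons against {sorted(f['users'])}, "
              f"severity={f['severity']}, success_after_burst={f['success_after_burst']}")
```

Run against the samples, the script reports the single guessing source with its peak of six failures against three accounts and escalates it to "high" because a successful Administrator logon followed, while the one mistyped password from the ordinary user and the local failure produce nothing. The threshold and window are deliberately parameters: on a PoS network that is only ever administered from a handful of known addresses, a much lower threshold is reasonable, and any RDP success from an address outside that list is worth an alert on its own.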
The fact that such a detailed report was pushed out with a relatively loud alert underlines the seriousness of this type of attack for the retail industry, and the growing importance of implementing appropriate security measures, especially when remote desktop software is used on systems that have access to PoS devices. The Backoff warning specifically refers to the following remote desktop solutions: Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn Join.me.
Beyond those specific apps, it should be said that any sort of software that allows administrators to remotely access machines that are involved in financial transactions, or connected in any way to PoS systems, should be given extra scrutiny and protection against potential intruders. Check out our advice in last week's article on securing PoS systems, and seriously consider adding two-factor authentication to any systems or services that can touch your PoS systems.