More than a thousand U.S. businesses have been affected by point-of-sale malware - malicious software written specifically for online fraud - to steal information such as credit card details from companies and their customers.
The United States Computer Emergency Readiness Team issued a statement saying that the “Backoff” malware was rife in U.S. businesses, taking over administrator accounts and removing customer data from several hundreds of companies.
POS malware was a footnote in computing history until the Target breach, but the hi-tech online fraud now appears to be a growth industry. Ars Technica points out how quickly the software has evolved during the past two years, and emphasizes the direct impact on American consumers.
ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.” Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.
Online fraud: Shop terminals under attack
"Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the 'Backoff' malware," the advisory stated. "Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes."
The figure of 1,000 businesses comes from a Secret Service estimate, based on figures from vendors of POS software.
“Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected,” the advisory says.
Criminals target makers of software for shops
Ars refers to a recent attack, where the attackers were able to guess the password to the system,and installed the Backoff program. The malware disguises itself as an innocent Java component but ‘listens’ for credit card transactions, storing them and transmitting them to criminals, according to US-CERT's original advisory.
The US-CERT advisory advises companies, “Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.”