The Official Blog of United Solutions

The Core

'Backoff' Malware vs. Your Financial Institution

By: Shea Lambert

August 06, 2014

Backoff is one of the newest strains of malicious software to watch for. According to a recent American Banker article, retailers, credit unions and banks are all exposed to it in several ways. Read on for our take on the article: how Backoff works and what defenses you should put in place to protect your business.

What is 'Backoff'?

Backoff is one of countless malware variants in circulation, but it is aimed squarely at point-of-sale (POS) networks, where it steals payment card data. More than 600 retailers have reported being hit by it. Backoff-like malware is said to have been behind several of the recent high-profile retailer breaches, including those at Target, P.F. Chang's, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.

How does 'Backoff' work?

The attackers behind Backoff start by finding computers that expose a remote desktop service to the Internet. They then try to guess the login password by running through a list of candidate passwords until one works, a tactic called a brute force login. With a working account, often an administrator account, they log in and install Backoff on the point-of-sale system, or use that foothold to reach POS terminals elsewhere on the network. POS machines are often exposed to the Internet because their owners don't want the extra cost and management overhead of VPN software, said Joe Schumacher of Neohapsis, who is quoted in the article.

Once it is running on the POS terminal, Backoff scrapes the card "track" data (the contents of the magnetic stripe) from the memory of the POS software as shoppers swipe their cards, and it also logs keystrokes (for example, debit card PINs typed at the terminal). The stolen data is sent to a command-and-control server run by the perpetrators, who sell it or use it to make counterfeit cards. Visa and MasterCard typically make financial institutions absorb the losses from the resulting fraud; the credit union or bank then has to try to recoup the money from the merchant that was breached.
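To make the brute force step concrete, here is an added example (our illustration, not code from the American Banker article or from Neohapsis) of the detection logic a security team could run over Windows Security log records from a server that exposes Remote Desktop. It looks for a burst of failed RDP logons (event 4625, logon type 10) from one source address, and raises a second, louder alert if a successful RDP logon (event 4624) from that same address follows within the window: that is the moment a guess worked. The log records, the compact one-line record layout, the threshold of 20 failures in five minutes and the addresses are all constructed for the example.

```python
"""Spot an RDP brute force login from Windows Security log records.

Added example for this post, not code from the article or from Neohapsis.
Event 4625 = failed logon, 4624 = successful logon; logon type 10 =
RemoteInteractive, i.e. Remote Desktop.  All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20            # this many failures from one address ...
WINDOW = timedelta(minutes=5)  # ... inside this window is a brute force attempt


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    account: str
    source_ip: str
    logon_type: int


def parse_line(line):
    """Parse '<iso-timestamp> <event id> <account> <source ip> <logon type>'.

    This one-line layout is an assumption for the example; a real pipeline
    would pull the same fields out of the Security log's XML or a SIEM export.
    """
    ts, event_id, account, source_ip, logon_type = line.split()
    return LogonEvent(datetime.fromisoformat(ts), int(event_id), account,
                      source_ip, int(logon_type))


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert on source addresses with `threshold` failed RDP logons inside
    `window`, and alert again if such an address then logs in successfully."""
    recent_failures = defaultdict(list)   # source ip -> failure timestamps in window
    already_flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != 10:           # only Remote Desktop logons matter here
            continue
        failures = [t for t in recent_failures[ev.source_ip] if ev.ts - t <= window]
        recent_failures[ev.source_ip] = failures
        if ev.event_id == 4625:
            failures.append(ev.ts)
            if len(failures) >= threshold and ev.source_ip not in already_flagged:
                already_flagged.add(ev.source_ip)
                alerts.append({"kind": "rdp_brute_force", "source_ip": ev.source_ip,
                               "at": ev.ts, "failures": len(failures)})
        elif ev.event_id == 4624 and len(failures) >= threshold:
            # A success right after a burst of failures: one of the guesses worked.
            alerts.append({"kind": "rdp_success_after_brute_force",
                           "source_ip": ev.source_ip, "at": ev.ts,
                           "account": ev.account, "failures": len(failures)})
    return alerts


def build_sample_log():
    """Constructed records: 25 RDP failures ten seconds apart from one Internet
    address, cycling through guessed account names, then a successful logon as
    Administrator; plus benign noise from the office LAN."""
    start = datetime(2014, 8, 1, 2, 13, 0)
    guessed = ["Administrator", "admin", "pos", "manager"]
    lines = [f"{(start + timedelta(seconds=10 * i)).isoformat()} 4625 "
             f"{guessed[i % len(guessed)]} 203.0.113.7 10" for i in range(25)]
    lines.append(f"{(start + timedelta(seconds=250)).isoformat()} 4624 Administrator 203.0.113.7 10")
    # An employee mistypes once from the LAN, then logs in: one failure is not a burst.
    lines.append(f"{(start + timedelta(seconds=60)).isoformat()} 4625 jsmith 10.0.5.21 10")
    lines.append(f"{(start + timedelta(seconds=90)).isoformat()} 4624 jsmith 10.0.5.21 10")
    # A network (type 3) logon failure is not RDP and is ignored by the detector.
    lines.append(f"{(start + timedelta(seconds=120)).isoformat()} 4625 svc_backup 10.0.5.9 3")
    return lines


def run_sample():
    return detect_rdp_bruteforce(parse_line(line) for line in build_sample_log())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)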

Why should you be concerned?

The attackers behind Backoff scan the Internet for computers running remote desktop tools, which let a user control one machine from another over the network. Examples include Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop and LogMeIn.

Like most companies, financial institutions have employees who use these tools. When the attackers find a computer running such a tool, they or an accomplice piece of malware will try to break in, typically by brute forcing the login. Malware also arrives through 'phishing', an email that prompts the user to click a link that downloads it, or through a "drive-by download," in which a user browsing the Internet lands on a compromised site that silently downloads malware to her computer.

Backoff's ability to record keystrokes could also be used to break into a commercial bank account. If the attackers find an infected machine belonging to someone in accounts payable, they wait until that person visits the financial institution's website, capture the user name and password as they are typed, then log in themselves and wire money out. The money is often sent across the world, frequently to Eastern Europe, and it's gone.

Backoff could also be used to hunt for other valuable things to steal. Once a computer is infected, the malware could harvest passwords, send spam, or help launch distributed denial of service (DDoS) attacks.

Financial institutions can also be affected by Backoff through their non-merchant customers. An online banking user with a Windows XP, 7 or 8 computer could be targeted through the Remote Desktop tools that come with Windows if Remote Desktop is enabled and reachable from the Internet.

If Backoff gets onto the machine, it can lurk, recording keystrokes, until the user logs into a banking site. It could then capture the credentials or, like the Zeus banking Trojan, inject custom-made messages into the browser so the user is tricked into entering more details.

How can you prevent a Backoff attack?

The most obvious preventive measure, antivirus software, does not always help. While antivirus does stop the "50% of low-hanging, easy attacks," it did not detect the first wave of Backoff.

A key issue for credit unions and banks is managing their networks properly. Our network team agrees with Joe Schumacher of Neohapsis: "You never want to have an infrastructure component be publicly accessible. You want to have a VPN that your employees log into with two-factor authentication, and then from there access the remote desktop."

The Top 4 Things You Can Do to Prevent a Backoff Attack:

1. The top measure to protect a financial institution from Backoff is to find every remote desktop service in use and place it behind a firewall, so that it is not reachable directly from the Internet.

2. Next, put a virtual private network in front of it and require two-factor authentication to connect, so that remote desktop is only reachable after a VPN login.

3. Require strong passwords, change any default or vendor-supplied passwords on POS systems, and lock accounts after a small number of failed logins, so that brute force attacks run out of guesses.

4. Monitor outbound network traffic, because outbound traffic is where you will see data exfiltration. A POS terminal only needs to talk to a short list of destinations (its payment processor, its update server), so anything else leaving that segment deserves a look.
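As an added example of the fourth item (our illustration, not code from the article or from Neohapsis), the script below audits firewall connection logs for a point-of-sale network segment. It starts from the assumption that POS terminals only ever need to reach a short allow-list of destinations, flags any connection from the POS segment to anything else, and then checks the flagged destinations for beaconing, the evenly spaced connections malware makes when it checks in with its command-and-control server. The log lines and their layout, the 10.20.0.0/24 POS segment, the allow-listed networks and the 60-second check-in interval are all constructed for the example.

```python
"""Audit outbound connections from a POS network segment.

Added example for this post, not the article's or Neohapsis' code.  The log
layout, addresses, allow-list and intervals are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Assumed network layout: the POS terminals live in one segment and only ever
# need to reach the payment processor and an internal update server.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOW_LIST = [
    ipaddress.ip_network("198.51.100.0/24"),   # constructed: payment processor
    ipaddress.ip_network("10.1.1.10/32"),      # constructed: internal update server
]


@dataclass
class Flow:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse '<iso-timestamp> <src ip> <dst ip> <dst port>' (assumed layout of
    a firewall connection log export)."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport))


def is_allowed(dst):
    return any(dst in net for net in EGRESS_ALLOW_LIST)


def audit_pos_egress(flows, min_hits=5, max_jitter_seconds=5.0):
    """Return (violations, beacons).

    violations: every (src, dst, dport, count) where a POS host talked to a
    destination outside the allow-list.
    beacons: the subset with at least `min_hits` connections whose spacing
    varies by no more than `max_jitter_seconds`, i.e. a likely C2 check-in.
    """
    by_tuple = defaultdict(list)
    for f in flows:
        if f.src in POS_SEGMENT and not is_allowed(f.dst):
            by_tuple[(str(f.src), str(f.dst), f.dport)].append(f.ts)

    violations, beacons = [], []
    for key, stamps in sorted(by_tuple.items()):
        violations.append((*key, len(stamps)))
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if pstdev(gaps) <= max_jitter_seconds:
                beacons.append((*key, mean(gaps)))
    return violations, beacons


def build_sample_log():
    """Constructed connection log for one early morning.
    A POS terminal checks in with an unknown Internet host every 60 seconds
    (the beacon), makes its normal calls to the processor, and once reaches
    another unknown host; a second terminal pulls updates; a back-office PC
    outside the POS segment browses the web and is out of scope here."""
    base = datetime(2014, 8, 1, 3, 0, 0)
    lines = [f"{base.replace(minute=m).isoformat()} 10.20.0.15 203.0.113.50 80"
             for m in range(0, 8)]
    lines += [f"{base.replace(minute=m).isoformat()} 10.20.0.15 198.51.100.12 443"
              for m in (2, 5, 9)]
    lines.append(f"{base.replace(minute=4, second=17).isoformat()} 10.20.0.15 203.0.113.77 443")
    lines.append(f"{base.replace(minute=3).isoformat()} 10.20.0.22 10.1.1.10 80")
    lines.append(f"{base.replace(minute=6).isoformat()} 10.0.5.21 203.0.113.9 443")
    return lines


def run_sample():
    return audit_pos_egress(parse_flow(line) for line in build_sample_log())


if __name__ == "__main__":
    violations, beacons = run_sample()
    for v in violations:
        print("outside allow-list:", v)
    for b in beacons:
        print("possible beacon   :", b)
```

On the constructed log the audit reports two destinations the POS terminal should never have reached, and singles out the one it contacted every 60 seconds as a probable check-in. The allow-list is deliberately the whole policy: a POS segment with a short, known set of legitimate destinations makes "everything else" a useful alert rather than noise, which is why the tightened egress rules belong on the firewall as well as in the monitoring.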

Shea Lambert

Shea Lambert has been with United Solutions for nearly 14 years. The creative force behind the development and design of new applications and systems at the company, he is also responsible for client security, as well as responding to client needs around the clock.