Backoff Has Been Upgraded: Harder to Detect
November 07, 2014
So when you are a hacker and you write the most successful financial transaction hacking software in history, what do you do next?
Well, if you are the makers of Backoff, you upgrade it.
A New Version of Backoff
There is a new version of Backoff that has been found, and it is called “ROM” or “Backoff ROM”. Like its predecessor, it is designed to steal credit card data from POS systems and send that data to servers on the Internet.
The reason that Backoff ROM is making such a splash is that the communication channel it uses (unlike previous versions) is encrypted. Therefore, several of the successful mechanisms that were used to detect the software and the transmission of credit card data will no longer work.
In other words, it just became more difficult for users to even detect that they have the malware than it was before.
The original software sent data in clear text, and by using a network “sniffer” or Intrusion Detection System it was possible to examine the data traveling over the network, detect credit cards in the stream, and prevent the malicious traffic. Now that Backoff ROM has the ability to encrypt that data, this methodology will no longer work. To a network scanner, encrypted data looks like gibberish.
Therefore, finding a pattern that can be matched up to a credit card is nearly impossible.
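As an added example (not code from the original article), the following shows the kind of clear-text card-number detection described above, a digit-run pattern plus a Luhn check, run over a constructed sample stream and then over the same bytes after a stand-in encryption (a fixed-key XOR standing in for whatever cipher the malware uses). The card number is a public Visa test number, and the sample HTTP upload is constructed for this demo.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed sample of a clear-text exfiltration stream: payment data
# mixed with ordinary text. The PAN is a public Visa test number.
CLEAR_TEXT_STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"name=JOHN DOE&pan=4111111111111111&exp=1216&amt=19.99"
)

# 13- to 19-digit runs, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(stream: bytes) -> List[str]:
    """Return Luhn-valid card-number-like strings found in a byte stream."""
    found = []
    for m in PAN_CANDIDATE.finditer(stream):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_valid(digits):
            found.append(digits)
    return found

def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the malware's encryption (constructed for the demo):
    a repeating-key XOR. Any real cipher defeats a pattern matcher the same way."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def demo() -> Tuple[List[str], List[str]]:
    """Run the detector over the clear-text stream and its encrypted form."""
    key = hashlib.sha256(b"constructed demo key").digest()
    clear_hits = find_pans(CLEAR_TEXT_STREAM)
    encrypted_hits = find_pans(xor_encrypt(CLEAR_TEXT_STREAM, key))
    return clear_hits, encrypted_hits

if __name__ == "__main__":
    clear, enc = demo()
    print("clear-text stream hits:", clear)   # ['4111111111111111']
    print("encrypted stream hits:", enc)      # []
```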
Protect Remote Access
So does that mean it is not possible to prevent Backoff ROM? Does everyone who runs a POS system have little to no defense?
The answer is no. You can protect yourself against this threat because Backoff ROM and Backoff have the same basic architecture when it comes to deployment and data exfiltration.
As we stated in our previous blog article about Backoff, the malware is not infectious. This means that it is not a computer virus that can cripple a machine just because a user goes to a dangerous web page. Instead, Backoff must be installed, much like any other application that you would use for legitimate purposes. Therefore, the most common way that Backoff and its latest variants infiltrate a system is through the use of insecure remote access.
The Department of Homeland Security brief about Backoff points out that the majority of the 1000 businesses affected by Backoff were compromised through the use of remote access that did not have enough security measures in place.
Therefore, the first step is to use good security for remote access. It should require complex passwords, use two-factor authentication, be assigned to individual users, and have a mechanism to log access. Requirement 8 of the Payment Card Industry Data Security Standard (PCI DSS) has many components which, had they all been followed, would have prevented numerous cases where Backoff managed to penetrate a network.
Click here for a look at the PCI standard if you want to know what the payment card brands expect that you will be doing if you run a retail establishment.
Limit Access to and From the Internet
For the most part, Backoff and Backoff ROM try to capture credit cards in the stream of a POS transaction and then send that data over the Internet. With Backoff ROM, that transmission is now harder to read because it is encrypted, but you can still limit where on the Internet your systems can send data.
Therefore, having restrictive firewall rules that limit outbound traffic from within your point of sale network will be critical in the event that you do have an installation of Backoff on your systems. Strong firewall rules that only allow traffic to known sites will be a great measure that you can take to protect your network from Backoff.
This is why PCI requires (as its first Requirement) strong firewall management.
The Netsurion Difference
Our customers have had no data stolen by Backoff because the security measures that are most effective against this software are part of our PCI compliance solutions:
- Global Security Mesh – The Netsurion Managed Firewall solution that limits outbound traffic from the payment environment
- Remote Access SSL VPN – Our remote access VPN solution that creates a VPN tunnel after two-factor authentication. It exceeds the needs as defined by PCI.
- IP Data Blocker with DNS Blocking – Our least access default policy along with our DNS proxy service which severely limits the effectiveness of malware trying to exfiltrate data from a computer network.