Point of Sale (POS) Malware

Jonathan Trull, Chief Information Security Officer


Cyber criminals continue to successfully target and compromise Point-of-Sale (POS) systems, oftentimes stealing millions of credit card records before being discovered.  On July 31, 2014, the United States Computer Emergency Readiness Team, or US-CERT, issued an alert on “Backoff” POS malware. 

Backoff is a family of malware that has been discovered during several breach investigations targeting POS systems.  Backoff typically contains the following capabilities:

  • Scraping memory for track data
  • Logging keystrokes
  • Command & control (C2) communication
  • Injecting malicious stub into explorer.exe

To install the malware on the POS system, most attackers first scan retailers’ networks to identify remote administration services that are enabled and accessible from the Internet – e.g., windows remote desktop.   The attacker then conducts a brute force attack against the services, often compromising an administrator’s account.  Using the administrator’s account, the backoff malware is installed and then credit card data is exfiltrated over an encrypted path.

If you work or consult for companies with POS systems, I highly recommend that you visit https://www.us-cert.gov/ncas/alerts/TA14-212A and take the following immediate steps:  (1) configure your systems to look for the indicators of compromise listed in the alert, and (2) implement stringent lockout procedures and two-factor authentication for all remote administration tools and services.

In Regis University’s M.S. in Information Assurance program, you’ll learn ways to better protect your company’s data and network to ensure attackers aren’t successful with malware like Backoff.