Point-of-Sale attacks are back in the news. But they never really left us. In the wake of the Target attack, the FBI issued a bulletin in January warning about future incidents. They identified the malware type (RAM scrapers) and the infection vector (phish mails, and compromised websites or “watering holes”). And they even pointed out that some of the malware can be obtained on the black market.
Then Backoff started making headlines when it was reported that this PoS malware was responsible for a recent spate of attacks on high-profile targets. The US Secret Service along with Homeland Security had been on the case earlier, issuing a warning late last month with more specifics on the mechanics of the attack. They revealed that Backoff had affected over 1,000 businesses.
Major companies only recently came forward to say they had been victims.
If you look more closely at the Secret Service warning, the details should seem depressingly similar to the Target episode.
The attackers likely took advantage of weak passwords, liberal lockout policies, admin privilege availability on user machines, and remote networking capabilities.
Another way to say all this is that once they entered—by phishing or some other means—they were able to move laterally, elevate privileges, and deposit RAM scraper software on a PoS server. We also know that Backoff and some other auxiliary malware were using explorer.exe as a kind of stub to hide from IT security monitoring.
How was the credit card data ultimately removed or exfiltrated?
Based on the analysis of some of the earlier Backoff variants, the warning indicates that Command and Control (C2) software exploited the HTTP protocol to hide data going to and from the target. C2, of course, was probably used in the Target exploit.
In short: there’s nothing new here.
I suppose it won’t surprise you that the Secret Service recommends two-factor authentication, greatly restricting remote desktop access, implementing software to “detect anomalous behavior by legitimate users (compromised credentials)”, and enforcing “least privileges and ACLs on users and applications on the system”. Didn’t think so!
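As an added illustration (not from the original post or the Secret Service warning) of the kind of anomaly detection recommended above, the Python below scans constructed Windows-style logon events for an account that fails RDP logon repeatedly and then succeeds from the same source, which is exactly the pattern a liberal lockout policy leaves room for. Event IDs 4624/4625 and logon type 10 are the standard Windows Security log values; the sample events, account names and addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), in Windows Security log terms:
# (timestamp, EventID, LogonType, account, source address)
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    ("2014-08-01T02:00:01", 4625, 10, "pos-svc", "203.0.113.9"),
    ("2014-08-01T02:00:07", 4625, 10, "pos-svc", "203.0.113.9"),
    ("2014-08-01T02:00:13", 4625, 10, "pos-svc", "203.0.113.9"),
    ("2014-08-01T02:00:20", 4625, 10, "pos-svc", "203.0.113.9"),
    ("2014-08-01T02:00:26", 4625, 10, "pos-svc", "203.0.113.9"),
    ("2014-08-01T02:00:31", 4624, 10, "pos-svc", "203.0.113.9"),
    # A user mistyping a password once is normal and must not alert.
    ("2014-08-01T09:15:00", 4625, 10, "jsmith", "198.51.100.4"),
    ("2014-08-01T09:15:30", 4624, 10, "jsmith", "198.51.100.4"),
]


def find_guessing_then_success(events, max_failures=5, window=timedelta(minutes=10)):
    """Return (account, source, failure_count) for every RDP success that was
    preceded, within `window`, by at least `max_failures` RDP failures from the
    same source. A lockout policy that tolerates this many attempts leaves the
    door open; an alert here is a compromised-credential signal worth triage."""
    failures = defaultdict(deque)  # (account, source) -> timestamps of failures
    alerts = []
    for ts, event_id, logon_type, account, source in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        when = datetime.fromisoformat(ts)
        recent = failures[(account, source)]
        while recent and when - recent[0] > window:  # forget stale failures
            recent.popleft()
        if event_id == 4625:
            recent.append(when)
        elif event_id == 4624 and len(recent) >= max_failures:
            alerts.append((account, source, len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for account, source, count in find_guessing_then_success(SAMPLE_EVENTS):
        print(f"ALERT: {account} logged in via RDP from {source} after {count} failures")
```

Lowering `max_failures` to match the lockout threshold actually configured on the PoS hosts turns this into a check that the policy is doing its job.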
The striking and unsettling fact is that even after Target and the other big retail incidents from last year had rattled all of us, the same vulnerabilities are still successfully being exploited even at very large companies.