Three Steps Retailers Should Take to Protect Against Backoff Malware

By Deena Coffman, IDT911 Consulting

Retailers working to improve their security posture have a new threat to consider: Backoff malware. Although its appearances have been traced back as early as October 2013, Backoff is still inflicting harm in the retail sector by actively targeting point-of-sale systems, and the United States is its favorite target, according to TrendMicro’s analysis.

The malware relies heavily on remote desktop tools to gain access to deep-level assets. Needing an initial entry point on just one computer on the network, which happens easily when employees browse the Internet, Backoff takes up residence when an employee clicks on infected links in phishing emails or visits compromised websites. Either way, Backoff is quietly downloaded inside the enterprise network, and quickly goes to work.

Once Backoff has entered a computer, it launches a brute force attack designed to discover the password for installed remote desktop tools. (Many variants of Backoff contain a keystroke logger, which can also capture account credentials.) Some of the most popular enterprise-level remote desktop programs may be vulnerable to Backoff, including platforms offered by Apple, Microsoft and Google. With the remote desktop software compromised, Backoff is then able to go after higher-value targets within and across the network. POS systems—full of tantalizing payment card data—are Backoff’s primary collection and exfiltration objectives.

Because Backoff captures keystrokes and information in volatile memory, it evades the defenses that come with PCI compliance: it collects customer and track data from memory rather than from encrypted storage areas. Backoff is able to maintain a presence even if it crashes or is forcibly stopped, and until fairly recently it could not be detected by anti-virus protections. At least 600 U.S. retailers have reportedly been infected so far.

How Backoff will affect the retail landscape

For organizations with large geographic footprints, what may begin as a relatively contained breach can quickly escalate to a situation that impacts sales across the entire store portfolio. The full scope of threats posed by Backoff is still emerging. In fact, it would be unwise to assume Backoff is being used to its full potential.

Three tips for protecting your organization from Backoff

Approaching data security from several angles, also known as “defense in depth,” is the best strategy. Just a few recommended measures include:

1. Implement defensive measures. Train employees how to browse the Internet and to avoid phishing and pharming. Limit administrative privileges and configure account lockout so that brute force attacks on account credentials cause the account to be locked. Alert on lockout events and investigate the ones that appear in reports. Keep antivirus and antimalware software up to date.

2. Consider implementing multifactor or at least two-step authentication for accounts with access to sensitive or protected information.

3. Carry out a security assessment to determine where existing systems may have security weaknesses that may be vulnerable to Backoff or areas where malware such as Backoff has already gained entry. Examine all remote access connections and firewalls and change default account credentials and settings. Keep sensitive data segregated from operational information that is likely accessed frequently and by wide groups of users.
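Tip 1 asks for alerting on brute-force activity against remote desktop accounts. The following is an added example (not the author's or any vendor's code) of the detection logic run over a constructed, generic failed-login log; real remote desktop products log these fields in their own formats, so the parser is an assumption to adapt.

```python
# Added example (not the article's code): flag remote-desktop brute-force
# bursts in failed-login logs. The log format below is constructed and generic.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample: one source hammers 'posadmin' and then gets in; 'clerk' mistypes once.
SAMPLE_LOG = """\
2014-10-01T09:00:01 LOGIN_FAILED user=posadmin src=10.0.5.23
2014-10-01T09:00:02 LOGIN_FAILED user=posadmin src=10.0.5.23
2014-10-01T09:00:03 LOGIN_FAILED user=posadmin src=10.0.5.23
2014-10-01T09:00:04 LOGIN_FAILED user=posadmin src=10.0.5.23
2014-10-01T09:00:05 LOGIN_FAILED user=posadmin src=10.0.5.23
2014-10-01T09:00:06 LOGIN_OK user=posadmin src=10.0.5.23
2014-10-01T09:15:00 LOGIN_FAILED user=clerk src=10.0.7.8
2014-10-01T09:15:20 LOGIN_OK user=clerk src=10.0.7.8
"""

LINE_RE = re.compile(r"(\S+) (\S+) user=(\S+) src=(\S+)")

def parse_line(line):
    """Return (timestamp, event, user, src), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on (user, src) pairs with >= threshold failures inside a sliding
    time window, and on any success that follows such a burst."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, src = parsed
        key = (user, src)
        q = recent[key]
        while q and ts - q[0] > window:  # expire failures outside the window
            q.popleft()
        if event == "LOGIN_FAILED":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("BRUTE_FORCE", user, src, len(q)))
        elif event == "LOGIN_OK" and key in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", user, src, len(q)))
    return alerts
```

A success immediately after a flagged burst is the higher-priority alert, since it suggests the password was guessed rather than merely attempted.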

What to do if you have a breach

Mounting an effective and expedient response to a breach is crucial. Not only will it help to stop the attack and prevent additional consumer data from being stolen, it’s also instrumental in minimizing the reputational harm that can befall a compromised retailer.

• Partner with an experienced incident response team to determine what happened, eradicate the malware and restore operations. In the case of something as stubborn as Backoff—where the threat is specifically designed to resist attempts to scrub it from the system—it’s crucial that all instances of the malware be correctly and completely removed to prevent additional exposures.

• Set up a call center to keep affected customers and employees informed. This helps to reassure the employees and customers that they are receiving accurate and authentic information about the breach, and it gives your organization the opportunity to maintain tight control over all public-facing communications.

• Because employees are a crucial component in protecting against Backoff, it’s prudent to examine the organization’s current security training and awareness program. Training and communication should be current, periodic and tailored to the role of the employees receiving the communication or training. One-size-fits-all online training delivered once a year is not enough to train an entire workforce on such an important and dynamic protocol.

Deena Coffman is CEO of IDT911 Consulting, a subsidiary of IDT911, a leading consultative provider of identity and data risk management, resolution and education services. IDT911 Consulting provides information security and data privacy services to help businesses avert or respond to a data loss incident. She can be reached at
