Three Steps Retailers Should Take to Protect Against Backoff Malware
By Deena Coffman, IDT911 Consulting
Retailers working to improve their security posture have a new threat to consider: Backoff malware. Although its appearances have been traced back as early as October 2013, Backoff is still inflicting harm in the retail sector by actively targeting point-of-sale systems, and the United States is its favorite target, according to Trend Micro’s analysis.
The malware relies heavily on remote desktop tools to gain access to deep-level assets. Needing an initial entry point on just one computer on the network, which happens easily when employees browse the Internet, Backoff takes up residence when an employee clicks on infected links in phishing emails or visits compromised websites. Either way, Backoff is quietly downloaded inside the enterprise network, and quickly goes to work.
Once Backoff has entered a computer, it launches a brute force attack designed to discover the password for installed remote desktop tools. (Many variants of Backoff contain a keystroke logger, which can also capture account credentials.) Some of the most popular enterprise-level remote desktop programs may be vulnerable to Backoff, including platforms offered by Apple, Microsoft and Google. With the remote desktop software compromised, Backoff is then able to go after higher-value targets within and across the network. POS systems—full of tantalizing payment card data—are Backoff’s primary collection and exfiltration objectives.
Because Backoff captures keystrokes and information in volatile memory, it sidesteps the defenses that come with PCI compliance: it collects customer and track data from memory rather than from encrypted storage. Backoff is able to maintain a presence even if it crashes or is forcibly stopped, and until fairly recently anti-virus products could not detect it. At least 600 U.S. retailers have reportedly been infected so far.
How Backoff will affect the retail landscape
For organizations with large geographic footprints, what may begin as a relatively contained breach can quickly escalate to a situation that impacts sales across the entire store portfolio. The full scope of threats posed by Backoff is still emerging. In fact, it would be unwise to assume Backoff is being used to its full potential.
Three tips for protecting your organization from Backoff
Approaching data security from several angles, also known as “defense in depth,” is the best strategy. Just a few recommended measures include:
1. Implement defensive measures. Train employees how to browse the Internet and how to avoid phishing and pharming. Limit administrative privileges and configure account lockout so that a brute force attack on account credentials locks the account. Alert on lockout events and investigate every event that appears in those reports. Keep antivirus and antimalware software up to date.
2. Consider implementing multifactor or at least two-step authentication for accounts with access to sensitive or protected information.
3. Carry out a security assessment to find weaknesses in existing systems that Backoff could exploit, and areas where malware such as Backoff has already gained entry. Examine all remote access connections and firewalls, and change default account credentials and settings. Keep sensitive data segregated from operational information that is likely to be accessed frequently and by wide groups of users.
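The first tip above asks for alerting on lockouts and on the brute-force attempts that precede them. The following is an added example, not code from the article or from IDT911, of the detection logic a defender could run over Windows Security event records. The event IDs and logon type are real Windows values (4625 = failed logon, 4740 = account locked out, logon type 10 = RemoteInteractive, i.e. RDP); the log lines, the pipe-delimited record format and the five-failures-in-five-minutes threshold are constructed assumptions for the example.

```python
"""Flag RDP brute-force bursts and account lockouts from Windows Security events.

Added example, not part of the original article. Event IDs and logon type are
real Windows values; the sample log, its pipe-delimited layout and the
threshold/window are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp|event_id|account|source_ip|logon_type
SAMPLE_LOG = """\
2014-08-20T02:14:01|4625|pos-admin|198.51.100.23|10
2014-08-20T02:14:03|4625|pos-admin|198.51.100.23|10
2014-08-20T02:14:04|4625|pos-admin|198.51.100.23|10
2014-08-20T02:14:06|4625|pos-admin|198.51.100.23|10
2014-08-20T02:14:07|4625|pos-admin|198.51.100.23|10
2014-08-20T02:14:09|4740|pos-admin|198.51.100.23|-
2014-08-20T02:30:00|4625|jsmith|10.0.5.17|2
2014-08-20T09:00:00|4624|jsmith|10.0.5.17|2
"""

FAILED_LOGON = "4625"       # Windows: an account failed to log on
ACCOUNT_LOCKOUT = "4740"    # Windows: a user account was locked out
RDP_LOGON_TYPE = "10"       # Windows: RemoteInteractive (Remote Desktop)
THRESHOLD = 5               # assumption: failures per source IP within the window
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one constructed record into a dict with a parsed timestamp."""
    ts, event_id, account, source_ip, logon_type = line.split("|")
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "source_ip": source_ip, "logon_type": logon_type}


def analyze(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in log order, from two rules:
    - rdp_bruteforce: at least `threshold` failed RDP logons from one source
      IP inside a sliding `window` (fires once per source per burst)
    - account_lockout: every 4740, which the article says to alert on outright
    """
    alerts = []
    recent = defaultdict(deque)   # source_ip -> timestamps of recent RDP failures
    fired = set()                 # sources already reported for the current burst
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event_id"] == ACCOUNT_LOCKOUT:
            alerts.append({"rule": "account_lockout", "account": ev["account"],
                           "source_ip": ev["source_ip"], "time": ev["time"]})
        elif ev["event_id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            q = recent[ev["source_ip"]]
            q.append(ev["time"])
            # drop failures that fell out of the sliding window
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["source_ip"] not in fired:
                fired.add(ev["source_ip"])
                alerts.append({"rule": "rdp_bruteforce", "source_ip": ev["source_ip"],
                               "account": ev["account"], "count": len(q),
                               "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the burst from 198.51.100.23 produces one brute-force alert on the fifth failure and the 4740 that follows produces a lockout alert; the interactive (type 2) failure from jsmith is ignored by the RDP rule. In a real deployment the same two rules would be fed from the domain controllers and the POS hosts' Security logs rather than from an embedded string.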
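The second tip recommends two-step authentication for accounts that reach sensitive data. To make concrete what that second step involves, here is an added example, not from the article or from IDT911, of the time-based one-time password scheme (RFC 6238 TOTP over RFC 4226 HOTP) that common authenticator apps implement: HMAC-SHA1 over a 30-second time counter, dynamic truncation to six digits, and a verifier that tolerates one step of clock skew. The shared secret is the RFC 6238 test-vector key; the skew tolerance is an assumption.

```python
"""Minimal RFC 6238 TOTP generation and verification (HMAC-SHA1, 30 s, 6 digits).

Added example, not part of the original article. SECRET is the RFC 4226/6238
test-vector key so the outputs can be checked against the RFCs; the one-step
skew tolerance in verify() is an assumption.
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 (SHA-1) reference key
STEP = 30                          # seconds per time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret, submitted, unix_time, tolerance=1, step=STEP):
    """Accept the code for the current step and `tolerance` steps either side,
    comparing in constant time so timing does not reveal partial matches."""
    counter = int(unix_time) // step
    for delta in range(-tolerance, tolerance + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(SECRET, now)
    print("current code:", code, "verifies:", verify(SECRET, code, now))
```

The provisioned secret is the sensitive part: it must be generated per user from a cryptographically secure source and stored as carefully as a password hash, and the verifier should rate-limit attempts, since a six-digit code with a three-step window is only guessable if the server lets an attacker try many codes.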
What to do if you have a breach
Mounting an effective and expedient response to a breach is crucial. Not only will it help to stop the attack and prevent additional consumer data from being stolen, it’s also instrumental in minimizing the reputational harm that can befall a compromised retailer.
• Partner with an experienced incident response team to determine what happened, eradicate the malware and restore operations. In the case of something as stubborn as Backoff—where the threat is specifically designed to resist attempts to scrub it from the system—it’s crucial that all instances of the malware be correctly and completely removed to prevent additional exposures.
• Set up a call center to keep affected customers and employees informed. This helps to reassure the employees and customers that they are receiving accurate and authentic information about the breach, and it gives your organization the opportunity to maintain tight control over all public-facing communications.
• Because employees are a crucial component in protecting against Backoff, it’s prudent to examine the organization’s current security training and awareness program. Training and communication should be current, periodic and tailored to the role of the employees receiving the communication or training. One-size-fits-all online training delivered once a year is not enough to train an entire workforce on such an important and dynamic protocol.
Deena Coffman is CEO of IDT911 Consulting, a subsidiary of IDT911, a leading consultative provider of identity and data risk management, resolution and education services. IDT911 Consulting provides information security and data privacy services to help businesses avert or respond to a data loss incident. She can be reached at [email protected].
Aaron’s names interim chief to replace retiring CEO
Atlanta — Rent-to-own chain Aaron’s, Inc. has named its current CFO Gilbert L. Danielson to the position of interim chief executive officer, following the retirement of current CEO Ronald W. Allen on Aug. 31.
Danielson will also retain his CFO responsibilities during the interim period and will not be a candidate for the permanent CEO role, said the company. A formal search, led by Spencer Stuart, is underway and includes a review of both internal and external candidates.
Ex-Aeropostale exec gets eight years prison sentence over kickbacks
New York — Christopher Finazzo, former executive VP and chief merchandising officer for Aeropostale, has been sentenced to eight years in prison after being convicted of defrauding the company and taking more than $25 million in kickbacks from a key vendor.
Finazzo, who was found guilty in April 2013 of 14 counts of mail fraud, wire fraud and conspiracy, was also ordered to forfeit more than $25 million and pay the company $13.7 million in restitution.
Prosecutors said Finazzo entered into an illegal deal with Douglas Dey, a movie producer and the owner of South Bay Apparel, a firm that was once a major clothing supplier for Aeropostale. Under the deal, Finazzo from 1996 to 2006 allegedly caused the company to buy more than $350 million in T-shirt and fleece items from South Bay on behalf of Aeropostale in exchange for about 50% of the vendor’s profits.
Prosecutors said the scheme enabled Finazzo to collect more than $25 million in kickbacks from South Bay.