North American Businesses Rife With Point-of-Sale System Malware, Researchers Say


Infections of point-of-sale systems with credit-card-stealing malware are wide-ranging and extensive among North American businesses, according to researchers monitoring one of hundreds of servers communicating with infected systems.

Kaspersky Lab researchers observed more than 100 victims of the Backoff POS memory-scraping Trojan connecting to two command-and-control servers over the past few days. Nearly all the infections were in the U.S. and Canada.

In addition to restaurants and liquor stores, the victim merchants include a global freight logistics firm, a nonprofit organization and an office management firm, highlighting the pervasiveness of malware of this type, which came to light following the massive credit-card breach last November at retail giant Target Corp.

"It's a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000," Kaspersky Lab said in its analysis of its observations released Friday.

Kaspersky Lab said its analysis covers less than 5 percent of the command-and-control servers that support a handful of the various Backoff malware variants created between January and March. Security experts say a spate of high-profile retail data breaches has created significant growth for IT security technologies in the retail industry, where, until now, sales have been largely driven by PCI compliance rules.

Backoff works by remotely exploiting business administrator accounts and then triggering every 10 or 15 seconds, silently stealing consumer payment data. The Secret Service currently estimates that more than 1,000 U.S. businesses are affected by Backoff, according to a Department of Homeland Security advisory issued Aug. 22. DHS recommended that merchants assess whether their POS systems are vulnerable or compromised.

"Reporting continues on additional compromised locations involving private sector entities of all sizes," according to the advisory. "The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this PoS malware."

Investigators identified similar malware, called BlackPOS, on Target's payment systems. Memory-scraping malware has been available for years and has been highly successful because retailers have a serious problem addressing the security of their transaction systems without impeding the payment process, said Nir Valtman, co-founder and chief technology officer of security testing firm Crowdome. Solutions are costly, Valtman said, speaking to attendees this month at the 2014 Black Hat Briefings in Las Vegas.

"The magic solution is not in the software; it is in the hardware," Valtman said. "There is a way to encrypt the hardware from the pin pad, but it costs a lot of money."

Merchants are having a difficult time keeping payment systems segmented from the rest of their network, said solution providers, noting that diligence is necessary to ensure that division is maintained even when there are changes in the environment. Properly implemented encryption, access control and privilege management are also requirements, said Bob Coppedge of Hudson, Ohio-based managed service provider Simplex-IT.

"Even if you get all the best practices right, your employees can create a weakness, because at the end of the day, they are human and will make mistakes," Coppedge told CRN.

PUBLISHED AUG. 29, 2014