Data Security Alert - Backoff, Point of Sale Crimeware

By : John Pearson

January 23, 2015 08:14 PM

Beware of Backoff POS crimeware.

On July 31, 2014 the United States Department of Homeland Security published an advisory about new crimeware targeting businesses that accept, process, or transmit credit card data. This new crimeware, called Backoff, is a tool used by criminal hackers to take advantage of insecure remote access software, deficient networks, and weak user credentials, with the intent of gaining access to key environments such as Point of Sale (POS) systems, where the criminal hackers can collect, steal, and monetize data.

Backoff searches the Internet for locations using remote access software such as, but not limited to, Apple Remote Desktop™, Chrome Remote Desktop™, LogMeIn®, and Microsoft® Remote Desktop. Once a location is found, it allows criminal hackers to brute-force user accounts through the remote access software. It also provides tools that take advantage of deficient networks and unpatched operating systems to gain access to machines within the environment. If the criminal hackers gain access to the machines, they can then deploy memory-scrapers and key-loggers that scan active memory for its contents and track keystrokes, mouse movements, and screen touches to capture any and all data entered.

How can you protect yourself? To protect your business, follow the guidelines provided by PCI DSS, specifically a layered security approach that includes:


  • Use a commercial-grade managed firewall that is securely configured to allow access only to business-related websites

  • Maintain secure systems by regularly patching operating systems and software with security updates, and run anti-virus or application-whitelisting software

  • Remove remote access software unless it is absolutely needed for a business purpose, and then use only systems that support multi-factor authentication

  • Configure user accounts to require strong passwords, and use preventative measures against brute-force attacks

  • Maintain and review system logs regularly for abnormal system behavior
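The last two guidelines (brute-force prevention and regular log review) are where a POS operator can actually catch the remote-access attack pattern described above: a burst of failed remote logons from one source, followed by a successful logon. The script below is an added example written for this alert, not code from NCR or from the DHS advisory. It assumes a simple syslog-style line format that is constructed here for illustration; a real deployment would parse the actual authentication events of the remote access product or operating system (for example Windows logon audit events), which carry the same fields in a different layout.

```python
"""Flag remote-access brute-force attempts in authentication log lines.

Added example for the Backoff alert; the log format below is an
assumption constructed for this script, not a real product's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (documentation IPs, fictitious accounts).
SAMPLE_LOG = """\
2015-01-23T20:01:05 remote_logon_failed src=203.0.113.7 user=pos01
2015-01-23T20:01:06 remote_logon_failed src=203.0.113.7 user=admin
2015-01-23T20:01:07 remote_logon_failed src=203.0.113.7 user=pos02
2015-01-23T20:01:08 remote_logon_failed src=203.0.113.7 user=pos01
2015-01-23T20:01:09 remote_logon_failed src=203.0.113.7 user=admin
2015-01-23T20:01:10 remote_logon_failed src=203.0.113.7 user=administrator
2015-01-23T20:01:12 remote_logon_failed src=198.51.100.9 user=manager
2015-01-23T20:01:20 remote_logon_success src=198.51.100.9 user=manager
this line is not an authentication event and is skipped
2015-01-23T20:01:30 remote_logon_success src=203.0.113.7 user=pos01
"""

# One line = timestamp, event name, source address, account name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>remote_logon_(?:failed|success)) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for an auth event line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "event": m.group("event"),
        "src": m.group("src"),
        "user": m.group("user"),
    }


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Sliding-window detector over log lines.

    Raises a 'brute_force' alert when one source produces `threshold`
    failed logons within `window_seconds`, and a 'success_after_brute_force'
    alert when that source then logs on successfully inside the window
    (the "access granted" step the alert text warns about).
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # src -> deque of (ts, user) failures
    flagged = {}                   # src -> time of the last brute-force alert
    alerts = []

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]

        if rec["event"] == "remote_logon_failed":
            q = failures[src]
            q.append((ts, rec["user"]))
            # Drop failures that fell out of the window.
            while q and ts - q[0][0] > window:
                q.popleft()
            recently_flagged = src in flagged and ts - flagged[src] <= window
            if len(q) >= threshold and not recently_flagged:
                flagged[src] = ts
                alerts.append({
                    "kind": "brute_force",
                    "src": src,
                    "ts": ts,
                    "failures": len(q),
                    # Many distinct accounts from one source = password guessing
                    # across accounts, not one user mistyping a password.
                    "distinct_users": len({u for _, u in q}),
                })
        else:  # remote_logon_success
            if src in flagged and ts - flagged[src] <= window:
                alerts.append({
                    "kind": "success_after_brute_force",
                    "src": src,
                    "ts": ts,
                    "user": rec["user"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window and threshold are deliberately parameters: a lockout policy on the remote access product should trip well before the detector does, so a detector hit on a source that never got locked out is itself evidence that the preventative measure is missing or misconfigured.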


Following one or two of these guidelines alone is not enough to secure your environment. For example, a site deployed with a managed firewall and anti-virus or whitelisting, but running insecure remote access software, can still be compromised. The remote access software negates the protection of the firewall and anti-malware solution. If the remote access software is not configured for multi-factor authentication, brute-force attacks can discover user accounts and passwords that grant system access. Once system access is granted, Backoff can install memory-scrapers and key-loggers.

In most cases the Backoff crimeware cannot be detected by anti-virus, and whitelisting software can be deceived by Backoff if defects exist in unpatched software or operating systems. Remote users can run malicious code by posing as valid applications such as Windows® Explorer, or by taking advantage of vulnerabilities to disguise the crimeware through code injection, even if whitelisting is in place. Thus a layered approach of managed firewall, secure remote access, strong user credentials, updated software, anti-malware, and logging is required for protection.

All systems, including POS systems, regardless of provider, can be targeted by Backoff. It is the layers of security deployed to each system that determine whether it is vulnerable to the attack vectors used by Backoff. Review your environment today to make sure your systems have the layers of protection needed.

Please contact your NCR representative for details on NCR solutions and how NCR can help you improve the security of your business. Let us know if this information was helpful in the comments below.