Targeted Destructive Malware, Server Message Block (SMB) Worms, and Other Cyber Exploitations Are Becoming More Advanced and More Destructive Every Day. What Should Business Owners Do to Protect Themselves?

In the past year, malicious actors have used the reputations, bandwidth, and continuous connections of companies like Staples, Kmart, Dairy Queen, Home Depot, Jimmy John’s, Target, Sally Beauty, P.F. Chang’s and many others to take consumer data, steal money and damage the reputations of everyone involved. Every one of these companies suffered losses through a compromised PoS system infected with a little-known family of malware called “Backoff”. Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States, and all of these businesses have one thing in common: they were impacted by Backoff malware. Seven PoS system providers have confirmed that multiple clients were affected by Backoff, and additional compromised locations, of all sizes, are discovered every day. The Secret Service currently estimates that over 1,000 U.S. business entities have been infected by Backoff so far.

Recent investigations by the Secret Service have revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions such as Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the malicious actors attempt to brute force the login feature of the remote desktop solution. After gaining access to what is often an administrator or otherwise privileged account, the intruders deploy the point-of-sale (PoS) Backoff malware and take consumer payment data.

Backoff malware works by scraping consumer data from the memory of the machine being used to process a payment card transaction. Payment Card Industry (PCI) compliance has centered on verifying that cardholder data isn’t stored locally on the vendor’s computer system. However, there is no way to prevent the cardholder’s data from traveling through the memory of the machine processing the transaction. Backoff’s use of the system’s memory is what makes the malware so effective for malicious actors and so difficult for retailers to discover and remove.

Once the cardholder information has been scraped from the memory of the machine processing the transaction, the malicious actors process a micropayment of less than $10.00. This micropayment is used to verify the card’s validity before the card is offered for sale on the black market. Once the card is verified it is offered for sale in batches or “dumps” organized by postal code. Organizing by postal code allows data purchasers to avoid fraud detection systems by using the stolen card data in the same locations where the cards have been used in the past. The cards are used to purchase high value items such as iPhones, Xbox consoles, PS4 devices, etc. These goods are then repackaged and shipped overseas to areas of the world where the items are not offered for sale and people are willing to pay two to three times the actual selling price in a cash-only transaction.

How do you protect yourself and your customers from Backoff and similar malware? Here are a few steps you can take.

Network Security:

  • Review your firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (i.e., egress) firewall rules: compromised entities are frequently found to allow all ports to communicate with any IP address on the Internet, and hackers leverage this configuration to send data to their systems.
  • PCI compliance requires that data networks be separate from networks used for processing your credit card information. Segregate your payment processing networks from your other networks. Once you have your card payment network separated it’s easier to control communications and only allow transaction communications with your payment processor. By restricting communications you can prevent an infected machine from sending your customer’s data to the malicious actors.
  • Once your payment data has been separated from your data network, you need to apply access control lists (ACLs) on your router and firewall configurations. Using an ACL will help you limit unauthorized traffic.
  • Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data. Your payment processing hardware doesn’t need to access all your PCI data. Once the transaction has been processed, the data should be inaccessible from your public-facing systems.
  • Implement data leakage prevention/detection tools to detect and help prevent data exfiltration. You should also add email filters to prevent unintentional loss through well-meaning employees trying to help people; social engineering is the easiest way for someone to gain access to your systems. There are several options available. Rights Management Services (RMS) is available with Enterprise-level versions of Exchange Server 2013 and with Office 365 Enterprise E3 and E4 subscriptions. RMS uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mail, Word documents, and web pages, and it limits the operations authorized users can perform within Office, preventing personally identifiable information from leaving your organization. At the network email level, Sophos’s new SG series of UTM appliances offers a far more extensive collection of preconfigured rules than Microsoft RMS does; however, both allow you to add custom expressions to help guard against data loss.

Figure 1: Sophos SG Appliance Filters

  • It’s important for network administrators to implement tools to detect anomalous network traffic and anomalous behavior by legitimate users with compromised credentials. Detecting anomalies requires higher-end hardware and software backed by a monitoring service. Enterprise-size organizations can use Cisco’s Traffic Anomaly Detector Module in their Catalyst switches. Smaller companies can’t afford this hardware; the Sophos SG 105 would allow you to detect anomalous network traffic with the help of Sophos Labs. Sophos UTM devices give network owners deep insight into the traffic traversing their networks, and Sophos Labs investigates edge cases, monitors trends and tunes your UTM for ever better protection over time. Protecting an office of ten users with a Sophos SG 105 UTM costs less than $26.00 per month, or $2.60 per user. For larger offices, a Sophos SG 230 would allow you to detect anomalous behavior by legitimate users with compromised credentials and protect 100 users for $227.00 per month, or less than $2.30 per user per month. This is far less than the cost of cleaning up after a break-in, but it still requires network administrators to read log files on a daily basis. ObserveIT is another option. ObserveIT provides visibility into your users’ activity on company computers. It creates fully indexed and searchable video logs of user sessions and analyzes behavior to detect out-of-policy actions with real-time analytics and alerts.

Cash Register and Point of Sale system Security

  • Think about adding mobile wallet or Near Field Communication (NFC) based payment systems from Apple, Google and other companies that bypass payment cards altogether. Chase Payments, CyberSource, First Data, Stripe and TSYS all accept NFC payments. Maybe it’s time to pay a little more and avoid having any PCI data move across your network.
  • Implement hardware-based point-to-point encryption. It is recommended that magnetic stripe payment readers be replaced by Europay, Mastercard, and Visa (EMV) payment readers before October 1, 2015. Newer EMV-enabled PIN entry devices should have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website. Before you add a new device to your PCI compliant network, we recommend quarantining that device for seven to ten days on its own network segment. This will allow you to watch the traffic traveling to and from your new device and verify that the device wasn’t tampered with prior to installation. After October 1, 2015 the party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses. When a transaction occurs using chip technology, any liability for counterfeit fraud, though unlikely, would follow current Visa Operating Regulations.
  • Install Payment Application Data Security Standard (PA-DSS) compliant payment applications. PA-DSS is a set of requirements that are intended to help software vendors develop secure payment applications that support Payment Card Industry Data Security Standard (PCI DSS) compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Software applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with PCI DSS. We hate to be the bearer of bad news here, but QuickBooks POS 2013 is the only version of QuickBooks PoS listed as safe for deployment. If you have an older or newer version of QuickBooks PoS, and suffer a data breach, you will be held liable for any losses and possibly face additional fines.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system. Far too often we see companies paying thousands of dollars every year for patch management systems that don’t work. Most patch management systems actually delay the patches from being installed or simply do nothing at all. Take the time to discuss Patch Management with your IT provider and learn the basics of how to manage your own systems. It takes less than 15 minutes to learn how to use the patch management software natively installed by your software providers (Microsoft, Adobe, Java, etc.). If you have machines that are experiencing issues with patch installation, there is usually a deeper problem. Contact your IT provider and resolve the issue before the holiday shopping season begins.
  • Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible. Don’t be afraid to use a passphrase. Passphrases are typically longer than passwords, for added security, and contain multiple words that create a phrase. Some people use the first letter of every word, others use the second or last letter to create a longer more secure password.
  • A strong password:
      • Is 15 to 30 characters long
      • Is a series of words that create a phrase
      • Does not contain common phrases found in literature or music
      • Does not contain words found in the dictionary
      • Does not contain your user name, real name, or company name
      • Is significantly different from previous passwords or passphrases
      • Contains uppercase, lowercase, numeric and special characters: A, B, C, a, b, c, 0, 1, 2 ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
  • Perform a binary or checksum comparison to ensure unauthorized files have not been installed on your POS system. A checksum is a small piece of data calculated from a larger block of data; the small value is used to find errors or changes in the larger data between one point in time and another. If the contents of a file on your system change, even when its size does not, its binary or checksum value also changes. As an example, if I create a file on my computer named QBF.txt containing the text “The quick brown fox jumped over the lazy dog.” the checksum for that file is 5c6ffbdd40d9556b73a21e63c3e0e904. Now, if I change the text in that file to “The quick brown fox jumped over the lazy dog” my checksum value changes to 08a008a01d498c404b0c30852b39d3b8. Looking at the checksum, it is immediately obvious that something in my text file has changed, even though the change was a single character. By keeping track of the checksum values for the files in the directory containing your POS software you’ll be able to see when those files have changed. Most operating systems have the ability to calculate checksum values built in; Microsoft Windows requires an additional download from Microsoft. We recommend that you store your hash values in a database and automate the process of looking for changed values. Your database records should be stored for a minimum of one year.
  • Ensure any automatic updates from third parties have been validated prior to installation. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
  • Disable any unnecessary ports and services, null sessions, default users and guest user accounts on your machines. I can’t tell you the number of installations we have seen where the network administrator has completely disabled the machine-level firewalls. Check your machines to verify that firewalls have been turned on. If they are off, you will most likely find that a few functions stop working when you turn your firewall back on. It’s okay; contact your IT service provider for assistance with learning the proper way to configure your firewall for your applications. While you have your provider there, let them know that it’s not okay to turn off your machine’s firewall. If you have a domain controller you can use Group Policy to make changes to every firewall in your domain through a single console on your server. Yes, there is a learning curve to understanding your firewall, but it’s easy to configure once you understand the basics.
  • Enable logging of your network system events and make sure there is a process in place to monitor logs on a daily basis. Many logs are set, by default, to overwrite data and never archive user information. It only takes a few moments to change this default setting to archive your log files and retain your security, login and other information. You should use a syslog server to make changes in data more obvious and allow you to quickly respond to anomalies in your log files.
  • Implement least privileges and ACLs on users and applications on your PoS systems. This is a part of the layered approach to security that every small business should have in place. Restrict users at your network firewall, restrict users at the switch or wireless Access Point level, restrict users at the machine layer and again restrict users at the application layer.
  • Refrain from using the systems that run your Point of Sale software for browsing the Internet or opening your email. Internet and email-based attacks are the most common
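The checksum comparison described for the POS directory, and the vendor-hash check for updates, as one added example (not GPL Integrated IT’s tooling). It assumes Python 3, uses SHA-256 for the baseline (MD5 is kept only to mirror the QBF.txt illustration), and the directory, update file and vendor-published hash are stand-ins you would supply; the scratch directory in demo() is constructed.

```python
"""Baseline-and-compare integrity check for a PoS software directory.
Added example (not GPL Integrated IT tooling); assumes Python 3. The directory,
update file and vendor-published hash are placeholders you supply."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large PoS binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def text_digest(text, algorithm="md5"):
    """Digest of a string, mirroring the QBF.txt example (MD5, as in the article)."""
    return hashlib.new(algorithm, text.encode()).hexdigest()

def build_baseline(root, algorithm="sha256"):
    """Map every file under root (path relative to root) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Files added, removed or modified since the baseline was recorded.
    Store the baseline off the PoS host so malware cannot rewrite it too."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "modified": sorted(f for f in old & new if baseline[f] != current[f])}

def verify_update(path, vendor_hex, algorithm="sha256"):
    """Constant-time check of an update file against the hash the PoS vendor published."""
    return hmac.compare_digest(file_digest(path, algorithm), vendor_hex.strip().lower())

def demo():
    """Constructed walk-through: baseline a scratch directory, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "QBF.txt").write_text("The quick brown fox jumped over the lazy dog.")
        Path(d, "pos.exe").write_bytes(b"\x00legit")
        before = build_baseline(d)
        Path(d, "QBF.txt").write_text("The quick brown fox jumped over the lazy dog")
        Path(d, "dropper.dll").write_bytes(b"\x00unexpected")   # unauthorized file
        Path(d, "pos.exe").unlink()                               # legitimate file gone
        diff = compare(before, build_baseline(d))
        update = Path(d, "update.bin")
        update.write_bytes(b"patch")  # stand-in vendor update; "published" hash computed here
        return diff, verify_update(update, file_digest(update)), verify_update(update, "00" * 32)

if __name__ == "__main__":
    print(demo())
```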

Remote Desktop and Remote Access Restrictions

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system could be a malicious actor who is attempting to determine an account password through trial and error. Beginning with Windows Server 2003, Windows domain controllers have kept track of logon attempts. Now, domain controllers can be configured to respond to this type of attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
  • Limit the number of users and workstations that can log in using Remote Desktop. Remote Desktop Connection is a technology that allows you to use a client computer to access a remote computer in a different location. For example, you can connect to your server from your desktop computer and have access to all of your programs, files, and network resources as though you were in front of your server. Remote desktop should never be allowed through a firewall. If you feel it is necessary to access your machines from a remote location, you should use a Virtual Private Network that will encrypt your data while it is being transmitted to your office. One simple solution would be a Sophos SG 105 and a Sophos Remote Ethernet Device (RED) in your remote location. Your Sophos SG 105 can centrally manage your Sophos RED via the cloud and give you secure access to your office from anywhere you have an internet connection. After your RED authenticates through digital X.509 certificates, all your transferred data is protected using an AES256-encrypted tunnel. This tunnel keeps your data and your business safe from malicious attackers.
  • Use firewalls, both software and hardware, to restrict access to remote desktop listening ports (default port number is TCP port 3389) and never allow Remote Desktop through your firewall unless you are using a VPN tunnel, like a Sophos RED appliance, to encrypt your information.
  • Change the default Remote Desktop listening port in your organization. Our IP addresses are scanned multiple times per hour for open port numbers. It doesn’t take very long for a malicious actor to figure out that port 3389, on your firewall, is listening for connections. By changing the port number we make it more difficult for a malicious actor to know which port they should be attacking. Security through obscurity is never a good idea. However, as a part of a larger security deployment, obscuring the port number is helpful.
  • Define complex password parameters. Configuring an expiration time, password length and complexity requirement can decrease the amount of time in which a successful attack can occur.
  • Require two-factor authentication (2FA) whenever possible. Two-factor authentication is a process involving two subsequent but dependent stages to check the identity of a person trying to access services in a computer or on a network. The first stage may be a password and the second stage may be an ID number sent to the user’s phone or email. PCI compliance now requires 2FA for all Wi-Fi networks that contain payment card information. We can show you how to implement 2FA on your Wi-Fi network.
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate key logger or credential dumping attacks.
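The trial-and-error logon pattern that the account lockout threshold is meant to stop, shown as detection logic over logon records, as an added example (not GPL Integrated IT’s tooling). The records are constructed, flattened fields of Windows security events (4625 = failed logon, 4624 = success) rather than the native event-log format, and the threshold and window mirror the lockout policy’s threshold and counter-reset window; it also generalizes the per-account rule to a per-source-address view.

```python
"""Flag logon brute forcing in failed-logon records, the pattern lockout policy stops.
Added example (not GPL Integrated IT tooling). Records are constructed, flattened
fields of Windows security events, not the native event-log format; threshold and
window mirror Account Lockout Policy's threshold and counter-reset window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event id> <account> <source ip>" (TEST-NET addresses)
SAMPLE_LOG = """\
2014-11-20T02:14:01 4625 Administrator 203.0.113.7
2014-11-20T02:14:02 4625 Administrator 203.0.113.7
2014-11-20T02:14:02 4625 admin 203.0.113.7
2014-11-20T02:14:03 4625 Administrator 203.0.113.7
2014-11-20T02:14:04 4625 posuser 203.0.113.7
2014-11-20T02:14:05 4625 Administrator 203.0.113.7
2014-11-20T09:30:10 4625 jsmith 192.0.2.25
2014-11-20T09:30:41 4624 jsmith 192.0.2.25
2014-11-20T09:45:00 4625 jsmith 192.0.2.25
"""

def parse(lines):
    """Yield (timestamp, event_id, account, source) for each non-empty record."""
    for line in lines.splitlines():
        if line.strip():
            ts, event_id, account, src = line.split()
            yield datetime.fromisoformat(ts), int(event_id), account, src

def failed_logon_bursts(lines, threshold=5, window=timedelta(minutes=30), by="source"):
    """Return {key: ISO time of the failure that crossed the threshold} for every source
    address (or account, with by="account") with >= threshold failed logons inside a
    sliding window. Per account this is what the lockout policy enforces; per source
    it also catches one address cycling through many account names, each below
    the per-account threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, event_id, account, src in parse(lines):
        if event_id != 4625:          # only failed logons count toward the threshold
            continue
        key = src if by == "source" else account
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the observation window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts.isoformat()
    return flagged

if __name__ == "__main__":
    print("by source :", failed_logon_bursts(SAMPLE_LOG))
    print("by account:", failed_logon_bursts(SAMPLE_LOG, threshold=3, by="account"))
```

With the sample, the single source address trips the default threshold while no individual account does, which is why the per-account lockout alone can miss a spray across usernames.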

Limit administrative privileges for users and applications.

  • Periodically review and purge systems (local and domain controllers) of past and dormant users.

Organizations that believe there is a possibility that they may have been impacted by Backoff should contact their local Secret Service field office and may contact the NCCIC for additional information. If you are unsure how to do this, contact us, and we will contact authorities with you.


Contact GPL Integrated IT for more Information

GPL Integrated IT, LLC
172 Carpenter Road
Elmira, NY 14903

