Visited a Dairy Queen lately and paid with your credit or debit card? If so, it’s possible your card data was stolen by the Backoff point-of-sale (POS) malware, a close relative of the memory-scraping POS malware behind last year’s Target breach and a host of other retail compromises over the last few months. According to TIME, almost 10 percent of Dairy Queen locations nationwide were hit by the point-of-sale malware, with nearly 600,000 cards compromised. So what’s going on here? Wasn’t Backoff supposed to, you know, back off once security teams patched and hardened their systems against it? Apparently this malware doesn’t know how to take a hint.
That’s the word from Dark Reading, which reports a 57 percent increase in Backoff infections between August and September 2014. The Secret Service, meanwhile, says that up to 1,000 American businesses could be affected by Backoff, and that number continues to grow. It raises the question: how does this keep happening?
Part of the problem comes from the point-of-sale devices themselves. Often they are “free-standing” from the corporate network, meaning “it’s impossible to discover the device is communicating with criminal command and control,” according to Brian Foster, CTO of security firm Damballa. Many of these devices are also configured to use remote desktop or remote access software, a convenient way to push upgrades and patches on demand, and an equally convenient way in for Backoff and other POS malware: attackers scan for the exposed remote access service, brute-force weak or default credentials, and then install the memory scraper that harvests card data from the terminal. Bottom line? Companies need eyes on POS traffic all the time: where it’s going, when, and most importantly why. In addition, every connection between these devices and any other service, on the network or outside it, should be regularly audited against an explicit list of what the terminal is actually supposed to talk to.
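As an added illustration of that audit (example code written for this page, not from Damballa or any of the sources quoted above), here is a small Python script that takes constructed flow-log lines from a POS segment and flags two things: terminals sending data to any destination not on an explicit allowlist, and remote administration sessions that do not come from the designated jump host. The segment addresses, ports, allowlist and log format are all assumptions, and the sample log is constructed for the example.

```python
"""
Added example (not from the original article): an egress and remote-access
audit for a point-of-sale network segment, run over constructed flow-log lines.

Assumptions (not stated in the article): flows are logged as
"<timestamp> <src_ip> <dst_ip> <dst_port> <proto> <bytes>", the POS segment
is 10.50.0.0/24, the only legitimate destinations are the payment processor
and an internal patch server, and remote administration (RDP 3389 / VNC 5900)
must originate from a single jump host.
"""
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # assumed terminal segment
ALLOWED_EGRESS = {                                    # assumed allowlist of (dst, port)
    ("203.0.113.10", 443),   # payment processor (TEST-NET address, constructed)
    ("10.10.0.5", 443),      # internal patch/update server
}
REMOTE_ADMIN_PORTS = {3389, 5900}                     # RDP, VNC
JUMP_HOSTS = {"10.10.0.20"}                           # assumed approved admin host

# Constructed sample log: one terminal talks to the processor and the patch
# server, then starts uploading to an unknown host over 443 (port alone looks
# harmless), and an RDP session arrives from an address that is not the jump host.
SAMPLE_LOG = """\
2014-09-01T10:00:01 10.50.0.21 203.0.113.10 443 tcp 1820
2014-09-01T10:00:05 10.50.0.21 10.10.0.5 443 tcp 4096
2014-09-01T10:02:11 10.50.0.21 198.51.100.77 443 tcp 524288
2014-09-01T10:02:40 10.50.0.21 198.51.100.77 443 tcp 524288
2014-09-01T10:03:00 192.0.2.9 10.50.0.21 3389 tcp 900
2014-09-01T10:03:30 10.10.0.20 10.50.0.22 3389 tcp 900
"""


def parse_flow(line):
    """Split one log line into its fields (ports and byte counts as ints)."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}


def audit_pos_flows(log_text):
    """Return a list of findings, each a tuple (kind, src, dst, port, detail).

    Remote-admin findings are emitted in log order as they are seen; egress
    findings are aggregated per (src, dst, port) and appended afterwards.
    """
    findings = []
    egress_bytes = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        src_in_pos = ipaddress.ip_address(f["src"]) in POS_SEGMENT
        dst_in_pos = ipaddress.ip_address(f["dst"]) in POS_SEGMENT

        # Check 1: a terminal talking to anything not on the allowlist.
        # Matching on (destination, port) rather than port alone is the point:
        # exfiltration over 443 to an unknown host must still be flagged.
        if src_in_pos and (f["dst"], f["port"]) not in ALLOWED_EGRESS:
            egress_bytes[(f["src"], f["dst"], f["port"])] += f["bytes"]

        # Check 2: a remote-administration session from anywhere but the jump host.
        if dst_in_pos and f["port"] in REMOTE_ADMIN_PORTS and f["src"] not in JUMP_HOSTS:
            findings.append(("remote-admin-from-unexpected-source",
                             f["src"], f["dst"], f["port"], f["ts"]))

    for (src, dst, port), total in egress_bytes.items():
        findings.append(("unexpected-egress", src, dst, port, f"{total} bytes"))
    return findings


if __name__ == "__main__":
    for finding in audit_pos_flows(SAMPLE_LOG):
        print(finding)
```

Run against the sample log, the script reports the RDP session from 192.0.2.9 and roughly a megabyte sent to 198.51.100.77, while the approved jump-host session and the allowlisted processor and patch traffic stay silent. The same two checks map directly onto firewall rules: a default-deny egress policy with the allowlist as the only exceptions, and an inbound rule that admits remote administration solely from the jump host.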
Ultimately, Backoff proves the point for any company unsure about the real threat of malware: so long as it continues to work, criminals will keep using it. If businesses don’t take steps to protect their assets, attackers are happy to use year-old code as a way in. Think of a neighborhood warned that burglars are defeating one particular kind of old lock: as long as front doors with that hardware are still in use, the burglars have no reason to change tactics.
Backoff isn’t the only “undetectable” malware making the rounds. As reported by The Daily Mail, a new virus known as Peter Pan has been targeting small and midsize companies in the United Kingdom. It arrives as an email attachment dressed up as a ticket purchase for Christmas performances of a Peter Pan theater production. When users open the attachment, their device is infected with a virus that can steal password data and spread to other machines on the same network.
Just as with Backoff, companies get no automatic warning from antivirus programs that anything’s amiss, because each new build is tweaked until existing signatures no longer match, and once the attachment is opened or the card swiped, it’s too late. Some efforts are being made to combat this class of threat, such as USB “condoms” that block the data lines when a device charges from an unfamiliar port, but malware that evades detection remains a serious problem. Is there any way to reliably back it off?
First off, companies need to make smart moves. This means using a secure VPN so that traffic can’t be sniffed, analyzed and ultimately used to engineer an attack. Employees also need periodic training: don’t open attachments you weren’t expecting, and never install a “video player” or codec that a web page or email prompts you to download.
But that’s just the start. When it comes to Backoff, Peter Pan or any other “undetectable” virus, the key thing to remember is that it will happen again. Why? Because criminals know that POS malware works, so they tweak it just enough each year to slip past antivirus signatures and avoid detection. Ultimately, virus scans and assurances of security from third-party vendors only go so far. If companies really want to give POS problems a hard shove, the key is oversight: get device traffic out in the open on a monitored network and look at what it’s actually doing rather than making assumptions. Backoff-like malware depends on companies taking the easy way; dig deeper and push back.