Cyber-Attacks Have Affected More Than 1,000 U.S. Businesses

Effect of 'Backoff' hacker malware more widespread than first believed

CSP Daily News / Convenience Stores / Technology

WASHINGTON -- Along with Target, SuperValu and other highly publicized cases, more than 1,000 U.S. businesses have been affected by point-of-sale (POS) malware dubbed "Backoff," the National Cybersecurity & Communications Integration Center (NCCIC), U.S. Secret Service and third-party partners said in an advisory the agencies issued on July 31. The malware has been discovered exploiting businesses' administrator accounts remotely and compromising consumer payment data.

The U.S. Department of Homeland Security (DHS) is encouraging businesses, regardless of size, to check for possible point-of-sale (POS) malware infections. One particular family of malware, which was detected in Oct. 2013 and was not recognized by antivirus software solutions until Aug. 2014, has likely infected many victims who are unaware that they have been compromised.

Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by Backoff. Seven POS system providers/vendors have confirmed that multiple clients have been affected. Reporting continues on additional compromised locations, involving private-sector entities of all sizes.

DHS strongly recommends that companies contact their IT team, antivirus vendor, managed service provider or POS system vendor to assess whether assets may be vulnerable or compromised. The Secret Service is active in contacting affected businesses, as they are identified, and continues to work with and support those businesses that have been affected by this malware. Companies that believe they have been the victim of this malware should contact their local Secret Service field office and may contact the NCCIC for additional information.

According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities--a vendor with remote access to a company's systems, for example, or employees with the ability to work remotely--and then deploying computers to guess user names and passwords at high speeds until they find a working combination.

The hackers use those footholds to crawl through corporate networks until they gain access to the in-store cash register systems. From there, criminals collect payment card data off of the cash register systems and send it back to their servers abroad.
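The intrusion pattern described above starts with high-speed password guessing against remote-access services, which is visible in authentication logs long before any card data leaves the store. The following is an added example, not code from the article or from the DHS/Secret Service advisory: it parses a constructed, simplified authentication-log format (real RDP, VPN and vendor support tools each log differently, so `parse_line()` is the piece to adapt), flags any source address that accumulates a burst of failures within a short window, and records whether a successful login followed the burst, which is the case that most warrants escalation.

```python
"""Detect high-rate remote-access password guessing from authentication logs.

Added example for the Backoff advisory discussion; the log format and sample
lines below are constructed for illustration and are not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, outcome, account tried, source IP.
# The first source tries several common admin-style account names in a few
# seconds and then succeeds; the second is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2014-07-30T02:14:01Z auth FAIL user=admin src=203.0.113.7
2014-07-30T02:14:02Z auth FAIL user=admin src=203.0.113.7
2014-07-30T02:14:02Z auth FAIL user=administrator src=203.0.113.7
2014-07-30T02:14:03Z auth FAIL user=pos src=203.0.113.7
2014-07-30T02:14:03Z auth FAIL user=support src=203.0.113.7
2014-07-30T02:14:04Z auth FAIL user=admin src=203.0.113.7
2014-07-30T02:14:05Z auth OK user=support src=203.0.113.7
2014-07-30T02:20:11Z auth FAIL user=jsmith src=198.51.100.22
2014-07-30T02:41:19Z auth OK user=jsmith src=198.51.100.22
"""

# Matches the constructed format only; adapt this for a real product's log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, outcome, user, src) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"], m["user"], m["src"]


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a dict keyed by source IP for every source whose failed logins
    within `window` reach `threshold`.

    Each alert records the size of the largest burst seen, the distinct
    account names tried in it, and whether a successful login from the same
    source occurred at or after the end of the burst.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort()  # tuples sort by timestamp first
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        start = 0
        # Sliding window over failure timestamps: advance `start` until the
        # oldest failure in the window is within `window` of the newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = fails[end][0]
                users = sorted({e[2] for e in fails[start:end + 1]})
                success_after = any(
                    e[1] == "OK" and e[0] >= burst_end for e in evs
                )
                # Overwrite on each extension so the alert reflects the
                # largest burst observed for this source.
                alerts[src] = {
                    "failures": count,
                    "users": users,
                    "success_after_burst": success_after,
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_guessing(SAMPLE_LOG).items():
        flag = "COMPROMISE LIKELY" if info["success_after_burst"] else "guessing"
        print(f"{src}: {info['failures']} failures, users={info['users']} [{flag}]")
```

Thresholds of five failures per minute are deliberately low for a POS back-office or vendor remote-access service, where legitimate logins are rare and a handful of distinct account names tried from one address in seconds is already out of pattern; the useful signal for the incident responder is the `success_after_burst` flag, which separates noisy scanning from an account that has actually been guessed.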

Last year, in the largest known breach against a retailer's payment system, hackers invaded Target for weeks without being detected, said a report by The New York Times. The hackers' malware stole customers' data directly off the magnetic stripes of credit and debit cards used by tens of millions of shoppers.

The Target breach exposed problems with the magnetic stripes on credit cards, the report said. Since then, banks and companies have taken a renewed interest in a chip-based smart card standard, EMV, named for Europay, MasterCard and Visa, the technology's first backers. Credit-card companies have set an Oct. 2015 deadline for American retailers to upgrade their payment systems.

EMV makes counterfeiting far more difficult than magnetic stripe cards, but analysts say they believe that most retailers will not meet the Oct. 2015 deadline because of the cost to upgrade their terminals--from $500 to $1,000 per terminal, according to Javelin Strategy & Research.

With cash register malware rampant, however, they may have no choice, said the Times.


For all inquiries pertaining to this product, please contact the NCCIC Duty Officer at [email protected] or (888) 282-0870. To report an incident, contact US-CERT at [email protected] or visit: To report suspected cybercrimes, to include network intrusions or use of malware, contact your local U.S. Secret Service Field Office, Electronic Crimes Task Force (ECTF), or the Secret Service toll free number at (877) 242-3375. Victims of cybercrimes may have evidence important to ongoing investigations or to the eventual prosecution of cyber criminals.