PCI Security Standards Forum warns on Backoff malware

News by Steve Gold

Malware around since last year, but only now visible to anti-virus security software.

The PCI Security Standards Forum - the organisation behind the PCI DSS security rules that all organisations handling card payments must adhere to - has warned of a POS (point-of-sale) malware called Backoff.

Interestingly, the Forum's advisory hints that the Backoff malware may have been used in the infamous Target Corporation attack of late last year, since it claims that the malware was released in 2013, but has only this month been recognised by AV and allied security software.

Merchants are being advised to "review all system logs for any strange or unexplained activity, especially large data files being sent to unknown locations."

The Forum concludes by saying that attacks of this kind underscore the critical importance of a multi-layered approach to payment card security that addresses people, process and technology.

Commenting on the Backoff advisory, Professor John Walker of Nottingham-Trent University says that he is normally in favour of security standardisation and controls as a means of securing payment card systems - but in the case of the PCI Security Standards Forum, claims the agency is failing on three main fronts in this regard.

These fronts, he told SCMagazineUK.com, are skills; the PCI DSS standard itself; and the `back to basics' application of technology controls.

On the skills side, he says, whilst the PCI-DSS standard is very prescriptive, it conflicts with the second aspect, that of the PCI DSS standard themselves, in that the practical elements of the standard do not always filter down into actions. The end result here, he adds, is that there is often a shortfall in the implementation of the PCI DSS rules in many companies.

Walker - who is also a director of Integral Security Xssurance - says that the third PCI DSS security issue – the application of technology controls - is the largest challenge of all, owing to the need to integrate the various security elements together.

"I have seen this issue at close quarters in one major bank, where the bank's software developers had to pull back from releasing the PCI DSS compliant software owing to the fact that security had not been considered in the development lifecycle stages," he said.

Walker went on to say that, when he was discussing security issue with a PCI DSS Qualified Security Assessor, the assessor revealed he had discovered a significant security exposure and vulnerability on a major bank's Web site - despite the fact that the site concerned was fully PCI DSS compliant.

"I inquired how this could be so. His answer was very revealing when he told me: ‘That's easy, the element of insecurity and exposure is not on the check list, so it does not count in the assessment.' From this, it can be seen that we can have insecure security - which is fully in compliance with PCI DSS – existing alongside known security exposures," he explained.

According to Egeman Tas, VP of engineering with Comodo, fraudsters design malware such as Backoff to steal credit card data stored in memory, meaning that application containerisation technology - which protects the process against a memory scraping attack - can prevent these types of malware from being successful.

"The PCI Forum bulletin recommendations are all fine and well, but - as is often the case - does not actually address the crux of the issue. In this case, containerisation would have stopped Backoff. I can only imagine the technology was not referenced in the bulletin because it is so new and people are still bringing themselves up to speed," he said.

Tony Marques, a cyber security consultant with Encode UK, said he expects to see more examples of malware like Backoff appearing in the near future, since the code is usually tailored to the target environment.

"The best defence is to improve infection detection and treatment. This means having up to date end-point and/or gateway AV/malware detection software - using a sandbox detonation approach - along with a good source of threat intelligence," he said.

"Consideration must also be given to the probable initial attack vector - e.g. social engineering for physical POS terminal access and spear phishing. Until the retail POS industry fixes the memory scraping vulnerability, countering these threats is like laying the railway track ahead of a runaway train," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews