Backoff POS malware: how to identify and protect your POS environment and clients

Point-of-sale malware is a serious problem for a simple reason: it steals personal information directly from point-of-sale devices.

The impact of this malware can be very high, as we have seen in the Target point-of-sale malware outbreak.

This time, the Backoff POS malware is doing the rounds. Reports claim that 1000 retailers have been affected by it.

The report on Softpedia claims that Backoff POS is capable of scraping the RAM (memory) of the infected device.

What is currently known about the technical behaviour of the Backoff POS malware:

  • Uses port 443
  • Encrypts its traffic
  • Its developers use custom-made query strings and keep changing them

Indicators of Compromise:

hxxp://cyberwise.biz (185.5.52.135)

hxxp://143biz.cc.md-14.webhostbox.net (208.91.198.91)

How to protect POS devices

In POS malware attacks, infected point-of-sale terminals make connections to untrusted hosts on the internet. In this specific case, hosts in Lithuania and the Virgin Islands are involved. While most attention in media articles is spent on how such traffic can be detected, I think the authors miss the point.

After all, the question should be: "Why are payment terminals allowed to talk to random non-trusted hosts on the internet?" There is no legitimate reason to allow POS equipment to talk to these hosts. With proper access control, most POS malware would be rendered completely harmless, as its command & control traffic would be effectively blocked.

Shouldn't politicians use legal compliance frameworks (PCI?) to make sure proper controls are put in place, and to make sure vendors can be held liable for non-compliance and for damages from the related data breaches?

If people want to detect point-of-sale malware, I would say start by blocking and logging untrusted traffic in your access control lists.

Afterwards, detect the malware by inspecting the dropped connections in your firewall log.
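The two steps above (deny-by-default egress for the POS segment, then review of the drop log) can be turned into a small triage script. The example below is added here and is not part of the original post; it assumes an iptables/netfilter style log line tagged with a `POS-EGRESS-DROP` log prefix, a placeholder allowlist of trusted destination networks (RFC 5737 TEST-NET ranges standing in for a payment processor and an internal update server), and constructed sample log lines. The two IP addresses it treats as known indicators are the ones listed in the post above. For each POS terminal it reports how many blocked connections to untrusted hosts were seen, which destinations were involved, and whether any of them match the published indicators; it also lists trusted destinations that were dropped, which points at an access list that is too strict rather than at malware.

```python
import ipaddress
import re
from collections import defaultdict

# Destinations a POS terminal is legitimately allowed to reach. Placeholder
# networks (assumption): replace with your payment processor and internal hosts.
TRUSTED_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: payment processor
    ipaddress.ip_network("10.0.5.0/24"),      # placeholder: internal update/log servers
]

# Command-and-control addresses listed as Backoff indicators of compromise in the post.
KNOWN_IOC_IPS = {"185.5.52.135", "208.91.198.91"}

# Matches the assumed iptables "--log-prefix POS-EGRESS-DROP" line format;
# adjust the pattern to your own firewall's log layout.
DROP_LINE = re.compile(
    r"POS-EGRESS-DROP .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log: two attempts to a known C2 address, one to an unknown
# external host, one to the (trusted) processor, and one unrelated line.
SAMPLE_LOG = """\
Aug 22 10:14:03 pos-fw kernel: POS-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.11 DST=185.5.52.135 LEN=60 PROTO=TCP SPT=49172 DPT=443
Aug 22 10:14:09 pos-fw kernel: POS-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.11 DST=185.5.52.135 LEN=60 PROTO=TCP SPT=49173 DPT=443
Aug 22 10:15:40 pos-fw kernel: POS-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.12 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=51000 DPT=443
Aug 22 10:16:02 pos-fw kernel: POS-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.13 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51321 DPT=443
Aug 22 10:16:30 pos-fw kernel: some unrelated message
"""


def classify(line):
    """Parse one firewall log line; return a dict describing the dropped
    connection, or None if the line is not a POS egress drop."""
    m = DROP_LINE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m.group("dst"))
    return {
        "src": m.group("src"),
        "dst": str(dst),
        "dport": int(m.group("dpt")),
        "trusted_dst": any(dst in net for net in TRUSTED_NETS),
        "known_ioc": str(dst) in KNOWN_IOC_IPS,
    }


def find_untrusted_egress(lines):
    """Group dropped connections to untrusted hosts by POS terminal.
    Returns {src_ip: {"attempts": n, "destinations": {...}, "ioc_hits": {...}}}."""
    report = defaultdict(lambda: {"attempts": 0, "destinations": set(), "ioc_hits": set()})
    for line in lines:
        ev = classify(line)
        if ev is None or ev["trusted_dst"]:
            continue
        entry = report[ev["src"]]
        entry["attempts"] += 1
        entry["destinations"].add(f'{ev["dst"]}:{ev["dport"]}')
        if ev["known_ioc"]:
            entry["ioc_hits"].add(ev["dst"])
    return dict(report)


def find_blocked_trusted(lines):
    """Drops towards allowlisted destinations: a sign the ACL is too strict,
    not of malware. Returns a list of (src, dst) tuples."""
    hits = []
    for line in lines:
        ev = classify(line)
        if ev is not None and ev["trusted_dst"]:
            hits.append((ev["src"], ev["dst"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, info in sorted(find_untrusted_egress(lines).items()):
        verdict = "KNOWN IOC" if info["ioc_hits"] else "unknown destination, investigate"
        print(f"{src}: {info['attempts']} blocked attempt(s) to "
              f"{', '.join(sorted(info['destinations']))} [{verdict}]")
    for src, dst in find_blocked_trusted(lines):
        print(f"{src}: blocked traffic to trusted host {dst} (check ACL)")
```

Run it against your own drop log by replacing `SAMPLE_LOG` with the file contents; a terminal that keeps retrying an untrusted destination is worth pulling from the network even when the address is not yet on any published indicator list, since the post's point is that POS equipment has no business talking to such hosts at all.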

Founder of Cyberwarzone.com.