Bankers, beware Backoff.
The Department of Homeland Security sounded an alarm last week about this young strain of malicious software. The agency directed its warning mainly at retailers, but banks are also vulnerable to Backoff in several ways and need to put defensive mechanisms in place.
One of millions of malware mutations out there, Backoff tries to break into point-of-sale networks and steal credit card data; 600 retailers have reportedly been hit.
"It's not necessarily that this one is nastier than the others," said Chris Camejo, director of assessment at the security consulting firm NTT Com Security. "The real motivation is they're seeing it used in the wild more than others. Somebody decided this will be their go-to tool."
The concerns about Backoff surface as cyber-attacks against financial institutions and retailers are growing more frequent, more sophisticated, and more widespread. Many banks have recently fallen victim to "masquerading," a combination of social engineering and confidence scam that uses high-tech tools and generally results in wire transfer fraud. And Backoff-like malware is said to have been behind several recent high-profile retailer breaches, including those at Target, P.F. Chang's, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.
Backoff trolls the Internet looking for computers running remote desktop tools, which allow a user to connect to one machine from another across cyberspace. Examples include Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop and LogMEIn. Like most companies, banks have employees who use these tools. When Backoff finds a computer running such a tool, it or an accomplice piece of malware will try to break in. They do this typically through phishing — sending an email prompting the user to click on a link that downloads the malware — or by "drive-by download," in which a user browsing the Internet happens on a compromised site that downloads malware to her computer.
"With the rise of remote employees, there will be security issues," warned Jerome Segura, senior security researcher at Malwarebytes Labs, the research arm of the anti-malware company. "You're in a situation where you have too many people who have too many privileges, and there's not much control of these peoples' computers and devices. They're not always well-protected with antivirus and antimalware software. That's opening up a can of worms for any organization that allows remote workers."
Remote desktop tools are designed to be used within a network, not across the Internet, noted Camejo. Some have security settings that can be turned on to provide encryption and authentication, but more often than not these settings are not turned on. In an assessment, if NTT technicians see a remote desktop that's exposed to the Internet, they flag it.
"If you compromise a desktop, you now own a computer within your target organization, you've got the screen, the keyboard and the mouse and you're sitting there inside someone else's office," Camejo said. "The consequences of one of these things getting breached are really nasty."
A key issue here for banks is managing their networks properly. "You never want to have an infrastructure component be publicly accessible," said Joe Schumacher, senior security consultant at Neohapsis, a security and risk management consulting company. "You want to have a VPN that your employees log into with two-factor authentication, and then from there access the remote desktop. That's the ideal world."
Once it's made its way inside a computer, Backoff tries to guess the password for the Remote Desktop tool by running through passwords in a dictionary until it stumbles on one that works — a tactic called brute force login. From there, it will attempt to access a point-of-sale terminal.
POS machines are often exposed to the Internet because their owners don't want the extra cost and management overhead of VPN software, Schumacher said.
Once inside the POS terminal, Backoff can not only capture the "track" data stored on the magnetic stripes of cards as shoppers swipe them, but also the keystrokes they use (for example, debit card PINs). That information is all sent to a central command-and-control center owned by the perpetrators, who then sell the information or use it to make their own credit cards. Visa and MasterCard typically make banks eat the losses from such fraud; the banks then have to try to recoup the money from the merchant that was breached.
Backoff's ability to record keystrokes could also be used to break into a commercial bank account.
"You find somebody who's in accounts payable, you wait until they go to the bank's website and you punch in the user name and password and wire some money out," Camejo said. Often the money is sent to Eastern Europe. "Once that money's gone, it's gone. You're not getting it back," he said.
The malware could also start hunting for other valuable stuff to steal.
"Once a machine is infected, it is a resource and can be used for multiple purposes," said Segura. "In addition to trying to harvest passwords, Backoff might put the machine into a botnet so it could in turn generate more spam or help launch distributed denial of service attacks."