How 'Backoff' Malware Works and Why Banks Should Care

Bankers, beware Backoff.

The Department of Homeland Security sounded an alarm last week (US-CERT alert TA14-212A) about this young strain of malicious software. The agency directed its warning mainly at retailers, but banks are exposed to Backoff in several ways as well and need defensive measures in place.

One of millions of malware mutations out there, Backoff targets point-of-sale networks to steal payment card data; 600 retailers have reportedly been hit.

"It's not necessarily that this one is nastier than the others," said Chris Camejo, director of assessment at the security consulting firm NTT Com Security. "The real motivation is they're seeing it used in the wild more than others. Somebody decided this will be their go-to tool."

The concerns about Backoff surface as cyberattacks against financial institutions and retailers grow more frequent, more sophisticated and more widespread. Many banks have recently fallen victim to "masquerading," a confidence scam that combines social engineering with technical tooling and generally ends in wire transfer fraud. And Backoff-like malware is said to have been behind several recent high-profile retailer breaches, including those at Target, P.F. Chang's, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.

According to the DHS alert, the attackers behind Backoff scan the Internet for computers exposing remote desktop tools, which let a user control one machine from another over the network. Examples include Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop and LogMeIn. Like most companies, banks have employees who use these tools. When the attackers find a reachable remote desktop service, they try to break in through it. Malware of this kind also reaches employee machines through phishing (an email prompting the user to click a link that downloads the malware) or a "drive-by download," in which a user browsing the Internet lands on a compromised site that pushes malware onto her computer.

"With the rise of remote employees, there will be security issues," warned Jerome Segura, senior security researcher at Malwarebytes Labs, the research arm of the anti-malware company. "You're in a situation where you have too many people who have too many privileges, and there's not much control of these people's computers and devices. They're not always well-protected with antivirus and antimalware software. That's opening up a can of worms for any organization that allows remote workers."

Remote desktop tools are designed for use within a network, not across the Internet, noted Camejo. Some have security settings that provide encryption and authentication, but more often than not those settings are left off. In an assessment, if NTT technicians see a remote desktop service exposed to the Internet, they flag it.

"If you compromise a desktop, you now own a computer within your target organization, you've got the screen, the keyboard and the mouse and you're sitting there inside someone else's office," Camejo said. "The consequences of one of these things getting breached are really nasty."

A key issue here for banks is managing their networks properly. "You never want to have an infrastructure component be publicly accessible," said Joe Schumacher, senior security consultant at Neohapsis, a security and risk management consulting company. "You want to have a VPN that your employees log into with two-factor authentication, and then from there access the remote desktop. That's the ideal world."

Once the attackers find a remote desktop service, they try to guess its password by running through a dictionary of common passwords until one works, a brute-force login attack. The DHS alert describes exactly this pattern: remote desktop credentials guessed by brute force, then Backoff installed on the systems reached. From there, the attackers move on to the point-of-sale terminals.
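As an added example (not from the article or the DHS alert), here is the check a bank's security team could run over Windows Security logs to spot the dictionary attack just described: count failed Remote Desktop logons (Event ID 4625 with Logon Type 10) per source address inside a sliding time window, and mark any flagged address that later logs on successfully, since that is the sign the guessing worked. The flattened one-line format and the log lines themselves are constructed for the example; the event IDs and logon type are Windows' own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed flattened format (these are NOT real logs).
# In the Windows Security log, Event ID 4625 is a failed logon and 4624 a successful one;
# Logon Type 10 (RemoteInteractive) is what a Remote Desktop session produces.
SAMPLE_LOG = """\
2014-08-05T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-08-05T02:14:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2014-08-05T02:14:05Z EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.7
2014-08-05T02:14:06Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1
2014-08-05T02:14:08Z EventID=4625 LogonType=10 TargetUser=pos1 SourceIP=203.0.113.7
2014-08-05T02:14:11Z EventID=4625 LogonType=10 TargetUser=pos2 SourceIP=203.0.113.7
2014-08-05T02:14:14Z EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.7
2014-08-05T02:15:10Z EventID=4624 LogonType=10 TargetUser=pos SourceIP=203.0.113.7
2014-08-05T02:20:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.44
2014-08-05T09:20:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.44
2014-08-05T09:20:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               int(m["event"]), int(m["ltype"]), m["user"], m["ip"])


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {source_ip: {"failures": n, "users": [...], "success_after": bool,
    "compromised_user": str | None}}. A successful logon from a flagged IP after the
    burst is the strongest signal: the dictionary attack found a working password.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed RDP logons still inside the window
    users = defaultdict(set)      # ip -> user names tried from that ip
    alerts = {}
    for ts, event, ltype, user, ip in parse_events(log_text):
        if ltype != 10:           # only Remote Desktop logons are of interest here
            continue
        if event == 4625:
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": [],
                                           "success_after": False, "compromised_user": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = sorted(users[ip])
        elif event == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["compromised_user"] = user
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

With the defaults, 203.0.113.7 is flagged (six failures against five different accounts in under a minute, then a successful logon as "pos"), while 192.0.2.44, whose two failures are seven hours apart, is not; widening the window and lowering the threshold changes that, so tune both to the bank's own logon patterns before alerting on them.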

POS machines are often exposed to the Internet because their owners don't want the extra cost and management overhead of VPN software, Schumacher said.

Once on a POS terminal, Backoff scrapes the "track" data from each card's magnetic stripe out of the memory of the payment application as shoppers swipe, and it can also log keystrokes (for example, debit card PINs, where those are typed on the terminal's keyboard rather than a separate PIN pad). That information is sent to a command-and-control server run by the perpetrators, who sell it or use it to clone cards. Visa and MasterCard typically make banks eat the losses from such fraud; the banks then have to try to recoup the money from the breached merchant.
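The scraping works because magnetic-stripe track data has a fixed layout: track 1 runs `%B<PAN>^<name>^<YYMM><service code>...?` and track 2 runs `;<PAN>=<YYMM><service code>...?`. A memory scraper searches process memory for those sentinels and keeps only hits whose account number passes the Luhn check, which throws away most false positives; an egress monitor or forensic triage script can use the very same patterns to find card data where it should not be. The scanner below is an added example, not Backoff's code: the memory buffer, the account numbers (standard test numbers) and the expiry dates in it are constructed.

```python
import re


def luhn_valid(pan):
    """Luhn check-digit test; scrapers use it to drop digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Track 1 (format B): %B<PAN>^<NAME>^<YY><MM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")
# Track 2: ;<PAN>=<YY><MM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,30}\?")


def mask_pan(pan):
    """Keep the first six and last four digits, as a finding report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf):
    """Return Luhn-valid track 1/track 2 records found in a byte buffer, ordered by offset."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_valid(pan):
                continue  # sentinel layout matched, but the number is not a real PAN
            if track == 1:
                yy, mm, service = (m.group(i).decode("ascii") for i in (3, 4, 5))
            else:
                yy, mm, service = (m.group(i).decode("ascii") for i in (2, 3, 4))
            findings.append({"track": track, "offset": m.start(), "pan": mask_pan(pan),
                             "expiry": f"{mm}/{yy}", "service_code": service})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed stand-in for a dump of a POS process's memory (NOT a real capture).
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POS.exe transaction log v2.1\r\n"
    + b"%B5555555555554444^DOE/JANE^1512101000000000?"   # track 1, Luhn-valid test PAN
    + b"\x00\xff" * 8
    + b"err ;1234567890123456=15121010000?"              # track 2 layout, but fails Luhn
    + b"\x90" * 4
    + b";4111111111111111=15121011234567890?"            # track 2, Luhn-valid test PAN
    + b"\x00" * 8
)

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_MEMORY):
        print(f)
```

Run as written, the scan reports the two genuine records (masked) and silently drops the look-alike whose number fails the Luhn test; the same function pointed at a captured outbound request body is a crude but effective data-loss check for a merchant network.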

Backoff's ability to record keystrokes could also be used to break into a commercial bank account.

"You find somebody who's in accounts payable, you wait until they go to the bank's website and you punch in the user name and password and wire some money out," Camejo said. Often the money is sent to Eastern Europe. "Once that money's gone, it's gone. You're not getting it back," he said.

The malware could also start hunting for other valuable stuff to steal.

"Once a machine is infected, it is a resource and can be used for multiple purposes," said Segura. "In addition to trying to harvest passwords, Backoff might put the machine into a botnet so it could in turn generate more spam or help launch distributed denial of service attacks."

Banks can also be affected by Backoff through their non-merchant customers. An online banking user with a Windows 7, 8 or XP computer could be targeted through the Remote Desktop feature built into those systems if it has been turned on and left reachable from the Internet. If Backoff gets onto the machine, it can lurk, monitoring keystrokes, until the user logs into a banking site, Segura said. Then it could capture those keystrokes or inject custom-made messages into the browser so the user is tricked into entering more details. This is very similar to the Zeus banking Trojan.

XP machines are particularly vulnerable to this and other types of cyberfraud because Microsoft is no longer sending out security patches for the retired operating system. Many POS terminals run Windows XP; retailers with aged machines often find the cost of replacement too steep.

The top measure to protect a bank from Backoff is to inventory the remote desktop services in use and put every one of them behind a firewall, Camejo said.

"An employee might see a commercial for logmein.com and set it up on their workstation and IT has no idea it's even out there," he said.

Next is to put in place a virtual private network with two-factor authentication, so that remote desktop sessions are only reachable after a VPN login.

"Some employees are supposed to be working from home but might be working at Starbucks," Segura pointed out. "Public wifi is a big issue."

Requiring strong passwords helps deflect brute-force attacks; so does locking accounts after a small number of failed logon attempts, which the DHS alert also recommends.

The monitoring of outbound network traffic is also important, Segura said. "Outbound traffic is where you'll see data exfiltration."
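Outbound monitoring works against this kind of malware because its reports to the command-and-control server (HTTP POST requests, in the DHS description of Backoff) run on a timer: a point-of-sale host that POSTs to the same external host every N seconds with similar payload sizes looks nothing like a person browsing, whose requests come in irregular bursts. The detector below is an added example, not from the article or the alert. It measures the regularity of the gaps between requests from each client to each destination (standard deviation divided by the mean) and flags the clock-driven ones; the proxy log format, hostnames and addresses are constructed, and the "POST only" filter is a parameter rather than a property of the malware.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/egress log lines in an assumed format (NOT real traffic):
# <timestamp> <client_ip> <method> <host> <path> <status> <bytes_out>
SAMPLE_PROXY_LOG = """\
2014-08-05T02:00:00Z 10.20.30.40 POST checkin.example.net /api/report 200 612
2014-08-05T02:00:10Z 10.20.30.41 GET www.example.com / 200 0
2014-08-05T02:00:12Z 10.20.30.41 GET www.example.com /css/site.css 200 0
2014-08-05T02:00:45Z 10.20.30.40 POST checkin.example.net /api/report 200 598
2014-08-05T02:01:30Z 10.20.30.40 POST checkin.example.net /api/report 200 640
2014-08-05T02:02:15Z 10.20.30.40 POST checkin.example.net /api/report 200 605
2014-08-05T02:03:00Z 10.20.30.40 POST checkin.example.net /api/report 200 621
2014-08-05T02:03:05Z 10.20.30.41 GET www.example.com /news 200 0
2014-08-05T02:03:45Z 10.20.30.40 POST checkin.example.net /api/report 200 599
2014-08-05T02:09:00Z 10.20.30.41 POST www.example.com /search 200 87
2014-08-05T02:30:00Z 10.20.30.41 GET www.example.com /about 200 0
2014-08-05T02:31:00Z 10.20.30.41 POST www.example.com /login 302 210
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, method, host, path, status, bytes_out) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3], parts[4], int(parts[5]), int(parts[6])


def detect_beacons(text, min_requests=5, max_cv=0.2, methods=("POST",)):
    """Flag (client, host) pairs whose outbound requests are regularly spaced.

    cv is the coefficient of variation (population stdev / mean) of the gaps between
    consecutive requests: human browsing is bursty (cv well above 1), while a malware
    check-in loop produces nearly constant gaps (cv near 0).
    """
    series = defaultdict(list)  # (client, host) -> [(timestamp, bytes_out), ...]
    for ts, client, method, host, _path, _status, nbytes in parse_proxy_log(text):
        if method in methods:
            series[(client, host)].append((ts, nbytes))
    alerts = []
    for (client, host), reqs in series.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            alerts.append({"client": client, "host": host, "requests": len(reqs),
                           "interval_s": round(mean, 1), "cv": round(cv, 3),
                           "bytes_out": sum(n for _, n in reqs)})
    return alerts


if __name__ == "__main__":
    for a in detect_beacons(SAMPLE_PROXY_LOG):
        print(a)
```

On the sample, only 10.20.30.40's 45-second POST cadence to checkin.example.net is flagged; the workstation browsing www.example.com is not, even when GET requests are included. Real check-ins often add random jitter to the interval, so in production raise max_cv gradually and rank alerts by bytes_out and by how unusual the destination is for that host.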

But antimalware software, the most obvious antidote to malware, is of limited use here, Camejo said. Antivirus does stop the "50% of low-hanging, easy attacks," but it didn't pick up on the first wave of Backoff.

"Now there will be a cat-and-mouse game in which antimalware vendors will put signatures for this in, then the bad guys will alter [Backoff] so it bypasses those signatures, and back and forth," Camejo said. Cybercriminals are generally quicker at adjusting malware to bypass antimalware than antimalware software companies are to update their software to find the new threat, he noted.
