Visibility of network POS traffic leads to quicker detection

Oct 24, 2014 10:51 GMT

Backoff POS malware has made a lot of ripples lately, with multiple variants being leveraged in attacks on different retailers in the US, leading to an increased number of incidents associated with it.

One of the most recent confirmations of Backoff POS malware compromising payment processing systems comes from Dairy Queen, which suffered a card breach at 395 of its stores and one Orange Julius location in August.

The malware has been used so aggressively that it prompted an advisory from the Department of Homeland Security (DHS) towards the end of August, warning that over 1,000 businesses had been impacted by Backoff.

Retailers are often alerted by third parties about POS infections

A report from Damballa, a company that offers solutions for preventing data breach incidents, shows that the number of Backoff infections surged significantly in the third quarter of the year.

By inspecting POS traffic in multiple customer environments, the security firm detected a 57% increase in infections caused by the POS malware in the month of August alone; the trend continued through September with a further 27% rise.

Security researchers note that many POS systems are installed on the local store network, which does not benefit from the rigorous scrutiny corporate network traffic enjoys. This lets the malware persist undetected, allowing attackers to exfiltrate card data for long periods, in many cases months.

In some cases, retailers are completely unaware that data is leaking from their payment processing systems and learn about the compromise from third-party organizations such as law enforcement agencies, financial institutions or actors in the security industry.

Centralized POS traffic inspection can reduce POS malware impact

Damballa says that two aspects of the Backoff infections it observed stand out. The first is that the malware bypassed the network prevention controls and remained stealthy and active.

The second concerns its detection, which was possible only because the network was configured in a way that made the POS traffic visible.

“Reducing the dwell time from when intrusions are detected to when they are contained is critical,” the report says.

In most card breach incidents caused by POS malware, the locations impacted were geographically dispersed and run independently, as franchises. This hinders both intrusion detection and the subsequent investigation.

One solution proposed by Damballa to reduce the risk posed by Backoff and other POS malware is to build an infrastructure that centralizes POS traffic from multiple locations so it can be monitored in one place. Another is to connect the stores to the corporate network over site-to-site VPN.

However, monitoring all outbound network communication this way could prove costly for companies; a cheaper alternative is to forward only the DNS traffic from the retail locations to the corporate network, where it can be inspected.