Skip to main content

What You Need to Know About Backoff Malware: the New Threat Targeting Retailers

Written by Jake Romero, CIPP

The phrase “back off” is an implied threat typically reserved for bumper stickers and mud flaps, but if you are a retailer that permits the use of remote desktop applications in your business, the name Backoff should be considered much more intimidating.   According to a report released by the U.S. Department of Homeland Security, technology that is widely used to allow employees to work from home or permit IT and administrative personnel to remotely maintain systems is being exploited by hackers to deploy point-of-sale (PoS) malware that is designed to steal credit card data.  Of particular concern is the fact that Backoff malware, which Homeland Security estimates has been around since October 2013, had a “low to zero percent anti-virus detection rate” at the time it was discovered, meaning that even systems with fully-updated and patched anti-virus software would not be able to identify Backoff as malicious malware.  According to the security experts at Kroll, hundreds of retailers may have already been affected without their knowledge.

How Backoff Works

At the onset, hackers scan corporate networks for remote access software, such as Microsoft’s Remote Desktop, Apple Remote Desktop or LogMEIn Join.Me, just to name a few.  These programs operate by constantly listening for communications from remote desktop users seeking access.  Many remote desktop applications listen over standardized ports, so finding the remote desktop signal is not as difficult as one would expect.  When a signal is detected, the hackers use brute force attacks to obtain login credentials and deploy the malware.  The variations of Backoff reviewed by Homeland Security were enabled with a variation of four functions: (i) scraping memory for track data, (ii) logging keystrokes, (iii) Command & Control (C2) communication (this uploads discovered data and updates the malware) and (iv) injecting malicious stub into explorer.exe (this maintains the malware in the event that it crashes or is forcefully stopped).

Once Backoff has been deployed, the malware begins exfiltrating consumer payment data using encrypted POST requests.  Many remote desktop applications are pre-configured to provide high levels of access to privileged users, so hackers are able to use that trusted status to compromise the network without being detected.  For example, in the Target breach that exposed payment card data for millions of individuals, hackers were able to obtain access through accounts intended to remotely maintain refrigeration, heating and air conditioning.

What You Can Do To Mitigate Risk

The Homeland Security report includes a detailed list of actions that can be taken to keep your data safe and mitigate risk to PoS systems from Backoff malware.  Although the full list is worth reviewing, here we have included a list of crucial steps that you should consider taking immediately:

  • Require Strong Passwords and Lock Out Repeated Unsuccessful Login Attempts.  The unfortunate reality is that most users, when given broad deference to craft and select passwords, select passwords that are not just bad, they’re “really, really bad”.  Mandating levels of password length and complexity, as well as configuring expiration times for passwords, can help ward off or minimize the effect of a brute force attack.  In addition, systems should be configured to lock out repeated unsuccessful attempts.
  • Use Multi-Factor Authentication.  In addition, consider implementing a two-factor authentication procedure.  Multi-factor authentication procedures add an extra layer of protection by combining two or more types of credentials; typically a password along with a security token or biometric verification.
  • Limit Users and Access.  Consider limiting the number of users who can access desktops remotely and workstations with access.  Homeland Security also recommends reviewing the levels of access granted to remote users to the number of users who receive administrative privileges to only those individuals who truly need it.  In addition, consider limiting the functions of PoS terminals to ensure that those terminals are not used for secondary functions like email or web browsing that can open the terminal up to attack.
  • Change the Default Remote Desktop Listening Port.  As noted above, the default port used by many remote desktop applications can make it easy for hackers to locate the signal and exploit it.  Changing the default listening port can make your remote desktop application more difficult to locate.

Finally, periodically review systems for unknown users.  Although Homeland Security is working with a number of other parties to make Backoff malware detectable, perhaps the most important takeaway is that hackers are constantly looking for new ways to compromise technology.  Ultimately there is no substitute for an organized mitigation strategy and constant vigilance.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.