More than 1,000 merchants have been hit by the Backoff malware, which was “detected in October 2013 and was not recognized by antivirus software until August 2014,” according to a joint statement issued Friday (Aug. 22) by the U.S. Department of Homeland Security and the U.S. Secret Service.
“Seven POS systems providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, including private sector entities of all sizes, and the Secret Service currently estimates that more than 1,000 U.S. businesses are affected,” the statement said. “DHS strongly recommends actively contacting your IT team, antivirus vendor, managed service provider and/or POS vendor to assess whether your assets may be vulnerable and/or compromised.”
This is the same malware that hit Target, Supervalu and UPS, according to The New York Times. “The attacks were much more pervasive than previously reported, the advisory said, and hackers were pilfering the data of millions of payment cards from American consumers without companies knowing about it,” the Times reported. “The breadth of the breaches, once considered limited to a handful of businesses, underscored the vulnerability of payment systems widely used by retail stores across the country.”
Remote access apps, which have been the point of entry for so many retail POS attacks, are also the likely entry point here, with the Secret Service specifically referencing Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn.