The recently discovered Backoff is very likely to be used by attackers

Aug 21, 2014 07:54 GMT  ·  By

On Wednesday, UPS announced its customers that the systems of 51 of their franchised center locations, in 24 states, have been compromised by malware stealing credit and debit card details.

The company received a government bulletin that informed of a point-of-sale (PoS) threat affecting multiple retailer across the US, and which went undetected by antivirus solutions.

After analyzing their systems, the company determined that multiple locations were infected by the malware described in the government bulletin.

They asserted that details about credit and debit cards useds at one of the 51 affected locations between January 20, 2014 and August 11, 2014 has been exposed to unauthorized individuals.

The information exposed consisted in names, postal addresses, email addresses and payment card details, but not all of them were attached to each affected customer.

However, in the announcement of the incident, UPS says that in most cases “the period of exposure to this malware began after March 26, 2014.”

On August 11, the malware, which is believed to be the recently discovered Backoff, has been removed from all impacted UPS locations and customers were able to make purchases securely from then on.

“As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident,” says Tim Davis, president of The UPS Store, Inc in a communication.

The network of UPS stores comprises a total 4,470 franchised center locations throughout the United States, the 51 stores involved in the incident representing about one per cent.

According to the company, franchised centers run on independent private networks, separate from other centers of the same kind.

"Same as with the recent Community Health System breach, this is another example of how persistent attackers were able to successfully plant their attack tool. Enterprises are now coming to a conclusion that they are either already compromised, or will soon be. It's not a matter of 'if', it's a matter of 'when'," Aviv Raff, chief researcher at Seculert, told us via email.

Ars Technica was tipped off by a reader that sent them a copy of the government bulletin received by UPS. It is dated July 31, a date that coincides with an alert issued by US CERT (Computer Emergency Readiness Team) about Backoff PoS malware infecting on various US retailers’ payment devices.

The bulletin includes an analysis of the malware, performed by security resarchers from Trustwave Spiderlabs, also consistent with the CERT announcement at the end of July.

Backoff and its variations have been detected since at least October 2013 and it is equipped with memory scraping capabilities, which allows extraction of sensitive information available in the memory of the system.

The report says that threat actors scan the systems for the presence of a remote desktop protocol and then abuse its log-in with brute-force attacks in order to find the credentials.

Apart from scraping memory for track data, the malware can also record key strokes and communicate with a command and control server.

US CERT's advisory notes that “at the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.”

However, after the publication of the report, more and more antivirus vendors updated their malware detection mechanisms to catch this type of threat and its variants.