First signs of infection were fraudulent card activity reports from clients

Aug 21, 2014 16:57 GMT  ·  By

The Mizado Cocina restaurant in New Orleans discovered that their payment systems leaked credit and debit card information to an unknown intruder using the Backoff point-of-sale (PoS) malware.

The incident became known to the restaurant after a third-party forensic investigation company informed them on July 31 that an attacker installed malicious software on their systems, with the intent to steal credit card information from their customers.

Earlier signs of the intrusion were also recorded by the restaurant, as clients reported fraudulent transactions soon after dining at Mizado Cocina.

The forensic investigation confirmed that the payment systems had been infected with malicious software, and the affected hardware was replaced.

Analysis of the breached system showed that the affected cards, belonging to about 8,000 individuals, had been processed by the infected PoS between May 9 and July 18.

In a public communication, the restaurant said that customer names, card numbers, expiration dates and CVV security codes were compromised during the incident.

Starting May 9, Backoff scraped card data from the payment system's memory (RAM scraping), where the data is briefly held unencrypted while a transaction is processed, and sent it to the attackers.

Backoff is a relatively new malware family: US-CERT published an advisory on July 31 noting that antivirus detection for it was low to non-existent at the time, so signature-based defenses would have given the restaurant little chance of catching the infection earlier. After the advisory was published, antivirus vendors began adding signatures for it.

Security researchers at Trustwave SpiderLabs analyzed the malware and found that, apart from memory scraping, Backoff also includes a keylogger and communicates with a command and control (C&C) server.

Attacks delivering Backoff start with scans for ports typically used by remote desktop applications; once an exposed service is found, the attackers brute-force its login credentials and, with a valid account in hand, gain full access to the system and install the malware.
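The brute-force stage is the one a defender can see before any card data leaves the building. The following is an added example (not from the article or from any vendor's product) of detection logic run over Windows Security log events: it counts failed logons (event 4625) with LogonType 10, the value Windows records for RemoteInteractive/RDP sessions, per source IP in a sliding window, and raises a second, higher-priority alert when a successful logon (event 4624) arrives from an IP that has already crossed the threshold. The one-line-per-event text format and the sample events in `sample_log()` are constructed for this example; the event IDs and logon type are real Windows values, the addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flat format; a real pipeline would parse EVTX/XML or a SIEM export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
RDP_LOGON_TYPE = 10          # RemoteInteractive (RDP / Terminal Services)
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624


def parse_line(line: str):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "eid": int(m["eid"]),
            "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window RDP brute-force detector.

    Emits 'rdp_bruteforce' once per source IP when it reaches `threshold`
    RDP logon failures inside `window`, and 'rdp_success_after_bruteforce'
    for every later RDP success from a flagged IP (the likely compromise).
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, target user)
    flagged = {}                    # ip -> time the threshold was crossed
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["lt"] != RDP_LOGON_TYPE:
            continue                # console/network logons are out of scope here
        ip = ev["ip"]
        if ev["eid"] == FAILED_LOGON:
            dq = failures[ip]
            dq.append((ev["ts"], ev["user"]))
            while dq and ev["ts"] - dq[0][0] > window:
                dq.popleft()        # expire failures outside the window
            if len(dq) >= threshold and ip not in flagged:
                flagged[ip] = ev["ts"]
                alerts.append({"type": "rdp_bruteforce", "ip": ip,
                               "failures": len(dq), "at": ev["ts"],
                               "users": sorted({u for _, u in dq})})
        elif ev["eid"] == SUCCESS_LOGON and ip in flagged:
            alerts.append({"type": "rdp_success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


def _line(ts, eid, lt, user, ip):
    return f"{ts.strftime(TS_FMT)} EventID={eid} LogonType={lt} TargetUser={user} SourceIP={ip}"


def sample_log():
    """Constructed events: one password-guessing burst, one staff typo, one console failure."""
    base = datetime(2014, 5, 9, 3, 14, 0)
    names = ["administrator", "admin", "pos", "user", "backup", "guest"]
    lines = [_line(base + timedelta(seconds=10 * i), FAILED_LOGON, RDP_LOGON_TYPE,
                   names[i % len(names)], "203.0.113.7") for i in range(12)]
    lines.append(_line(base + timedelta(minutes=3), SUCCESS_LOGON, RDP_LOGON_TYPE, "admin", "203.0.113.7"))
    lines.append(_line(base + timedelta(minutes=4), FAILED_LOGON, RDP_LOGON_TYPE, "manager", "198.51.100.2"))
    lines.append(_line(base + timedelta(minutes=4, seconds=20), FAILED_LOGON, RDP_LOGON_TYPE, "manager", "198.51.100.2"))
    lines.append(_line(base + timedelta(minutes=4, seconds=30), SUCCESS_LOGON, RDP_LOGON_TYPE, "manager", "198.51.100.2"))
    lines.append(_line(base + timedelta(minutes=5), FAILED_LOGON, 2, "manager", "192.0.2.10"))
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(a)
```

The success-after-burst alert is the one to page on: a burst alone may be background internet noise against any exposed RDP port, but a valid logon from the same source is exactly the foothold described above. The threshold and window are tuning knobs; the more robust fix is not exposing the remote access service to the internet at all, and requiring a second factor where remote support genuinely needs it.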

The C&C channel is used not only to exfiltrate scraped data but also to deliver updated versions of the malware, along with instructions to remove previous builds.

For persistence, the malware author added the ability to inject a malicious stub into explorer.exe.

Mizado Cocina has notified the affected customers and is offering them one year of complimentary “fraud alert” services from the major US credit bureaus.

“Since being advised of the security compromise of our point of sale system, we have worked on an urgent and continuous basis with the appropriate law enforcement authorities, credit card processors and forensic experts to investigate the security compromise and ensure the protection of our guests’ credit and debit card information,” said Chris Rodrigue, CEO of Taste Buds Management, operator of Mizado Cocina, in a statement.