This new malware is inserted through the use of remote access clients that are allowed to pass through a firewall for direct access from the outside world. The “bad guys” look for common remote access ports like 3389 for Microsoft’s remote desktop protocol and then run a simply dictionary attack to see if the passwords used are in common use. Once they gain access they drop in their malware that can capture credit/debit card swipes and transaction. As we told you during Black Hat, the developers of Backoff have even added in keylogging to make sure that they can capture information even if it is manually typed in. They may also be using this to move laterally inside the networks they have compromised, but this has not been verified yet.
Now, the use of direct remote access into ANY network is a bad thing and one that is supposed to be covered by PCI (Payment Card Industry) compliance laws. We are not sure how these organizations are still doing business if they are allowing their vendors direct access into their POS (Point of Sale) systems from outside and are using weak passwords to protect them. The sad fact that 1,000 businesses have been hit by this shows just how bad things are and how often the requirements of regulations designed to protect consumer data is ignored.
According to the PCI council: “If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards”. You are also required to undergo routine checks to ensure that you are up to standards. We wonder how many of the 1,000 victims here were getting their quarterly checks and were following standards outlined by PCI?
In the end, until there is a serious financial penalty the industry is unlikely to change. Vendors will push on smaller (and larger) businesses for easier access and companies that do not want to spend the money on the proper security hardware or services will simply hand over the keys. Yes security is a pain in the ass, but in the end it is the responsibility of the business in question to ensure that the data of their customers is properly protected. The down side is that there does not seem to be any real consequences for not doing so even when publicly shamed after a breech. Keep this in mind the next time you swipe your card at any store. It is a thought that should worry you to say the least.
Tell us your thoughts in our Forum