
How To Protect Your Organization From Backoff Malware

Backoff malware is giving retailers a new cyber threat to worry about. Instances of this attack have been traced back as far as late 2013, and security researchers digging into Backoff's reach have reported that the massive Target breach involved something in the Backoff-style family (at least three variants are known; which, if any, was used against Target remains unclear). Sneaky and durable, Backoff is exactly the kind of malware retailers should work to avoid.

What Is Backoff Malware?

Backoff is point-of-sale malware designed to get a foothold in a retailer's network and harvest payment-card data. Unlike much malware, it does not arrive through an infected web site or a suspicious link. As described in the US-CERT alert on Backoff (TA14-212A), the attackers behind it locate remote desktop services that are reachable from the Internet, guess their passwords by brute force, and then install Backoff on the systems they reach; the malware itself does not crack anything, it is installed by an operator who has already logged in. Any remote access product protected by a weak or default password is a viable entry point. Those reported in the Backoff campaigns include LogMeIn's Join.Me, Splashtop 2 and the popular remote desktop tools from Apple, Google and Microsoft.

Once the attackers hold a working remote desktop login, they use that trusted account or connection to gain additional access and seek out point-of-sale and similar systems where card data is handled. Backoff is installed there and scrapes card track data from the memory of running processes. Backoff also injects a small stub into Windows Explorer (explorer.exe) that watches the main executable and relaunches it if the process is killed, and it registers itself to start again after a reboot. This makes it frighteningly resilient: deleting the file or stopping the process is not enough, because the stub simply starts it again, even when stringent efforts to scrub it from the system are under way.


How Will It Impact Retailers?

Backoff's method of entry and ongoing durability spotlight the weak security posture present in many firms. Lackluster password practices, particularly for administrator and other privileged accounts, are the primary issue in light of Backoff. Default and weak passwords on remote desktop logins that face the Internet remain in widespread use, and they make the attacker's job far too easy.

The reported number of affected retailers is currently around 600, and some breaches lasted for months before they were discovered. Given the very real threat posed by Backoff, implementing a thoughtfully designed data security plan must become a top priority for retailers. If a company's security program amounts to the IT department installing antivirus on all computers, firewalls and web filtering, that company is poorly positioned. Defending against the sophisticated attacks aimed at retailers requires security-specific expertise, not just a handful of off-the-shelf tools.

Protecting Against Backoff

Because Backoff and its current variants get in through remote desktop platforms, retailers should immediately tighten security around every remote desktop tool in use in their organization. Start by finding all of them, including any a POS or service vendor installed for support; remove any that are not needed and restrict the rest to a small group of users. Those tools should not be reachable directly from the Internet: put them behind a VPN, limit the addresses allowed to connect, and require two-factor authentication where the product supports it. Only individuals whose jobs require remote desktop functionality should have it, and those individuals should be held to strictly enforced password policies.

Weak passwords are a cyber criminal's dream, so boost your password protocols right now. First, require that all login credentials follow password best practices: more than nine characters, with both upper- and lower-case letters as well as numbers. Train employees not to use dictionary words (or close approximations such as "h3ll0") as passwords. Next, institute policies that require passwords to be changed on a regular basis (every six months if possible) and that do not allow passwords to be reused. Most important in defending against Backoff, because its operators get in by guessing remote desktop logins, is to lock an account after five incorrect passwords. One caveat: on a remote desktop service exposed to the Internet, a lockout policy lets anyone who can reach the login prompt lock your own staff out by guessing on purpose, which is one more reason to keep those services off the Internet. Have your systems alert when accounts lock (on Windows this is Security event 4740) and when a single source piles up failed logons (event 4625), so you notice an account under attack even while the attack is still failing; then you can find the source and block it before a guess succeeds. Finally, check every existing administrator account to ensure none still uses the default password.
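The lockout and failed-logon alerting described above can be prototyped offline. The Python script below is an added example written for this article, not code from the original piece or from any vendor. It parses a constructed text export of Windows Security events (the log lines are made up for the illustration, not captured from a real host), flags any source address that racks up five or more failed remote logons inside a five-minute window, and lists account lockouts. The field names (TargetUser, LogonType, SourceIp, CallerComputer) follow one plausible SIEM export layout and are an assumption; adjust the regular expression to match what your log collector actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real system).  One event per line:
# timestamp, event ID, then key=value fields as a SIEM text export might
# produce them.  4625 = failed logon, 4740 = account locked out.  Logon
# type 10 is RemoteInteractive (RDP); with Network Level Authentication a
# failed RDP attempt is logged as type 3 (Network) instead, so both count.
# Status 0xC000006D = bad user name or password, 0xC0000234 = locked out.
SAMPLE_LOG = """\
2014-08-05T02:14:03 4625 TargetUser=administrator LogonType=10 Status=0xC000006D SourceIp=203.0.113.45
2014-08-05T02:14:05 4625 TargetUser=administrator LogonType=10 Status=0xC000006D SourceIp=203.0.113.45
2014-08-05T02:14:08 4625 TargetUser=administrator LogonType=3 Status=0xC000006D SourceIp=203.0.113.45
2014-08-05T02:14:11 4625 TargetUser=administrator LogonType=3 Status=0xC000006D SourceIp=203.0.113.45
2014-08-05T02:14:14 4625 TargetUser=administrator LogonType=10 Status=0xC000006D SourceIp=203.0.113.45
2014-08-05T02:14:17 4625 TargetUser=administrator LogonType=10 Status=0xC000006D SourceIp=203.0.113.45
2014-08-05T02:14:18 4740 TargetUser=administrator CallerComputer=POS-LANE-03
2014-08-05T02:14:20 4625 TargetUser=administrator LogonType=10 Status=0xC0000234 SourceIp=203.0.113.45
2014-08-05T07:30:02 4625 TargetUser=jsmith LogonType=10 Status=0xC000006D SourceIp=198.51.100.7
2014-08-05T07:30:40 4625 TargetUser=jsmith LogonType=10 Status=0xC000006D SourceIp=198.51.100.7
2014-08-05T09:01:11 4625 TargetUser=mlee LogonType=2 Status=0xC000006D SourceIp=-
"""

# Assumed export layout: "<ISO timestamp> <event id> key=value key=value ..."
LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(.*)$")
REMOTE_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Turn the text export into dicts carrying a datetime 'ts', an int 'id'
    and the remaining key=value fields as strings."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an event line
        ts, event_id, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["id"] = int(event_id)
        events.append(fields)
    return events


def guessing_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed remote logons inside any
    span of length `window`.  Returns {ip: (failures, first_ts, last_ts)};
    the failure count keeps growing while the source stays active."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 4625 or ev.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue  # local console failures are a different problem
        ip = ev.get("SourceIp", "-")
        if ip == "-":
            continue
        q = recent[ip]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()  # slide the window forward
        if len(q) >= threshold:
            first = flagged[ip][1] if ip in flagged else q[0]
            flagged[ip] = (len(q), first, ev["ts"])
    return flagged


def lockouts(events):
    """Account lockout events (4740): the alert the article asks for."""
    return [(ev["ts"], ev["TargetUser"], ev.get("CallerComputer", "?"))
            for ev in events if ev["id"] == 4740]


def analyse(text, **kwargs):
    """Run both checks over one export and return the findings."""
    events = parse_events(text)
    return {"guessing": guessing_sources(events, **kwargs),
            "lockouts": lockouts(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, (n, first, last) in result["guessing"].items():
        print(f"ALERT password guessing from {ip}: {n} failed remote logons "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for ts, user, caller in result["lockouts"]:
        print(f"ALERT account {user} locked out at {ts:%H:%M:%S} "
              f"(reported by {caller})")
```

Run as is, the sample produces two alerts: the burst of failures from 203.0.113.45 against the administrator account, and the lockout that follows it; the two failures from 198.51.100.7 stay below the threshold, and the console failure with no source address is ignored. In practice you would feed the script the 4625/4740 events from your log collector, set the threshold to match your lockout policy, and treat a lockout with no matching failures from an internal address as a sign that the guessing is coming from outside.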

Conduct a security assessment, ideally using an outside security professional, to identify weaknesses that Backoff's operators could exploit and to look for places where the malware may already be present on existing systems. Review your vendors' security policies and practices as well. As retailers increasingly rely on cloud-based services and other suppliers with access to the network, those providers must protect your information with the same diligence you apply yourself, or they become a "side door" into your network.

Responding To A Backoff-Related Breach

Partnering with an experienced incident response team is a crucial first step toward determining what happened, eradicating the malware and restoring operations. Other recommended measures include:

  1. Document everything you know about the breach. Your team should record dates, observed deviations from the baseline, the system(s) affected, the data compromised, the actions taken, and so on. This information will be crucial as you work to identify and remove the malicious code and prevent further losses. Call the incident response team immediately so they can guide the initial actions. In particular, do not simply power off an infected computer: shutting it down erases valuable evidence held in memory, and it may tip off an attacker with a presence elsewhere on the network that they have been discovered, prompting destructive action.

  2. Create a strong public-facing communications plan. Messages you send to consumers should be concise and clear, and provide the kind of information recipients will be looking for. Previous high-visibility breaches were bungled through poor handling of public announcements and email messages to affected customers, causing confusion and frustration. If your organization does not have a PR team with experience in crisis communications, partner with an experienced firm that can protect your brand's reputation as you work to inform customers of the event.

  3. Look for additional support. Contact your business insurance agent or carrier to determine whether your organization's existing policies cover breach response activities, such as notifying customers or taking remediating actions, and to evaluate whether you have, or need, coverage for legal and other fees.

Deena Coffman is Chief Executive Officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the Chief Operating Officer for the cybersecurity and information assurance practice at Johnson & Johnson. She also held the position of discovery director, responsible for the secure management of evidence and compliance with global data privacy directives. She earned an MBA from Cornell University’s S.C. Johnson Graduate School of Management, an MBA from Queen’s University in Kingston, Ontario, and a BA in management from the University of Illinois.
