The Backoff point of sale (POS) malware, which has become infamous after being linked to several high-profile retail breaches, appears to have its targets validated by its operators through internet-exposed IP video cameras.
Using webcams to spy on people, places and things has been part of the hacker lexicon for some time. According to RSA, the people behind Backoff have been using exposed surveillance camera services as a signal that a machine with an open Remote Desktop (RDP) service belongs to a business, and is therefore likely to be a POS device rather than a home PC.
The goal of Backoff is to identify and steal credit card and transaction data through the same memory scraping mechanisms seen in other POS malware such as Alina, BlackPOS and Dexter: the malware reads the memory of running processes and searches it for magnetic-stripe track data before the POS software has a chance to encrypt it. As usual, the malware uploads the collected data to a hardcoded command and control (C2) server, which can also instruct the malware to update itself or to download and install other malware.
But a question remained, RSA researchers wrote in their paper: "How were they able to determine if a target computer belongs to a business or a store?" and "whether a targeted IP actually belongs to a business and not just an RDP service open on a personal computer."
Earlier this summer, US-CERT issued a warning about Backoff.
“The impact of a compromised PoS system can affect both the businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers and email addresses to criminal elements,” US-CERT warned in the advisory. “These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.”
RSA has now found that a large number of Backoff attacks correlate with attacks on internet-exposed camera surveillance services at the same addresses.
"Our assumption is that the fraudsters figured out that the combination of RDP service and cam surveillance service both exposed to the internet provides a fairly logical indication of a possible business, and therefore a proper target," the report said.
It added: "According to our observations regarding the compromised machines, we can say that it's very likely that additional techniques have been employed, such as guessing default passwords for routers and cam surveillance control panels, and using known exploits against these services."
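The targeting heuristic RSA describes (an exposed RDP service plus an exposed camera surveillance service on the same public IP) can be turned around and used as an exposure audit. The following is an added example, not RSA's or Backoff's code: it parses a constructed port-scan export of an organisation's external addresses, classifies each service, and flags the hosts that match the profile. The scan lines, the port-to-service mapping (3389 for RDP, 554 for RTSP) and the banner keywords used to recognise camera and DVR web panels are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed scan export in "ip<TAB>port<TAB>banner" form (not real data;
# addresses are from the RFC 5737 documentation ranges).
SCAN_LINES = """\
203.0.113.10\t3389\tMicrosoft Terminal Services
203.0.113.10\t554\tRTSP/1.0 200 OK
203.0.113.10\t80\tHTTP/1.1 200 OK Server: DVR-Webserver
203.0.113.22\t3389\tMicrosoft Terminal Services
203.0.113.22\t22\tSSH-2.0-OpenSSH_6.6
198.51.100.5\t8000\tHTTP/1.1 200 OK Server: NetCam-Web
198.51.100.5\t443\tHTTP/1.1 200 OK
198.51.100.9\t3389\tMicrosoft Terminal Services
198.51.100.9\t8080\tHTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm="IP Camera"
198.51.100.30\t443\tHTTP/1.1 200 OK
"""

# Assumed indicators: RDP on its default port or by banner; camera/DVR by
# RTSP port or by keywords typical of camera and DVR web interfaces.
RDP_PORTS = {3389}
RTSP_PORTS = {554}
CAMERA_KEYWORDS = ("dvr", "nvr", "camera", "netcam", "ipcam", "rtsp")

Service = Tuple[int, str, str]  # (port, banner, kind)


def classify(port: int, banner: str) -> str:
    """Map one observed service to 'rdp', 'camera' or 'other'."""
    b = banner.lower()
    if port in RDP_PORTS or "terminal services" in b:
        return "rdp"
    if port in RTSP_PORTS or any(k in b for k in CAMERA_KEYWORDS):
        return "camera"
    return "other"


def parse_scan(text: str) -> Dict[str, List[Service]]:
    """Group scan lines by IP; malformed lines are skipped, not fatal."""
    hosts: Dict[str, List[Service]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        ip, port, banner = parts[0], int(parts[1]), parts[2]
        hosts[ip].append((port, banner, classify(port, banner)))
    return dict(hosts)


def backoff_profile(hosts: Dict[str, List[Service]]) -> Dict[str, Tuple[str, str]]:
    """Return ip -> (level, reason) using the RDP + camera co-exposure rule."""
    verdicts = {}
    for ip, services in hosts.items():
        kinds = {kind for _, _, kind in services}
        if {"rdp", "camera"} <= kinds:
            verdicts[ip] = ("HIGH", "RDP and camera/DVR service both exposed; matches Backoff targeting profile")
        elif "rdp" in kinds:
            verdicts[ip] = ("MEDIUM", "RDP exposed to the internet")
        elif "camera" in kinds:
            verdicts[ip] = ("LOW", "camera/DVR panel exposed; check for default credentials")
        else:
            verdicts[ip] = ("INFO", "no RDP or camera service observed")
    return verdicts


def priority_hosts(verdicts: Dict[str, Tuple[str, str]]) -> List[str]:
    """IPs that should be fixed first, highest level first, then by address."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted((ip for ip, (lvl, _) in verdicts.items() if lvl != "INFO"),
                  key=lambda ip: (order[verdicts[ip][0]], ip))


if __name__ == "__main__":
    results = backoff_profile(parse_scan(SCAN_LINES))
    for ip in priority_hosts(results):
        level, reason = results[ip]
        print(f"{ip:15} {level:7} {reason}")
```

Hosts that come out as HIGH are the ones the attackers' own heuristic would have singled out; the remediation the page implies is to take RDP off the internet (VPN or a gateway with strong authentication), and to remove or password-change the camera and router control panels that the report says were being hit with default credentials and known exploits.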