What to do in the wake of the Backoff malware attack

July 31, 2014

Retailers, restaurants, and other businesses have a new form of malware to fight, called Backoff. This latest form of cybercrime attacks remote-desktop applications that are used by point-of-sale systems, picking up credit cards and other consumer information along the way.

Details about Backoff were released today in a report by the Department of Homeland Security and the U.S. Secret Service. The malware is so new that anti-virus programs don't yet have the signatures to detect it.

About 600 brick-and-mortar businesses, large and small, were affected by the malware, according to Karl Sigler, threat intelligence manager for Trustwave, a security company that helped uncover the malware. Names of the businesses have not been released yet, since a criminal investigation is ongoing.

Backoff allows cybercriminals to infiltrate the remote-access software often used by vendors of point-of-sale systems when problems arise with those systems. Once Backoff gets access to the remote software (often because of weak passwords), it waits for credit-card info to be entered, encrypts it, and sends the numbers to cyberthieves, Sigler said. Backoff can both log keystrokes, for example when a clerk manually enters a credit card number, or scrape credit and debit card data from the system’s memory.

Check our buying guide and Ratings of security software. And learn more about online security.

 “There have been no signs of fraudulent activity [on credit cards] yet,” Stigler said. “It can be alarming, but in the end, this is just shining a light on the fact that these vendors aren’t using best practices to prevent this kind of attack.”

Ironically, he adds, online shopping is a bit more secure than shopping in physical stores. “Your own computer is more in your control,” Stigler said.

—Donna Tapellini

More from Consumer Reports:
The best washing machines for $800 or less
Most fun to drive cars
5 resaons to buy a blu ray player instead of Roku or Apple TV

Consumer Reports has no relationship with any advertisers or sponsors on this website. Copyright © 2006-2014 Consumers Union of U.S.