UPS Store Malware Likely Hit Many Other Companies

Tom's Guide / Paul Wagenseil

The Backoff point-of-sale malware infection that hit 51 UPS Stores may be very widespread, the United States Computer Emergency Readiness Team (US-CERT) stated today (Aug. 22) in an alert.

"US-CERT is aware of Backoff malware compromising a significant number of major enterprise networks, as well as small and medium businesses," a statement posted on the US-CERT website read.

It urged "administrators and operators of Point-of-Sale systems" to reread the long advisory about Backoff jointly released July 31 by US-CERT, the Department of Homeland Security, the United States Secret Service and other agencies.

The New York Times reported on its website that "more than 1,000 American businesses" had been affected by point-of-sale malware, but did not identify the provenance of that figure.

Nor did The Times specify whether the businesses had been hit by Backoff specifically, or by other forms of point-of-sale malware, such as the "Kartosha" malware that infected all of Target Corporation's U.S. retail stores in the fall of 2013.

Point-of-sale (PoS) malware is designed to infect cash registers and PIN pads, the card-swiping terminals often attached to cash registers. Data from credit and debit cards is encrypted almost immediately after the customer swipe, but for a brief moment it exists unencrypted in a PIN pad's memory, or RAM.

Backoff and Kartosha are both "RAM scrapers" in that they copy card data as it fleetingly travels through the RAM, then transmit the stolen information to criminals who resell the card data in online forums.

Following the July 31 advisory, The UPS Store, a wholly owned subsidiary of United Parcel Service, examined its computer systems and discovered Backoff in about 1 percent of its retail stores, all of which are franchises. The UPS Store went public with the breach Wednesday (Aug. 20) and urged anyone who had used a credit or debit card in the affected stores since January to contact the company.

It's almost certain that many other companies' computer systems have also been infected by Backoff. It's also likely that many of those companies will never admit the intrusions.

Despite recommendations by information-security experts and federal authorities that full disclosure helps manage outbreaks, many companies fear that admitting data breaches will hurt business, damage reputations or affect stock prices. Target lost more than $100 million in the wake of its own data breach, and the company's chief executive lost his job.

Copyright 2014 Toms Guides, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.