
Alert: POS Devices Targets of "Backoff" Malware

US-CERT issued an alert earlier today that a new malware threat, dubbed "Backoff," was discovered targeting point-of-sale devices.  "Backoff" variants have been traced back to October 2013 and are responsible for capturing data and keylogging.  The point of entry for the attackers is remote desktop software: once a remote access application is located, they brute force the login.  Once inside the system, the malware is deployed on the POS system and customer payment data is exfiltrated.

This is just the latest in a string of attacks that have targeted Remote Desktop Protocol with brute force.  As part of their advisory, US-CERT included a list of strategies for remote access, network and POS security.  Many of their recommendations for remote desktop access are available in more secure solutions, such as Netop Remote Control, straight out of the box.

The US-CERT remote desktop access security strategy recommendations:

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to log in, whether from an unauthorized user or via automated attack types like brute force.
  • Limit the number of users and workstations that can log in.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
  • Change the default Remote Desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  • Require two-factor authentication (2FA) for remote desktop access.
  • Install a Remote Desktop Gateway to restrict access.
  • Add an extra layer of authentication and encryption by tunneling your remote desktop through IPSec, SSH or SSL.
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.
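The first recommendation (a lockout threshold on failed logins) also works as a detection rule. The script below is an added illustration, not part of the US-CERT advisory or of any Netop product: it counts failed remote desktop logons per source address over sample records constructed to resemble Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the threshold and window values are assumptions.

```python
"""Flag RDP brute-force bursts in a sample of Windows Security logon events.

Added illustration (not from the US-CERT advisory or Netop). Records are
constructed to resemble Event ID 4625/4624 with Logon Type 10 (RDP);
the field layout follows those events, the values are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, user, source_ip)
SAMPLE_EVENTS = [
    ("2014-07-31 02:10:01", 4625, 10, "pos01", "203.0.113.7"),
    ("2014-07-31 02:10:03", 4625, 10, "admin", "203.0.113.7"),
    ("2014-07-31 02:10:04", 4625, 10, "administrator", "203.0.113.7"),
    ("2014-07-31 02:10:06", 4625, 10, "pos", "203.0.113.7"),
    ("2014-07-31 02:10:07", 4625, 10, "manager", "203.0.113.7"),
    ("2014-07-31 02:10:09", 4624, 10, "pos01", "203.0.113.7"),  # success after burst
    ("2014-07-31 02:15:00", 4625, 10, "jsmith", "192.0.2.20"),  # single typo, benign
    ("2014-07-31 02:20:00", 4625, 2, "jsmith", "192.0.2.20"),   # console logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures": n, "users": set, "success_after": bool}}
    for sources with >= threshold RDP logon failures inside a sliding window.
    threshold plays the role of the account-lockout count the advisory recommends."""
    failures = defaultdict(list)   # ip -> timestamps of recent RDP failures
    users = defaultdict(set)       # ip -> account names tried from that ip
    flagged = {}
    for ts, event_id, logon_type, user, ip in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if logon_type != 10:       # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            users[ip].add(user)
            # keep only the failures that fall inside the window ending at this event
            failures[ip] = [t for t in failures[ip] if when - t <= window] + [when]
            if len(failures[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"success_after": False})
                entry["failures"] = len(failures[ip])
                entry["users"] = set(users[ip])
        elif event_id == 4624 and ip in flagged:
            # a successful RDP logon right after a burst of failures is the
            # highest-priority signal: the password may have been guessed
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```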

At the time the advisory was released, the "Backoff" malware was not detectable by most anti-virus solutions.  Signatures for the variants are quickly being added, however, and companies are advised to maintain up-to-date anti-virus engines and signatures.  In the interim, the indicators of compromise listed in the advisory can be applied.
