Backoff Point-of-Sale Malware Alert

Backoff Point-of-Sale Malware Alert


Backoff Point-of-Sale Malware Alert

A new version of PoS (Point-of-Sale) Malware, “Backoff,” has been connected to several recent PoS data breaches. Malicious actors are looking for remote desktop solutions such as: MS-RDP, Apple RDP, Splashtop, LogMeIn,, and other similar solutions. After finding these remote access solutions running they attempt to brute force the login user, giving them access to privileged accounts. Once they have privileged access they attempt to deploy the Backoff PoS malware and start the exfiltration of PCI data via encrypted traffic.


  • Ensure account setting lockout users after a specific number of failed login attempts within a given period of time.
    3 failed logins within 30 seconds.
  • Limit RDP application usage and privileged accounts to a few specific users.
  • Use strong passwords.
    9 or more characters, including at least 1 capital & lower case letter, 1 number, and a special character.
    Modified pass phrases are typically strong passwords.
  • Enforce 90 day password rotations.
  • Require two-factor authentication when using RDP or accessing payment processing networks.
  • Review all systems that have access to payment processing networks regularly for user accounts.
  • Segregate payment processing networks from all other networks and restrict access to only specific devices.
  • Use ACL’s to restrict access to any device that has access to PCI data and payment processing networks.
  • Use DLP (data leakage prevention) tools.
  • Ensure you are using an IDS/IPS that can detect anomalous behavior.
  • Ensure all AV (Anti-virus) programs are up to date, and that scans are being performed regularly.
  • Disable unused ports and services.

Systems Affected
Any device using RDP applications or payment processing networks.

Basic Components of the Exploit:

  • RDP scan
  • Brute Force of privileged Account
  • Deploy “Backoff” PoS mlaware
  • Exfiltrate PCI data

Alert Detection:

The Masergy Threat Intelligence Team will continue to release alerts on this vulnerability to all UES Customers as they become available for IDS/IPS Detection + Preventions Modules (DPM) and Vulnerability Scanning Modules (VSM).
We currently have the ability to detect and notify on various RDP based exploitation techniques.CST:BACKOFF-CNC
Possible check-in of the Backoff malware.
Backoff is a POS malware discovered in July 2014 that utilizes memory scraping to capture payment card details for point of sale machines.
Once the malware has captured the data, the data is then encrypted and ex-filtrated to a command and control server