UPS Store Malware Likely Hit Many Other Companies

Credit: Lolloj/Shutterstock

UPDATED 6:45 PM EDT Friday Aug. 22 with link to a DHS/USSS bulletin with more information.

The Backoff point-of-sale malware infection that hit 51 UPS Stores may be very widespread, the United States Computer Emergency Readiness Team (US-CERT) stated today (Aug. 22) in an alert.

"US-CERT is aware of Backoff malware compromising a significant number of major enterprise networks, as well as small and medium businesses," a statement posted on the US-CERT website read.

It urged "administrators and operators of Point-of-Sale systems" to reread the long advisory about Backoff jointly released July 31 by US-CERT, the Department of Homeland Security, the United States Secret Service and other agencies.


The New York Times reported on its website that "more than 1,000 American businesses" had been affected by point-of-sale malware, but did not identify the provenance of that figure.

Nor did The Times specify whether the businesses had been hit by Backoff specifically, or by other forms of point-of-sale malware, such as the "Kartosha" malware that infected all of Target Corporation's U.S. retail stores in the fall of 2013.

Point-of-sale (PoS) malware is designed to infect cash registers and PIN pads (the card-swiping terminals often attached to cash registers). Data from credit and debit cards is encrypted almost immediately after the customer swipes, but for a brief moment it exists unencrypted in a PIN pad's memory, or RAM.

Backoff and Kartosha are both "RAM scrapers" in that they copy card data as it fleetingly travels through the RAM, then transmit the stolen information to criminals who resell the card data in online forums.
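To make the RAM-scraper description above concrete from the defender's side, here is an added example (not from the article or any agency advisory) that scans a constructed terminal memory buffer for Track 2 card data, the same check a PCI memory scan or DLP tool runs, and shows that encrypting at the read head (point-to-point encryption) leaves nothing recognisable in RAM. The test PAN, buffer contents, key and XOR keystream cipher are all constructed stand-ins.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample: a Track 2 record sitting in PIN-pad RAM for a moment
# after a swipe (4111... is a well-known test PAN, not a real card) between
# unrelated terminal bytes. Not captured from any real system.
TRACK2 = b";4111111111111111=25121010000000000?"
PLAIN_RAM = b"\x00\x00POS-TERM-07\x00" + TRACK2 + b"\x00receipt printer idle\x00"

# Track 2 layout: ';' PAN (13-19 digits) '=' expiry YYMM, service code and
# discretionary digits, then '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: separates real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> List[str]:
    """Masked PANs for every Luhn-valid Track 2 record in a memory buffer,
    the same pattern a PCI memory scan or DLP tool looks for."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return hits


def encrypt_at_read_head(track: bytes, key: bytes) -> bytes:
    """Stand-in for a P2PE reader that encrypts before data reaches host RAM.
    XOR with a SHA-256 keystream is a toy cipher for this demo only; real
    readers use DUKPT-derived 3DES/AES keys inside tamper-resistant hardware."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(track) // 32 + 1))
    return bytes(a ^ b for a, b in zip(track, stream))


def scan_with_and_without_p2pe() -> Dict[str, List[str]]:
    """Scan the same terminal memory twice: plaintext swipe vs. P2PE swipe."""
    p2pe_ram = PLAIN_RAM.replace(TRACK2, encrypt_at_read_head(TRACK2, b"demo-key"))
    return {"plain": find_track2(PLAIN_RAM), "p2pe": find_track2(p2pe_ram)}
```

Calling `scan_with_and_without_p2pe()` returns one masked hit for the plaintext buffer and none for the encrypted one, which is the whole point of keeping the cipher inside the reader rather than on the host.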

Following the July 31 advisory, The UPS Store, a wholly owned subsidiary of United Parcel Service, examined its computer systems and discovered Backoff in about 1 percent of its retail stores, all of which are franchises. The UPS Store went public with the breach Wednesday (Aug. 20) and urged anyone who had used a credit or debit card in the affected stores since January to contact the company.

It's almost certain that many other companies' computer systems have also been infected by Backoff. It's also likely that many of those companies will never admit the intrusions.

Despite recommendations by information-security experts and federal authorities that full disclosure helps manage outbreaks, many companies fear that admitting data breaches will hurt business, damage reputations or affect stock prices. Target lost more than $100 million in the wake of its own data breach, and the company's chief executive lost his job.

UPDATE: The Times' information may have originated with an advisory issued to businesses today by the Department of Homeland Security and the U.S. Secret Service that offers more detail than the concurrent US-CERT alert.

"Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the 'Backoff' malware," the advisory reads in part. "Seven PoS system providers/vendors have confirmed that they have had multiple clients affected.

"Reporting continues on additional compromised locations, involving private-sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Comment from the forums
  • Christopher1
    Companies should be REQUIRED to make intrusions like this public when they find them, so that people can properly gauge the risk of using those companies. I know that an attack like this is hard to impossible to prevent but..... I still want to know when it has happened.
  • dgingeri
    These guys have earned the wrath of the Secret Service. They will be hunted down now, there is no doubt. They'll be crucified even worse than Lulzsec. The Secret Service is even more capable than the FBI in investigation skills.
  • ddpruitt
    One has to wonder why the credit card info isn't encrypted in hardware before being transferred to RAM. It would eliminate a number of different attack vectors.