Backoff is used by criminals to gather valuable track2 data from credit cards. Track 2 data is information contained in the card's magnetic stripe and accessed by credit card checkers and point-of-sale (POS) magnetic stripe readers. The information in track 2 includes the primary account number and encrypted personal identification number (PIN). That data is lucrative for cybercriminals because it can be used used to create cloned credit cards.
The malware is installed via hacked remote desktop-type applications that are often used to configure POS systems. Attackers gain entrance to these accounts by brute force attacks. Once installed, Backoff is hard to detect. The malware uses RAM scraping to find track 2 data as it is introduced to the system, while it has not yet been encrypted. The data is then sent to remote computers to be sold on underground websites.
Backoff capabilities include:
- Scraping memory for track 2 data.
- Logging keystrokes.
- Command & control (C&C) communication.
- Injecting malicious stub into explorer.exe.
United States Secret Service estimated that Backoff had affected over 1000 businesses. A variant of Backoff was used in a massive Target breach in late 2013, which compromised the data of 70 million individuals.