Menu
The 'Backoff' malware linked to data breaches is spreading

The 'Backoff' malware linked to data breaches is spreading

A rising number of devices are connecting to Backoff-related infrastructure, Damballa says

The number of computers in North America infected by the Backoff malware, which is blamed for a string of payment card breaches, has risen sharply, according to research from network security company Damballa.

The company detected a 57 percent increase between August and September in devices infected with Backoff, which scrapes a computer's RAM for leftover credit card data after a payment card has been swiped, said Brian Foster, Damballa's CTO.

Damballa based its finding on data it collects from its ISP and enterprise customers, who use its traffic analysis products to detect malicious activity.

Damballa sees about 55 percent of internet traffic from North America, including DNS requests, though for privacy reasons it doesn't know the IP addresses of most of those computers, Foster said.

The company runs a Hadoop cluster at its Atlanta headquarters, where it analyzes the DNS requests and classifies them as good or potentially malicious by looking at the servers being contacted.

"We actually attribute the behaviors we see -- as well as the domain names and IP addresses that malware is looking up -- to threat actors and threat groups," Foster said.

"We track a set of domain characteristics and domain names that are related to Backoff, and it's looking at the volume of those lookups that shows us the increase."

The retail industry is struggling to contain attacks targeting payment card data, and RAM-scraping malware has hit big-name companies like Home Depot, Target and Dairy Queen. The Department of Homeland Security warned in August that as many as 1,000 enterprise and small-business networks may be infected with Backoff and not know it.

Damballa has greater visibility into the networks of companies that use its services, Foster said, enabling it to warn those that may be infected. For ISPs that use its services, Damballa can alert them that their customers may have been infected and leave it to the IPSs to pass along the message.

ISPs have become more active about notifying customers, he said. That's been spurred by a desire to avoid government regulation, especially among the larger ISPs, he said. They also want to ensure the performance of their networks, since they increasingly offer high-bandwidth entertainment services.

"They see security as an enabler for a lot of their other business practices," Foster said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securityDamballa

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Show Comments