Menu
The 'Backoff' malware linked to data breaches is spreading

The 'Backoff' malware linked to data breaches is spreading

A rising number of devices are connecting to Backoff-related infrastructure, Damballa says

The number of computers in North America infected by the Backoff malware, which is blamed for a string of payment card breaches, has risen sharply, according to research from network security company Damballa.

The company detected a 57 percent increase between August and September in devices infected with Backoff, which scrapes a computer's RAM for leftover credit card data after a payment card has been swiped, said Brian Foster, Damballa's CTO.

Damballa based its finding on data it collects from its ISP and enterprise customers, who use its traffic analysis products to detect malicious activity.

Damballa sees about 55 percent of internet traffic from North America, including DNS requests, though for privacy reasons it doesn't know the IP addresses of most of those computers, Foster said.

The company runs a Hadoop cluster at its Atlanta headquarters, where it analyzes the DNS requests and classifies them as good or potentially malicious by looking at the servers being contacted.

"We actually attribute the behaviors we see -- as well as the domain names and IP addresses that malware is looking up -- to threat actors and threat groups," Foster said.

"We track a set of domain characteristics and domain names that are related to Backoff, and it's looking at the volume of those lookups that shows us the increase."

The retail industry is struggling to contain attacks targeting payment card data, and RAM-scraping malware has hit big-name companies like Home Depot, Target and Dairy Queen. The Department of Homeland Security warned in August that as many as 1,000 enterprise and small-business networks may be infected with Backoff and not know it.

Damballa has greater visibility into the networks of companies that use its services, Foster said, enabling it to warn those that may be infected. For ISPs that use its services, Damballa can alert them that their customers may have been infected and leave it to the IPSs to pass along the message.

ISPs have become more active about notifying customers, he said. That's been spurred by a desire to avoid government regulation, especially among the larger ISPs, he said. They also want to ensure the performance of their networks, since they increasingly offer high-bandwidth entertainment services.

"They see security as an enabler for a lot of their other business practices," Foster said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securityDamballa

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments