Security Response is aware of an alert from US-CERT regarding a threat they are calling Backoff. This threat family is reported to target Point of Sale (PoS) machines in order to log keystrokes and scrape memory for data (such as credit card information), and then exfiltrate that data to the attacker.
Symantec Security Response is currently investigating this threat family and is working to obtain the samples mentioned in the IOC section of the US-CERT alert. All detections for files belonging to this threat have been, or will be, mapped to: Trojan.Backoff
Information on US-CERT alert:
The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.
SEP for XP Embedded:
SSEP 5.1 for XPE is reaching its End of Support Life on 10/15/2014 but is still in use on a significant number of PoS devices around the world. This legacy product only updates its definitions once per week, and it uses a definition set and naming convention different from those of SEP 12.1.
We recommend that customers still using SSEP 5.1 for XPE should migrate to SEP 12.1 for more complete coverage.
• US-CERT Alert:
• Windows XP Embedded Support in Symantec Endpoint Protection (SEP) 11 vs. Sygate Symantec Endpoint Protection (SSEP) 5.1
• Symantec Endpoint Protection support for embedded operating systems
• Trojan Backoff: A new point-of-sale threat emerges
8-28 - Updated to include Response Blog and IPS defs