The latest big breach apparently occurred at the nonprofit retail thrift store operator Goodwill Industries International Inc. The culprit: a new strain of malware called Backoff. The breach, which came to light July 21, 2014, is part of a seemingly ever more frequent occurrence of compromises at national retailers. But if the mainstream media and consumers are adopting a complacent, “oh, another breach” mentality, security experts and the business community remain deadly serious about securing networks and mitigating attacks.
Once again, security investigative reporter Brian Krebs broke the story of the Goodwill breach on his blog site KrebsonSecurity. Krebs wrote in the July 21 post that unnamed sources within the financial services industry said multiple Goodwill locations had been breached and that an unknown number of credit and debit cards had been compromised.
Goodwill informed Krebs that it had only learned about the breach on Fri., July 18, when a payments industry fraud investigative unit and federal authorities alerted the nonprofit organization of the possible compromise. Krebs’ sources said Goodwill stores in 21 states, including California, Colorado, Minnesota and New Jersey, may have been affected.
Goodwill operates a network of 165 independent, community-based centers in the United States and Canada to offer job training and other services. The nonprofit generates revenue for its programs through 2,900 retail locations that sell donated goods, such as clothing and electronics, to primarily low-income consumers.
Krebs reported that the compromised cards had been used at Goodwill stores, but that the actual fraudulent charges on those cards occurred at big box retailers and supermarket chains. “This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s,” he wrote.
The Backoff malware
On July 31, 2014, the United States Computer Emergency Readiness Team (US-Cert), an organization operating within the U.S. Department of Homeland Security, issued an alert about the new Backoff malware attack vector. Working in collaboration with the National Cybersecurity and Communications Integration Center, United States Secret Service, Financial Sector Information Sharing and Analysis Center and Trustwave’s Spiderlabs security research division, US-Cert said Backoff is associated with several POS data breach investigations, and that “fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.”
The alert said Backoff has existed since October 2013 and that the malware employs memory scraping and keylogging to lift payment data from networks. Fraudsters then commonly create counterfeit cards using that stolen data and send out individuals known as “mules” to purchase goods with the fake cards and, in the case of debit cards, drain bank accounts via cash withdrawals at ATMs.
Into the breach
Opinions of security researchers on the Goodwill breach center on the insidious nature of modern fraud, where fraudsters are slipping past business’ porous defenses and planting malware on networks to steal data.
“Breaches are happening more often, and from the inside,” said Eric Chiu, President and co-founder of HyTrust Inc. “The reason for this is that attackers look just like any other employee once the person is on the network, giving them the ability to siphon off sensitive or confidential data without being detected. To achieve this goal, attackers are posing as employees and IT administrators by stealing credentials or looking for other ways in, such as remote access systems.”
Fraudsters are able to circumvent defenses largely because businesses fail to implement controls on how employees access networks remotely. Neohapsis Security Consultant Joe Schumacher said, “For limiting the risk of compromise with this malware, organizations should educate employees and provide an approved method for remote access.”
In fact, fraudsters are effectively targeting employees that have admin-level access to systems. “What we see are end users who have had their computers compromised by malware,” said Jerome Segura, Senior Security Researcher at Malwarebytes Labs. “But they aren’t just your typical user, in that some of them have access to corporate networks. This makes them a very valuable target for hackers that may realize their custom piece of malware has just struck a gold mine.”
Better fraud fighting on the way?
Ray Rothrock, Chief Executive Officer at enterprise cyber security company RedSeal Networks, said the security and retail industries are keen on fighting fraud, even if a modicum of complacency has set in with consumers and the mass media.
“I guarantee if you’re a CEO, you are worried about breaches,” Rothrock said. “In fact, a lot of people these days are being asked by their boards and senior management, assume we will be breached because we will be. What’s your plan of response and remediation for it?”
The Goodwill breach is a reminder of why vigilance and planning are so important today. “It’s a shame,” Rothrock said. “Goodwill was not exactly a Wall Street firm. Goodwill has a lot less to lose than a Wall Street firm financially, but a whole lot to lose from a brand point of view. So I find it an unfortunate state of affairs. But Goodwill is like every other organization: they have to protect this information about their customers, and they didn’t.”
Rothrock said small and midsize merchants can take three steps to secure their networks. The first is to ensure the business is running the latest software and that the software is up to date with all the necessary patches to plug any holes in the network architecture. Next, find out where the business’s core data is stored on the network, how it is protected, and the pathways that allow the data to get from point A to point B. Finally, businesses should know who within and without their organizations has access to networks.
While fraud seems to be growing in intensity and more businesses are being affected by it, Rothrock is positive the combined efforts to counter fraud will eventually do a better job in containing fraud as security evolves to meet the problem. “It’ll get better just as buildings have gotten better,” he said. “We have sprinkler systems in buildings now. We didn’t have then 50 years ago. We get better. We learn. And I think the same will happen in electronic security and data security.”