The US Computer Emergency Readiness Team (US-CERT), in cooperation with the Secret Service and researchers at Trustwave’s SpiderLabs, has issued an alert about a newly identified variant of malware installed on point-of-sale (POS) systems and used in a series of recent attacks by cyber criminals. Called “Backoff,” the malware shares a key characteristic with the malware used to attack Target’s point-of-sale systems last year: it scrapes credit card data out of the infected computer’s memory. Until now it has gone undetected by antivirus software; testing by the researchers found it had a “zero percent detection rate” on commercial antivirus products.

POS machines are a big target for hackers, who use malware like Backoff to collect card data and other transaction information, either to create fraudulent credit cards or to sell the data. In many ways, the Backoff-based attacks were similar to the 2011 attack on Subway franchises: hackers used remote desktop software left active on the machines to gain entry, either by brute-forcing the password or by taking advantage of a default password, and then installed the malware on the compromised system.
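The entry route described above (an exposed remote desktop service, brute-forced until a password guess succeeds) leaves a recognisable trail in the host’s Windows Security log: a burst of failed RDP logons from one source followed by a success. The following detector is an added example for this article, not code from US-CERT or Trustwave; the log lines are a constructed, simplified export (event 4625 = failed logon, 4624 = successful logon, LogonType=10 = RDP), and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log lines from an exposed Remote Desktop
# host (4625 = failed logon, 4624 = successful logon, LogonType=10 = RDP).
# The one-line format is a simplified export made up for this example.
SAMPLE_EVENTS = """\
2014-07-31T02:14:01 4625 LogonType=10 User=admin Source=203.0.113.45
2014-07-31T02:14:03 4625 LogonType=10 User=administrator Source=203.0.113.45
2014-07-31T02:14:04 4625 LogonType=10 User=pos Source=203.0.113.45
2014-07-31T02:14:06 4625 LogonType=10 User=pos1 Source=203.0.113.45
2014-07-31T02:14:07 4625 LogonType=10 User=manager Source=203.0.113.45
2014-07-31T02:14:09 4625 LogonType=10 User=posadmin Source=203.0.113.45
2014-07-31T02:14:10 4624 LogonType=10 User=posadmin Source=203.0.113.45
2014-07-31T09:02:11 4625 LogonType=10 User=clerk Source=192.0.2.7
2014-07-31T09:02:40 4624 LogonType=10 User=clerk Source=192.0.2.7
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>4624|4625) LogonType=10 User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose RDP logon failures reach `threshold`
    inside a sliding `window`; the alert also records which account, if any,
    then logged in successfully from that source (the likely guessed password)."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625 events
    alerts = {}                     # source IP -> alert dict
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue                # skip non-RDP or malformed lines
        ts = datetime.fromisoformat(m["ts"])
        src, user = m["src"], m["user"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if m["eid"] == "4625":
            recent.append(ts)
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {"source": src, "failures": 0, "compromised_user": None})
                alert["failures"] = len(recent)
        elif src in alerts and alerts[src]["compromised_user"] is None:
            alerts[src]["compromised_user"] = user   # success right after a flagged burst
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A single failed attempt followed by a success (the second source in the sample) is normal user behaviour and produces no alert; the first source trips the threshold and is tagged with the account that eventually got in.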

According to US-CERT, Backoff, which is Windows-specific malware, runs in the background watching memory for the “track” data read from a credit card’s magnetic stripe during a swipe; that data yields the account number and is enough to create counterfeit cards usable at ATMs and other point-of-sale systems. Backoff also has a keylogger function that records keypresses on the infected computer. The malware installs a malicious stub in Windows Explorer that can reload the in-memory component if it crashes, and it communicates with the criminals’ command-and-control network, sending home captured card data and checking for malware updates.

Because of the way it has been used thus far, Backoff is likely more of a threat to smaller retailers and franchises, which commonly use remote desktop software so that business managers can connect in from another store or so that software vendors can provide remote support. But in the hands of a more sophisticated cybercrime ring it could be used on a larger scale.