Dark Reading is part of the Informa Tech Division of Informa PLC

BackOff Not To Blame For GoodWill Breach

Rawpos, a "very low risk" infostealer, is responsible for the compromise of roughly 868,000 credit cards.

Despite the retail industry's new fervor over the Backoff malware, it was Rawpos, not Backoff, that was to blame for the breach at Goodwill retail stores reported in July. Symantec gave Rawpos a risk rating of "very low" when it discovered the infostealer in February. Very low risk or not, Rawpos was used to compromise 330 of Goodwill's independently operated "member" stores in 20 US states and exposed information on 868,000 credit cards, a Goodwill representative confirms.

Goodwill released details yesterday about the scope and nature of the breach, stating that "The investigation found no evidence of malware on any internal Goodwill systems... The impacted Goodwill members used the same affected third-party vendor to process credit card payments. Twenty Goodwill members (representing about 10 percent of all stores) that use the same affected third-party vendor were impacted."

Goodwill is not releasing the name of the third-party vendor, but Goodwill director of public relations Lauren Lawson confirmed that it is a point-of-sale system provider. The vendor's system must be Windows-based; Rawpos affects Windows 7, Vista, XP, and 2000.

"The malware attack affected the third-party vendor’s systems intermittently between February 10, 2013, and August 14, 2014," yesterday's report states. "Authorities first contacted Goodwill about the breach on July 18, 2014."

Goodwill stated that it has received "a very limited number of reports" of fraudulent use of the card data compromised in the breach.

"We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again," Jim Gibbons, president and CEO of Goodwill Industries International said in the statement. "Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority."

The retail industry's main priority is still Backoff.

On August 27, in response to the spate of attacks on point-of-sale systems, the PCI Council -- the organization responsible for the creation and enforcement of the Payment Card Industry Data Security Standard -- released an advisory about the Backoff malware. The Council recommended that "merchants consider implementing PCI-approved point-of-interaction (POI) devices that support the secure reading and exchange (SRED) of data which encrypts data at the point of capture and would prevent exposure of clear-text data within the ECR or similar POS systems. Merchants should also consider implementing a PCI-approved point-to-point encryption (P2PE) solution which includes SRED devices and protects the data until received by the secure decryption facility."

PCI-approved devices and vendors can be found at pcisecuritystandards.org.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

9/8/2014 | 2:23:37 AM
POS Malware
PCI DSS has become a "Toothless Bulldog", whereby the client's relationship with the security companies directly impacts their independence and ability to offer meaningful security recommendations that the retailers have to comply with. As a QSA, if you put forward a stringent set of recommendations on improving POS security or other vital aspects such as end-to-end encryption and full network segmentation, you may well be looking for a new customer in the near future, and those firms who bend to the commercial pressures will continue to prosper.

Retailers are not being forced by the card providers to fix the underlying issues with POS systems, i.e., old unsupported software, poor network architecture and monitoring, a lack of virus protection, insecure POS software, and please don't let me comment on the general state of the AV industry!

Retailers don't prioritize more secure POS systems, and banks don't want to protect consumers because this will affect shareholder returns. These factors are culminating in the losses of card data we see on this site week in and week out; like any skilled adversary, they aim for the weakest link.

9/4/2014 | 6:25:40 PM
Discover alerted about this in March
Known MD5 hashes are listed in this blog post: j.mp/1o36s2E

2 of the 3 hashes from the post are listed in this Data Security Alert posted by Discover in March, along with other useful indicators of compromise. They also stress the common entry point of poorly secured remote access solutions and provide the typical advice on how not to be a victim. See j.mp/1unYs1i