
Backoff Not To Blame For Goodwill Breach

Rawpos, a "very low risk" infostealer, is responsible for the compromise of roughly 868,000 credit cards.

Despite the retail industry's new fervor over the Backoff malware, it is Rawpos, not Backoff, that is to blame for the breach at Goodwill retail stores reported in July. Symantec gave Rawpos a risk rating of "very low" when it discovered the infostealer in February. Very low risk or not, Rawpos was used to compromise 330 of Goodwill's independently operated "member" stores in 20 US states, exposing information on 868,000 credit cards, a Goodwill representative confirms.

Goodwill released details yesterday about the scope and nature of the breach, stating that "The investigation found no evidence of malware on any internal Goodwill systems... The impacted Goodwill members used the same affected third-party vendor to process credit card payments. Twenty Goodwill members (representing about 10 percent of all stores) that use the same affected third-party vendor were impacted."

Goodwill is not releasing the name of the third-party vendor, but Goodwill director of public relations Lauren Lawson confirmed that it is a point-of-sale system provider. It must be a Windows-based POS system; Rawpos impacts Windows 7, Vista, XP, and 2000.

"The malware attack affected the third-party vendor’s systems intermittently between February 10, 2013, and August 14, 2014," yesterday's report states. "Authorities first contacted Goodwill about the breach on July 18, 2014."

Goodwill stated that it has received "a very limited number of reports" of fraudulent use of the card data compromised in the breach.

"We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again," Jim Gibbons, president and CEO of Goodwill Industries International said in the statement. "Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority."

The retail industry's main priority is still Backoff.

On August 27, in response to the spate of attacks on point-of-sale systems, the PCI Council -- the organization responsible for the creation and enforcement of the Payment Card Industry Data Security Standards -- released an advisory about the Backoff malware. The Council recommended that "merchants consider implementing PCI-approved point-of-interaction (POI) devices that support the secure reading and exchange (SRED) of data which encrypts data at the point of capture and would prevent exposure of clear-text data within the ECR or similar POS systems. Merchants should also consider implementing a PCI-approved point-to-point encryption (P2PE) solution which includes SRED devices and protects the data until received by the secure decryption facility."

PCI-approved devices and vendors can be found at pcisecuritystandards.org.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
9/8/2014 | 2:23:37 AM
POS Malware
PCI DSS has become a "Toothless Bulldog", whereby the client's relationship with the Security companies directly impacts their independence and ability to offer meaningful security recommendations that the Retailers have to comply with. As a QSA if you put forward a stringent set of recommendations on improving POS security or other vital aspects such as end-to-end encryption and full network segmentation, you may well be looking for a new customer in the near-future, and those firms who bend to the commercial pressures will continue to prosper.

Retailers are not being forced by the card providers to fix the underlying issues with POS systems, i.e., old unsupported software, poor network architecture and monitoring, a lack of Virus protection, insecure POS software, and please don't let me comment on the general state of the AV Industry!

Retailers don't prioritize more secure POS systems and Banks don't want to protect consumers because this will affect Shareholder returns. These factors are culminating in the losses of card data we see on this site week in and week out, like any skilled adversary they aim for the weakest link.
User Rank: Moderator
9/4/2014 | 6:25:40 PM
Discover alerted about this in March
Known MD5 hashes are listed in this blog post: j.mp/1o36s2E

2 of the 3 hashes from the post are listed in this Data Security Alert posted by Discover in March along with other useful indicators of compromise. They also stress the common entry point of poorly secured remote access solutions and provide the typical advice on how not to be a victim. See j.mp/1unYs1i