BackOff Not To Blame For GoodWill Breach

Rawpos, a "very low risk" infostealer, is responsible for the compromise of roughly 868,000 credit cards.

Despite the retail industry's new fervor over the Backoff malware, it was Rawpos, not Backoff, that was behind the breach at Goodwill retail stores reported in July. Symantec gave Rawpos a risk rating of "very low" when it discovered the infostealer in February. Very low risk or not, Rawpos was used to compromise 330 of Goodwill's independently operated "member" stores in 20 US states and exposed information on 868,000 credit cards, a Goodwill representative confirms.

Goodwill released details yesterday about the scope and nature of the breach, stating that "The investigation found no evidence of malware on any internal Goodwill systems... The impacted Goodwill members used the same affected third-party vendor to process credit card payments. Twenty Goodwill members (representing about 10 percent of all stores) that use the same affected third-party vendor were impacted."

Goodwill is not releasing the name of the third-party vendor, but Goodwill director of public relations Lauren Lawson confirmed that it is a point-of-sale system provider. It must be a Windows-based POS system; Rawpos affects Windows 7, Vista, XP, and 2000.

"The malware attack affected the third-party vendor’s systems intermittently between February 10, 2013, and August 14, 2014," yesterday's report states. "Authorities first contacted Goodwill about the breach on July 18, 2014."

Goodwill stated that it has received "a very limited number of reports" of fraudulent use of the card data compromised in the breach.

"We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again," Jim Gibbons, president and CEO of Goodwill Industries International said in the statement. "Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority."

The retail industry's main priority is still Backoff.

On August 27, in response to the spate of attacks on point-of-sale systems, the PCI Council -- the organization responsible for the creation and enforcement of the Payment Card Industry Data Security Standards -- released an advisory about the Backoff malware. The Council recommended that "merchants consider implementing PCI-approved point-of-interaction (POI) devices that support the secure reading and exchange (SRED) of data which encrypts data at the point of capture and would prevent exposure of clear-text data within the ECR or similar POS systems. Merchants should also consider implementing a PCI-approved point-to-point encryption (P2PE) solution which includes SRED devices and protects the data until received by the secure decryption facility."

PCI-approved devices and vendors can be found at pcisecuritystandards.org.
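To make the Council's recommendation concrete, here is an added Python model (not code from Goodwill, its vendor, or the PCI Council) of why SRED/P2PE blunts a POS infostealer: the same Luhn-based scan that finds a PAN in a clear-text transaction buffer finds nothing when the reader hands the POS only ciphertext it has no key for. The cipher, the key and nonce names, and the sample track data are constructed stand-ins, not a real P2PE implementation.

```python
import hashlib
import hmac
import re

# Constructed sample: the standard test PAN 4111111111111111 in track-2 layout, not real card data.
SAMPLE_TRACK2 = "4111111111111111=2512101234"
# Assumption: the SRED reader and the decryption facility share this key; the POS host never holds it.
# Real P2PE solutions keep hardware-held, DUKPT-managed keys; this toy key only models key placement.
FACILITY_KEY = b"demo-facility-key"
NONCE = bytes(range(16))  # constructed fixed nonce so the example is deterministic

def luhn_ok(digits: str) -> bool:
    """Luhn check used by the defender-side PAN scanner."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(buf: bytes) -> list:
    """DLP-style check: 13-19 digit runs in a host buffer that pass Luhn."""
    text = buf.decode("latin-1")
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter keystream standing in for the reader's real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def sred_capture(track: str) -> bytes:
    """What a SRED reader hands the POS: nonce || ciphertext, never clear-text track data."""
    data = track.encode()
    return NONCE + bytes(a ^ b for a, b in zip(data, _keystream(FACILITY_KEY, NONCE, len(data))))

def facility_decrypt(blob: bytes) -> str:
    """Only the decryption facility, which holds FACILITY_KEY, recovers the track data."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(FACILITY_KEY, nonce, len(ct)))).decode()

def pos_host_exposure(p2pe: bool) -> list:
    """PANs the scanner finds in the POS host's transaction buffer, with and without P2PE/SRED."""
    buffer = sred_capture(SAMPLE_TRACK2) if p2pe else SAMPLE_TRACK2.encode()
    return find_pans(buffer)
```

Running `pos_host_exposure(False)` returns the test PAN, while `pos_host_exposure(True)` returns an empty list, which is the whole point of moving encryption into the point-of-interaction device.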

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
9/8/2014 | 2:23:37 AM
POS Malware
PCI DSS has become a "Toothless Bulldog", whereby the clients' relationship with the Security companies directly impacts their independence and ability to offer meaningful security recommendations that the Retailers have to comply with. As a QSA, if you put forward a stringent set of recommendations on improving POS security or other vital aspects such as end-to-end encryption and full network segmentation, you may well be looking for a new customer in the near future, and those firms who bend to the commercial pressures will continue to prosper.

Retailers are not being forced by the card providers to fix the underlying issues with POS systems, i.e., old unsupported software, poor network architecture and monitoring, a lack of Virus protection, insecure POS software, and please don't let me comment on the general state of the AV Industry!

Retailers don't prioritize more secure POS systems and Banks don't want to protect consumers because this will affect Shareholder returns. These factors are culminating in the losses of card data we see on this site week in and week out; like any skilled adversary, they aim for the weakest link.
User Rank: Moderator
9/4/2014 | 6:25:40 PM
Discover alerted about this in March
Known MD5 hashes are listed in this blog post: j.mp/1o36s2E

2 of the 3 hashes from the post are listed in this Data Security Alert posted by Discover in March, along with other useful indicators of compromise. They also stress the common entry point of poorly secured remote access solutions and provide the typical advice on how not to be a victim. See j.mp/1unYs1i