Backoff Point-of-Sale Targeted Malware

Point-of-Sale breaches are reaching epidemic levels. The US Computer Emergency Readiness Team issued an alert on July 31st stating that the Backoff Point-of-Sale Malware was witnessed on a least three separate forensics investigations. The US Secret Service estimates over 1,000 businesses have been affected. The Backoff family of malware used in these attacks has so far had low to zero anti-virus detection rates and even fully updated anti-virus engines on fully patched computers are missing this particularly malicious malware.

If you think you have been compromised call the Secret Service's field office at 877-242-3375, the National Cybersecurity and Communications Integration Center at 888-282-0870 or contact US-CERT by email SOC@US-CERT.GOV

Tanium’s IOC Funnel delivers rapid indicator-based threat detection and response for the retail industry and other large enterprises with up to hundreds of thousands of endpoints. New, out of the box capabilities support subscription to cyber threat intelligence feeds like IOCBucket so security professionals can stay up to date on the latest threats like Backoff and its variants. IOC Funnel can be scheduled to scan for threats automatically, adding new IOCs as they become available or supporting in house built IOCs in a wide range of formats. IOCs can be shared among teams, customized, packaged, prioritized and scheduled for execution.  Targeted IOCs can automatically run against new endpoints as they come online or exceed risk thresholds. Paired with the Tanium Platform, users gain immediate visibility into threats across their enterprise and they can quickly seize control for remediation or deeper analysis. Tanium can even take action automatically in response to threats.

To use Tanium’s IOC Funnel to hunt the entire Backoff Point-of-Sale family of malware across your enterprise start by adding the IOC Bucket stream.  Within Tanium IOC Funnel click on the Settings menu item and click on IOC Streams…

Click on the Add Stream button and enter the IOC stream URL.


After clicking the Add button you will see the feed available.  Once you click on the feed you’ll see the available IOCs to download.


Once the Backoff POS malware IOC is downloaded you can hunt the malware across your enterprise by initiating a detect from the Tanium IOC Funnel.  If any results are found they will be displayed to you by endpoint name under the Compromised tab.


Once you scan your enterprise for the Backoff Point-of-Sale malware you want to protect your enterprise by detecting this compromise in the future.  This can be done by scheduling the Tanium IOC Funnel to do a detect of the Backoff Point-of-Sale malware across your enterprise once an hour.

From the Settings menu, click Schedule…  This will open the Evaluation Scheduler.  To add a scheduled detection click the New button.  In the Scheduled Detections window prompt provide a name, the target group of endpoints to scan, a scan interval as well as which IOCs to scan.


If you would like more information or help on getting and using Tanium IOC Funnel to protect your enterprise please contact your TAM or send a note to

Have more questions? Submit a request