Retailers large and small are swarming with point-of-sale malware. Attackers have one goal: to steal customer credit card data.
POS malware is the prime suspect in major breaches at Home Depot, SuperValu, Target, and other large retailers. Even a New Orleans restaurant had 8,000 customer cards exposed in a POS attack.
To help keep your business and your clients safe, we want to review this threat and describe how it generally works.
POS malware is designed for endpoint systems that have sales software and a card reader. It is often broken into three categories:
POS systems are among the most popular targets for card thieves because they typically hold cardholder data for a moment before it is encrypted. This tiny window of opportunity is all a RAM scraper needs to grab the data from memory and send it to a log file.
RAM scrapers are the most prevalent type of POS malware today. Organizations can limit their exposure by detecting these attacks early, which makes security monitoring essential.
Though somewhat out of vogue, network sniffers were a major concern before cardholder data was encrypted during internal transmission.
Today, PCI DSS requires companies to encrypt cardholder data during all transmissions, whether inside or outside the corporate network. This makes network sniffers a less-appealing weapon to thieves today.
Though considered by some to be a separate malware category of their own, key loggers are often used as part of popular POS malware packages.
The malware records keystrokes as they are entered in a terminal. Some even take screenshots and video to help attackers find the most relevant data.
Backoff is one of the hottest POS threats in the news today. The Secret Service estimates that more than 1,000 businesses have been hit by this malware alone.
Backoff has four major capabilities (not all are included in every variant) :
1. Memory scraping
2. Keystroke logging
3. Command and control communication. This can be used to update the malware, install more malware, or have the compromised machine operate as part of a botnet.
4. Injection of a malicious stub into explorer.exe. This is for added persistence.
Other popular POS malware toolkits include:
POS malware does not spread and deploy automatically like a worm. It must be tailored and installed directly by the attacker to be most effective.
Steps of a typical attack include:
POS systems are often segmented on a network and are not public-facing. This forces remote attackers to enter through the corporate network. Attackers look for weaknesses in external facing systems, perhaps brute-forcing a remote login system.
Remote administration utilities, such as Remote Desktop and pcAnywhere, are the most popular means of entry.
Attackers next must identify the CDE and gain access, thereby gaining access to POS systems. User credentials are typically required.
Attackers may receive credentials through keystroke logging, spear phishing, or by other means. However, many POS systems rely on default credentials that are common across all systems of the same type – which is a massive security flaw.
POS malware is often tailored to the target environment and rigorously tested to avoid detection and removal. Cardholder data scraped from the system’s memory is typically routed to a compromised server within the corporate network for aggregation in a log file.
The log file is encrypted and periodically sent to an external system, which can be a trusted third-party server compromised by the attacker. The transmission may occur as part of legitimate communications to avoid detection.
Stay tuned for our next post on how to prevent POS malware and attacks.
Ransomware: Hello Critroni and Goodbye Cryptolocker
Top Threats: How to prevent Cryptolocker
PCI DSS for IT Providers – The rules and impact on MSPs and Resellers
