POS Malware, Intercepting Breached Terminals
Several high-profile retail chains have been caught up in a wave of cyber attacks targeting their POS systems, sending ripples throughout the sector.
Most of the intrusions involve malware installed on POS tills to capture credit card data while it resides in temporary memory. Adversaries then use remote access software to extract the captured payment card information.
POS malware has a range of attack capabilities, including the following:
- Botnets (brute force): The botnet scans a range of IP addresses for POS systems that allow Remote Desktop Protocol (RDP) connections. After finding one, it tries to log in to the system with credentials (usernames and passwords) from a list. Upon successful access, it transfers the information to a hacker-controlled Command-and-Control server.
- Keylogging: Keylogging software is often part of POS malware. Hackers use it to record keystrokes entered by retail employees on POS terminals. Keylogging software can also take screenshots, and some variants even record video, to provide hackers with related data.
- RAM scraping: The most common capability of POS malware. Payment card data sits unencrypted in the terminal’s memory for a short time during a transaction; criminals use memory dumpers/RAM scrapers to exploit that small window of opportunity, locate the credit card information, and transfer it to a log file before the data gets encrypted.
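The brute-force step described above leaves a recognisable trace on the target: a burst of failed RDP logons from one source, often against several account names, followed by a success once a listed credential works. The detection routine below is an added example written for this article, not code from the article or from any vendor; it runs over a constructed, simplified export of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and flags a source IP whose failures within a sliding window reach a threshold, raising the severity when a success follows the burst. The log format and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real retailer's data). The line format is a
# simplified export of Windows Security events; 203.0.113.0/24 is a
# documentation range used here as the attacking botnet node.
SAMPLE_LOG = """\
2014-09-01T02:00:01 EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2014-09-01T02:00:02 EventID=4625 LogonType=10 Account=admin SrcIP=203.0.113.7
2014-09-01T02:00:03 EventID=4625 LogonType=10 Account=pos SrcIP=203.0.113.7
2014-09-01T02:00:04 EventID=4625 LogonType=10 Account=manager SrcIP=203.0.113.7
2014-09-01T02:00:05 EventID=4625 LogonType=10 Account=backup SrcIP=203.0.113.7
2014-09-01T02:00:06 EventID=4625 LogonType=10 Account=support SrcIP=203.0.113.7
2014-09-01T02:00:07 EventID=4624 LogonType=10 Account=support SrcIP=203.0.113.7
2014-09-01T08:15:00 EventID=4625 LogonType=10 Account=cashier1 SrcIP=10.20.30.40
2014-09-01T08:15:20 EventID=4624 LogonType=10 Account=cashier1 SrcIP=10.20.30.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Parse the simplified export into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "acct": m["acct"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source whose RDP (logon type 10)
    failures inside a sliding `window` reach `threshold`. If a successful RDP
    logon from the same source follows the burst, severity is raised to
    'success_after_burst' (a listed credential probably worked)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["lt"] == 10 and e["eid"] in (4624, 4625):
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["eid"] == 4625]
        start, burst_end, accounts = 0, None, set()
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                accounts.update(f["acct"] for f in fails[start:end + 1])
        if burst_end is None:
            continue
        success_after = any(e["eid"] == 4624 and e["ts"] >= burst_end for e in evs)
        alerts[ip] = {
            "failures": len(fails),
            "accounts": sorted(accounts),
            "severity": "success_after_burst" if success_after else "burst",
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, alert)
```

The single failed logon from 10.20.30.40 (a cashier mistyping a password) never reaches the threshold and produces no alert, while the six rapid failures from 203.0.113.7 across six different account names, capped by a success, are reported at the higher severity; in practice the same logic feeds a SIEM rule, and the success-after-burst case is the one to page on.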
Hackers, when equipped with POS malware, turn their attention to POS terminals. These terminals may not have direct connectivity to the internet, but they will have some connection to the retailer’s corporate network. Hackers, as a result, target the corporate network first. They exploit vulnerabilities in external-facing systems using techniques such as SQL injection on the web server. After gaining access to the network, they inject the malware and take steps to keep the activity undetected. These steps include tampering with security implementations or scrubbing log files. Hackers may also mimic official communication protocols to avoid detection.
Highlighted POS malware
Since POS systems are connected to the corporate network and their security implementations are weak-to-average, they are vulnerable to point-of-sale malware. The following is a list of POS malware types highlighted in retail breach incidents:
Hackers use this malware to infect Windows-based POS systems equipped with card readers. Criminals discover the point-of-sale terminals through internet scans, and then exploit unpatched vulnerabilities or weak remote administration credentials. The malware scans system processes for Track 1 or Track 2 formatted data and stores it in an ‘output.txt’ file, before uploading it to a hacker-controlled server via FTP. BlackPOS has been detected in the data breaches at Home Depot and Target.
Over 1,000 businesses in the US have fallen victim to this malware. The new name of this malware is ‘ROM’, and, according to a report, its newer version has been upgraded to encrypt connections between infected POS systems and the C2 servers controlled by adversaries. Backoff malware affected the Dairy Queen chain. The latest version is also challenging to detect despite security implementations.
Researchers at McAfee first detected vSkimmer. The botnet-like malware infects Windows-based POS machines to steal payment card information. It attaches itself to the ‘iexplorer.exe’ process and persists by rewriting a registry key. Subsequently, it steals information and transfers it to a third-party server. If hackers are unable to reach the machine over the corporate network, the malware can also capture data offline via a USB device connected to the POS machine.
The malware, based on a report by Seculert, infects Windows-based POS machines and then scrapes payment card information as a user enters it on the infected machine, in a way that is different from phishing attempts. By analyzing memory dumps of specific processes, it searches for Track 1 and Track 2 data and redirects the information to a compromised server.
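Every family above ends up with the same artefact: Track 1 or Track 2 records written to a staging file (the ‘output.txt’ of BlackPOS) or a memory dump. A defender can turn that into a check: PCI DSS requires that cleartext card data not be left at rest, so scanning files recovered from a till, or a memory image taken during an investigation, for track-format records confirms whether a scraper has staged anything. The scanner below is an added example written for this article, not code from the article or from any of the tools it describes. It matches the ISO 7813 track layouts, applies a Luhn check so that number-like noise is not reported, and masks the PAN to BIN plus last four before anything is printed; the sample blob is constructed, and 4111111111111111 is the well-known test PAN, not a real card.

```python
import re

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,60}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: separates real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_bytes(blob: bytes):
    """Return (findings, rejected): findings are Luhn-valid track records with the
    PAN masked, ordered by offset; rejected counts pattern hits that failed Luhn."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        expiry_group = 3 if track == 1 else 2   # track 1 has the name between PAN and expiry
        for m in rx.finditer(blob):
            hits.append((m.start(), track, m.group(1).decode(), m.group(expiry_group).decode()))

    findings, rejected = [], 0
    for offset, track, pan, expiry in sorted(hits):
        if not luhn_ok(pan):
            rejected += 1
            continue
        findings.append({"offset": offset, "track": track, "pan": mask_pan(pan), "expiry": expiry})
    return findings, rejected


# Constructed sample standing in for a scraper's staging file such as 'output.txt'.
# The first two records carry a test PAN; the third is a sensor reading that happens
# to match the Track 2 shape and must be rejected by the Luhn check.
SAMPLE = (
    b"receipt #1043 total 19.99\n"
    b"%B4111111111111111^DOE/JANE^25121011000000000?\n"
    b";4111111111111111=25121011000000000?\n"
    b"sensor log ;1234567890123456=25121010000000000? (not a card)\n"
)

if __name__ == "__main__":
    found, rej = scan_bytes(SAMPLE)
    for f in found:
        print(f"track {f['track']} at offset {f['offset']}: PAN {f['pan']} exp {f['expiry']}")
    print(f"{rej} pattern hit(s) rejected by Luhn")
```

Run against a directory of files pulled from a suspect till (reading each with `open(path, "rb")` and passing the bytes to `scan_bytes`), a non-empty result is strong evidence that scraping has occurred on that machine, and the offsets tell the investigator where in the file or image the records sit; because the PAN is masked before output, the report itself does not become another copy of cleartext card data.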
Retailers need to reassess their security implementations according to the Payment Card Industry (PCI) Data Security Standards. Additionally, they should take into account the following measures to reduce the vulnerability of their POS terminals:
1. Secure the corporate network
It’s important to check that the firewall is properly configured and that only authorized IP addresses and services are allowed to connect, particularly in the outbound rules. That’s because cyber criminals often exploit misconfigured entry points that let ports communicate with an IP on the internet.
Retailers can also segment the payment processor network, while making strict access control lists and applying them on router configuration to filter out malicious traffic. Lastly, they should ensure the payment processing environment responsible for storing payment card information is secure.
2. Leverage threat intelligence feeds
Malware can sometimes go undetected even where security is sophisticated. Massive’s global feed will provide retailers with immediate notification of infected POS terminals as well as Track 2 data, full XML data, profiles of vulnerable merchants and databases extracted from intricate POS terminals.
The information is collected through raw data interception. If your POS system is breached, the feed will also intercept what consumer and financial information is being extracted. As a result, you can learn of a breach by seeing the data targeted through the criminal’s eyes.
3. Secure the register
Make sure the software installed on the cash register and point-of-sale terminal is up to date. Programs such as anti-virus and file integrity monitoring must be installed, and strong passwords must be used for all of them.
Checksums of the installed files should also be taken and compared to detect malicious files. Unapproved processes can be prevented with application whitelisting. Unnecessary services and null sessions should be disabled as well.
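File integrity monitoring and the checksum advice above come down to one loop: record a hash of every file on the register while it is known-good, then periodically re-hash and report anything added, removed or changed. Because the article notes that intruders tamper with security tooling and scrub logs, the baseline itself needs protection, so the example seals it with an HMAC under a key that is kept off the terminal. This is an added example written for this article, not code from the article or from any FIM product; the directory layout, file contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline, key):
    """Attach an HMAC so a baseline edited on a compromised host is detectable.
    The key must live off the terminal (e.g. on the monitoring server)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_sealed(sealed, key):
    """Verify the HMAC before trusting a stored baseline; raise on mismatch."""
    body = json.dumps(sealed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline integrity check failed")
    return sealed["baseline"]


def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed walk-through: baseline a toy register, then simulate what the
    article describes (a binary altered, a staging file appearing) and also an
    attempt to edit the stored baseline so the change would go unnoticed."""
    key = b"constructed-demo-key-kept-off-host"   # assumption: provisioned from the monitoring server
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"pretend POS binary v1")
        (root / "config.ini").write_text("terminal=1\n")
        sealed = seal_baseline(build_baseline(root), key)

        (root / "bin" / "pos.exe").write_bytes(b"pretend POS binary v1 + injected code")
        (root / "output.txt").write_text("staged data\n")
        report = compare(load_sealed(sealed, key), build_baseline(root))

        tampered = {"baseline": dict(sealed["baseline"]), "hmac": sealed["hmac"]}
        tampered["baseline"]["output.txt"] = hash_file(root / "output.txt")
        try:
            load_sealed(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

In deployment the baseline is rebuilt only after an approved software update, the comparison runs on a schedule from the monitoring side, and an unexpected new file in the application directory is treated as an incident rather than filtered out; the HMAC step is what stops an intruder with local administrator rights from simply rewriting the stored hashes to match the altered binary.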
Retailers need to follow the recommended security implementations and keep up to date with the POS malware landscape to protect payment card information and, more importantly, their reputation.