POS Malware: Review of the retail attacker

Retailers large and small are swarming with point-of-sale malware. Attackers have one goal: to steal customer credit card data.

POS malware is the prime suspect in major breaches at Home Depot, SuperValu, Target, and other large retailers. Even a New Orleans restaurant had 8,000 customer cards exposed in a POS attack.

To help keep your business and your clients safe, we want to review this threat and describe how it generally works.

3 types of POS malware

POS malware is designed for endpoint systems that have sales software and a card reader. It is often broken into three categories:

1. RAM scrapers / memory dumpers

POS systems are among the most popular targets for card thieves because they typically hold cardholder data in memory for a moment before it is encrypted. This tiny window of opportunity is all a RAM scraper needs to grab the data from memory and write it to a log file.

RAM scrapers are the most prevalent type of POS malware today. Organizations can limit their exposure by detecting these attacks early, which makes security monitoring essential.

2. Network sniffers

Though somewhat out of vogue, network sniffers were a major concern before cardholder data was encrypted during internal transmission.

Today, PCI DSS requires companies to encrypt cardholder data during all transmissions, whether inside or outside the corporate network. This makes network sniffers a less appealing weapon for thieves today.

3. Key loggers

Though considered by some to be a separate malware category of their own, key loggers are often used as part of popular POS malware packages.

The malware records keystrokes as they are entered in a terminal. Some even take screenshots and video to help attackers find the most relevant data.

Most popular POS malware

Backoff is one of the hottest POS threats in the news today. The Secret Service estimates that more than 1,000 businesses have been hit by this malware alone.

Backoff has four major capabilities (not all are included in every variant):

1. Memory scraping
2. Keystroke logging
3. Command and control communication. This can be used to update the malware, install more malware, or have the compromised machine operate as part of a botnet.
4. Injection of a malicious stub into explorer.exe. This is for added persistence.

Other popular POS malware toolkits include:

1. Trackr/Alina
2. BlackPOS
3. vSkimmer
4. Dexter

What does a POS attack look like?

POS malware does not spread and deploy automatically like a worm. It must be tailored and installed directly by the attacker to be most effective.

Steps of a typical attack include:

Step #1. Breach the corporate network

POS systems are often segmented on a network and are not public-facing. This forces remote attackers to enter through the corporate network. Attackers look for weaknesses in external-facing systems, perhaps brute-forcing a remote login system.

Remote administration utilities, such as Remote Desktop and pcAnywhere, are the most popular means of entry.

Step #2. Breach the cardholder data environment (CDE)

Attackers next must identify the CDE and gain access to it, which in turn gives them access to the POS systems. User credentials are typically required.

Attackers may receive credentials through keystroke logging, spear phishing, or by other means. However, many POS systems rely on default credentials that are common across all systems of the same type – which is a massive security flaw.

Step #3. Install malware

POS malware is often tailored to the target environment and rigorously tested to avoid detection and removal. Cardholder data scraped from the system’s memory is typically routed to a compromised server within the corporate network for aggregation in a log file.

Step #4. Exfiltrate data

The log file is encrypted and periodically sent to an external system, which can be a trusted third-party server compromised by the attacker. The transmission may occur as part of legitimate communications to avoid detection.
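As an added example that is not part of the original post: a defender-side file scanner for the kind of aggregation log described in Step #3. It flags records in ISO 7813 magnetic-stripe (Track 1 / Track 2) layout, Luhn-checks the account number so random digit runs are not reported as cards, and masks the PAN before it is printed. The log lines and card numbers below are constructed test values, not data from any real breach.

```python
import re

# Constructed sample of an aggregation log like the one described in Step #3.
# The PANs are published test-card numbers (4111..., 5555...) plus one
# Luhn-invalid decoy; none belong to a real cardholder.
SAMPLE_LOG = """\
2014-08-17 02:13:44 pid=2744 ;4111111111111111=25121010000012300000?
2014-08-17 02:13:45 pid=2744 %B5555555555554444^DOE/JOHN^25121011000000000?
2014-08-17 02:13:46 pid=2744 ;1234567890123456=25121010000000000000?
2014-08-17 02:13:47 pid=2744 sale ok terminal=07 amount=12.99
"""

# ISO 7813 magnetic-stripe layouts: Track 1 starts with %B, Track 2 with ';'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text: str) -> list:
    """Return one finding per track-formatted record, with the PAN masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for track, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in regex.finditer(line):
                pan, expiry = m.group(1), m.group(2)
                findings.append({
                    "line": line_no,
                    "track": track,
                    "pan": mask_pan(pan),
                    "expiry": expiry,  # YYMM as stored on the stripe
                    "luhn_ok": luhn_ok(pan),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_LOG):
        print(finding)
```

A finding with luhn_ok false is usually noise, but a file full of Luhn-valid track records is exactly the artifact to look for when hunting for a scraper's staging server.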

Stay tuned for our next post on how to prevent POS malware and attacks.



Written by Calyptix

August 17, 2014

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.