Retailers large and small are swarming with point-of-sale malware. Attackers have one goal: to steal customer credit card data.
To help keep your business and your clients safe, we want to review this threat and describe how it generally works.
3 types of POS malware
POS malware is designed for endpoint systems that have sales software and a card reader. It is often broken into three categories:
1. RAM scrapers / memory dumpers
POS systems are among the most popular targets for card thieves because they typically hold cardholder data for a moment before it is encrypted. This tiny window of opportunity is all a RAM scraper needs to grab the data from memory and send it to a log file.
RAM scrapers are the most prevalent type of POS malware today. Organizations can limit their exposure by detecting these attacks early, which makes security monitoring essential.
2. Network sniffers
Though somewhat out of vogue, network sniffers were a major concern before cardholder data was encrypted during internal transmission.
Today, PCI DSS requires companies to encrypt cardholder data during all transmissions, whether inside or outside the corporate network. This makes network sniffers a less-appealing weapon to thieves today.
3. Key loggers
Though considered by some to be a separate malware category of their own, key loggers are often used as part of popular POS malware packages.
The malware records keystrokes as they are entered in a terminal. Some even take screenshots and video to help attackers find the most relevant data.
Most popular POS malware
Backoff is one of the hottest POS threats in the news today. The Secret Service estimates that more than 1,000 businesses have been hit by this malware alone.
Backoff has four major capabilities (not all are included in every variant) :
1. Memory scraping
2. Keystroke logging
3. Command and control communication. This can be used to update the malware, install more malware, or have the compromised machine operate as part of a botnet.
4. Injection of a malicious stub into explorer.exe. This is for added persistence.
Other popular POS malware toolkits include:
What does a POS attack look like?
POS malware does not spread and deploy automatically like a worm. It must be tailored and installed directly by the attacker to be most effective.
Steps of a typical attack include:
Step #1. Breach the corporate network
POS systems are often segmented on a network and are not public-facing. This forces remote attackers to enter through the corporate network. Attackers look for weaknesses in external facing systems, perhaps brute-forcing a remote login system.
Remote administration utilities, such as Remote Desktop and pcAnywhere, are the most popular means of entry.
Step #2. Breach the cardholder data environment (CDE)
Attackers next must identify the CDE and gain access, thereby gaining access to POS systems. User credentials are typically required.
Attackers may receive credentials through keystroke logging, spear phishing, or by other means. However, many POS systems rely on default credentials that are common across all systems of the same type – which is a massive security flaw.
Step #3. Install malware
POS malware is often tailored to the target environment and rigorously tested to avoid detection and removal. Cardholder data scraped from the system’s memory is typically routed to a compromised server within the corporate network for aggregation in a log file.
Step #4. Exfiltrate data
The log file is encrypted and periodically sent to an external system, which can be a trusted third-party server compromised by the attacker. The transmission may occur as part of legitimate communications to avoid detection.
Stay tuned for our next post on how to prevent POS malware and attacks.