The Arbor Security Engineering & Response Team has compiled the 2014-6 report

May 13, 2014 13:21 GMT  ·  By

Arbor Networks’ Arbor Security Engineering & Response Team (ASERT) has published its Threat Intelligence Brief 2014-6. The report analyzes point-of-sale (POS) malware and attack campaigns.

Experts highlight the fact that attacks targeted at POS systems have evolved a great deal over the past few years.

Initially, cybercriminals relied on opportunistic attacks to steal credit and debit card data. However, they later moved on to memory-scraping POS botnets, and more recently to sophisticated custom malware created for highly targeted attacks.

Arbor has been monitoring several threats designed to target POS systems, including Dexter, Project Hook, Alina, Vskimmer, Chewbacca, JackPOS, BlackPOS, and others. The report covers some of these pieces of malware and provides details regarding the attacks they’ve been involved in, spreading mechanisms, and command and control (C&C) infrastructures.

Researchers have also stumbled upon what they call a “POS attackers’ toolkit.” The toolkit contains everything cybercriminals need to steal payment card data.

The threat intelligence brief also offers some information based on NetBIOS scan data provided by the Shadowserver Foundation. The data shows that it’s not difficult for cybercriminals to identify POS systems that they can target.

Experts identified a total of 1,089 POS systems just by checking for ten default names. Of these, 68 were found to be running Remote Desktop on TCP port 3389, and 20 were running VNC on TCP port 5900.

Researchers haven’t tested whether these systems are vulnerable, but the finding demonstrates that cybercriminals can easily identify potential targets.

The most notable targeted attacks are the ones aimed at Target, Schnucks, Neiman Marcus, and Aaron Brothers. Except for Target, whose systems were fully compromised for only around 19 days, the other organizations’ computers were under the control of cybercriminals for over 100 days.

“The longevity and extent of attack campaigns is a serious concern. In organizations with security teams and well-managed network infrastructure, point of sale compromises have proliferated for months prior to detection,” Curt Wilson, a member of ASERT, notes.

“If attackers are able to launch long-running campaigns in such enterprise retail environments, one can conclude that many other organizations with less mature network and infrastructure management are also at serious risk.”

The complete ASERT Threat Intelligence Brief 2014-6 is available on Arbor Networks’ website. The report also contains useful advice on how to mitigate such attacks, including detecting malware activity over Tor and data exfiltration.