Cybercriminals could run new targeted attacks on retailers or rely on botnets to identify vulnerable payment systems

Nov 16, 2014 20:46 GMT
Cybercriminals could prepare a new POS threat for this year's holiday shopping season

Recent cybercriminal activity has shown that crooks have become more organized and now pick their victims to maximize the payoff of attacks aimed at the card data processed by the point-of-sale (POS) systems of major retailers in the United States.

Carefully planted in payment terminals, just two malware families managed to compromise the financial information of almost 100 million customers.

A third malware family has affected more than 1,000 businesses this year, and according to reports from security researchers, new variants are being developed and the number of infections has reached new heights.

Crooks target major retailers with POS malware

BlackPOS took aim at Target Corporation and stole about 40 million unique credit and debit card records. The attack lasted less than a month and was discovered on December 15, 2013; according to the company's response, the malware had been collecting information since November 27.

At the beginning of September 2014, Home Depot, the largest home improvement retailer in the United States, was alerted that its payment processing system had been compromised. The company acknowledged the incident, and the investigation later revealed that the card data of 56 million customers had been exposed.

Initially, it was believed that the cybercriminals had used BlackPOS, the same malware seen at Target. However, researchers who analyzed the sample found evidence of a different piece of malware, dubbed FrameworkPOS, which shared some similarities with BlackPOS.

After dissecting the malware, researchers reached the conclusion that the cybercriminals behind it were knowledgeable about the targeted infrastructure.

Investigation of the incident showed that the intrusion had occurred in April and that the weak spot was not Home Depot itself but a third party, whose credentials were compromised and used to enter Home Depot's network.

Versatile POS threat affects thousands of businesses

A third malware family hitting retailers this year is Backoff POS. The amount of compromised financial data is unknown, but thousands of retail locations have been affected. Unlike the previous two, it is not used in targeted attacks and can run on a variety of POS units.

Multiple variants have been discovered since the Department of Homeland Security (DHS) issued an alert in August saying that Backoff was responsible for attacks on more than 1,000 businesses across the US.

The malware has left a trail of victims that includes Dairy Queen, which confirmed that the threat impacted nearly 400 of its stores.

UPS has also been affected by this threat: the POS units at 51 of its locations were compromised in a timeframe spanning from January 2014 until August 2014.

Backoff seems to be popular among cybercriminals, as security experts had discovered at least eight strains by the end of August. More recently, Fortinet reported a new variant that includes detection and analysis evasion techniques.

Backoff could be the POS malware of choice this holiday season

Of the three POS malware families, Backoff appears to have recorded the most activity: the number of infections attributed to it grew through the third quarter of the year, and the trend continued into the beginning of November.

It is difficult to predict whether this malware will be the one giving researchers the most trouble this year, or whether it will claim the largest number of victims this holiday shopping season.

However, this possibility exists, especially since there are already so many variations in the wild, suggesting that multiple threat actors work on modifying its code.

On the other hand, targeted attacks are not to be excluded either. Cybercriminals scan for weak systems and can probe them through botnets, gathering information about the target.

A new POS malware strain, either derived from one of the three families above or belonging to an entirely new family, may also emerge.

All we can do is hope that retailers have learned their lessons this year and have taken additional security measures to lower the risk of malicious activity on their systems.

Cyphort analyzed several POS malware families and gathered technical data on their behavior in a report published on November 11.