New point-of-sale malware relies on bots to infect systems

Aug 3, 2014 19:31 GMT

Credit and debit card data is what cybercriminals are after these days and there are plenty of ways to get it, but with thousands of transactions processed by point-of-sale (PoS) systems of large retailers on a daily basis, the payment terminals make for a prime target.

Point-of-sale terminals read the information from the magnetic stripe (magstripe) of a credit or debit card when it is swiped through. The information is then either sent directly to the bank of the retailer, or to a back-of-house (BoH) server that gathers card data from multiple PoS systems and delivers it to a payment processing service.

Regardless of the method used to handle the transactions, an authorization message needs to be returned to the PoS system for the purchase to be accepted; the entire communication is encrypted.

Malware designed for this type of payment system seeks to collect the card information that can be used for online purchases; if the details on the magstripe (Track 1 and Track 2) are also taken, cards can be cloned and used in brick-and-mortar stores.

Infecting PoS systems is a trend on the rise that many security experts warned about towards the end of last year, especially after retailer Target reported it had suffered a breach that led to the loss of card data for about 40 million customers.

The cybercriminals who compromised the Target PoS systems on November 27, 2013, used specific malware that would steal the card information from the memory of the system, where it sits unencrypted before being sent securely for processing.

This method, called RAM scraping, is not new. Dexter, a PoS malware relying on the same memory scraping method for stealing data, was discovered back in 2012, and its code was leaked at one point, giving birth to several variants; StarDust and Revolution are considered subsequent versions of the first Dexter release.

Kaptoxa (slang for “potato” in Russian), a malware that later changed its name to the better known BlackPOS, is believed to have been employed in the Target data breach and has been on sale on underground forums for some time.

Apart from these two, other malicious tools exist, specifically designed for stealing the card data from the memory of PoS systems. Alina is yet another solution of the same malware breed, having several variants and versions crooks can leverage.

Despite its lack of complexity, the ChewBacca malware has managed to steal card data from the RAM of infected PoS systems at dozens of retailers in more than 10 countries, the US, Russia, Australia and Canada among them, since October 2013.

Another PoS malware family, discovered at the beginning of 2014 and responsible for compromising thousands of credit cards in the US and Canada, is JackPOS; security boffins at Fortinet said in a blog post in June that they detected only one version of the threat, but that it had multiple strains.

The criminal activity relying on this type of malicious utilities has increased in both frequency and complexity.

In more recent attacks, cybercriminals have employed botnets to scan for computer systems that can be accessed from afar through remote desktop programs such as LogMeIn, VNC, Microsoft RDP and PCAnywhere. They then look for PoS software and attempt to brute-force the remote login feature with credentials taken from a dictionary file downloaded from the command and control server.

The malware has been dubbed BrutPOS by FireEye, while researchers at IntelCrawler say that the name of the botnet project carrying out the PoS search has been released on underground forums since May 2014.

A recent warning from US CERT (Computer Emergency Readiness Team) puts in the spotlight a new PoS malware family called Backoff, which has been identified in multiple forensic investigations. The organization says that the threat is still persistent as of July 2014.

In this case, memory scraping is not the only method to steal financial information, as Backoff also integrates keylogging functionality, which can help the attacker determine the nature of the captured information.

Although it is not easy to thwart malicious activity targeting PoS systems, there are several controls that can be imposed to limit the risks.

Strong passwords, enabling two-factor authentication and limiting remote access to the systems are among the easiest methods that can prevent attackers from stealing the login credentials.

US CERT also recommends configuring the remote access account to lock after a period of time or after a specific number of failed login attempts.
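The dictionary-driven remote-desktop brute forcing described above and the failed-attempt threshold behind the lockout recommendation can both be checked from Windows Security log data. The following is an added example, not code from the article or from any of the vendors it names; the events are constructed, and the assumption is that failed logons are event ID 4625 with logon type 10 (RemoteInteractive, i.e. RDP), which is the standard Windows meaning of those fields.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of Windows Security log events (not real data).
# Event ID 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2014-07-30T01:50:00", "event_id": 4625, "logon_type": 10, "user": "cashier1", "src_ip": "10.0.0.23"},
    {"time": "2014-07-30T01:50:20", "event_id": 4624, "logon_type": 10, "user": "cashier1", "src_ip": "10.0.0.23"},
    {"time": "2014-07-30T02:14:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.7"},
    {"time": "2014-07-30T02:14:09", "event_id": 4625, "logon_type": 10, "user": "pos", "src_ip": "198.51.100.7"},
    {"time": "2014-07-30T02:14:17", "event_id": 4625, "logon_type": 10, "user": "manager", "src_ip": "198.51.100.7"},
    {"time": "2014-07-30T02:14:25", "event_id": 4625, "logon_type": 10, "user": "posadmin", "src_ip": "198.51.100.7"},
    {"time": "2014-07-30T02:14:33", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.7"},
    {"time": "2014-07-30T02:14:41", "event_id": 4625, "logon_type": 10, "user": "backoffice", "src_ip": "198.51.100.7"},
    {"time": "2014-07-30T03:10:00", "event_id": 4625, "logon_type": 2, "user": "cashier1", "src_ip": "127.0.0.1"},
]


def detect_rdp_brute_force(events, threshold=5, window_seconds=300):
    """Flag sources with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: (failures_in_window, distinct_users_tried)}. One source
    cycling through many usernames is the dictionary-attack pattern; the
    threshold/window pair mirrors an account lockout policy but is evaluated
    per source address, so it also catches attempts spread over many accounts.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of failures in window
    users = defaultdict(set)      # src_ip -> usernames attempted so far
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue              # only failed RemoteInteractive logons count
        ts = datetime.fromisoformat(ev["time"])
        src = ev["src_ip"]
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        users[src].add(ev["user"])
        if len(q) >= threshold:
            alerts[src] = (len(q), len(users[src]))
    return alerts


if __name__ == "__main__":
    for ip, (n, u) in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failed RDP logons in window, {u} distinct usernames")
```

Successful logons (4624) and console failures (logon type 2) are deliberately ignored, so a single mistyped password from a cashier never trips the rule.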

Firewalls for network segmentation of the sensitive systems, changing the default remote desktop listening port, and encrypting the communication to the remote computer through the use of SSH and SSL are also among the recommendations.

Just as important, systems should be reviewed periodically by pen-testing them for weak spots that an intruder could leverage, and employees should be educated to recognize attempts to deceive them into providing cybercriminals with a backdoor into the business' computer systems.

“Companies need to shift their approach to security from an ‘outside-in’ mentality of perimeter-based security to an ‘inside-out’ model where they assume the bad guy is already on the network.”

“Access controls, role-based monitoring and data encryption are critical requirements to protect critical systems from insider threats, which can be especially damaging in concentrated environments like cloud infrastructure,” Eric Chiu, president of cloud control company HyTrust, says via email.