BreachExchange mailing list archives

PoS Malware Attacks Increase, Simple Solutions Could Stop Some of Them


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Aug 2014 18:51:52 -0600

http://news.softpedia.com/news/PoS-Malware-Attacks-Increase-Simple-Solutions-Could-Srop-Some-of-Them-453271.shtml

Credit and debit card data is what cybercriminals are after these days and
there are plenty of ways to get it, but with thousands of transactions
processed by point-of-sale (PoS) systems of large retailers on a daily
basis, the payment terminals make for a prime target.

Point-of-sale terminals read the information from the magnetic stripe
(magstripe) of a credit or debit card when it is swiped through. The
information is then either sent directly to the bank of the retailer, or to
a back-of-house (BoH) server that gathers card data from multiple PoS
systems and delivers it to a payment processing service.

Regardless of the method used to handle the transactions, an authorization
message needs to be returned to the PoS system for the purchase to be
accepted; the entire communication is encrypted.

Malware designed for this type of payment system seeks to collect the
information on the card that can be used for online purchases, and if the
details on the magstripe (Track 1 and Track 2) are also taken, cards can be
cloned and used in brick-and-mortar stores.

Infecting PoS systems is a rising trend that many security experts warned
about towards the end of last year, especially since retailer Target
reported it suffered a breach that led to the loss of card data for
about 40 million customers.

The cybercriminals who compromised the Target PoS systems on November 27,
2013, used specific malware that would steal the card information from the
memory of the system, where it is not encrypted before being sent securely
for processing.

This method, called RAM scraping, is not new. Dexter, one PoS malware
relying on the same memory scraping method for stealing data, was
discovered back in 2012, and its code was leaked at one point, giving
birth to several variants, StarDust and Revolution being considered
subsequent versions of the first Dexter release.

Kaptoxa (slang for “potato” in Russian), a malware that later changed its
name to the better known BlackPOS, is believed to have been employed in the
Target data breach and has been on sale on underground forums for some time.

Apart from these two, other malicious tools exist, specifically designed
for stealing the card data from the memory of PoS systems. Alina is yet
another solution of the same malware breed, having several variants and
versions crooks can leverage.

Despite its simplicity, the ChewBacca malware managed to steal card data
from the RAM of infected PoS systems at dozens of retailers in more than
10 countries, the US, Russia, Australia and Canada among them, since
October 2013.

Another PoS malware family, discovered at the beginning of 2014 and
responsible for compromising thousands of credit cards in the US and
Canada, is JackPOS; security boffins at Fortinet said in a blog post in
June that they detected only one version of the threat, but that it had
multiple strains.

The criminal activity relying on this type of malicious utilities has
increased in both frequency and complexity.

In more recent attacks, cybercriminals have employed botnets to scan for
computer systems that can be accessed remotely through remote desktop
programs such as LogMeIn, VNC, Microsoft RDP and PCAnywhere. Then they look
for PoS software and attempt to brute-force the remote login feature with
credentials available in a dictionary file downloaded from the command and
control server.

The malware has been dubbed BrutPOS by FireEye, while researchers at
IntelCrawler say that the name of the botnet project carrying out the PoS
search has been circulating on underground forums since May 2014.

A recent warning from US CERT (Computer Emergency Readiness Team) puts in
the spotlight a new PoS malware family called Backoff, which has been
identified in multiple forensic investigations. The organization says that
the threat is still persistent as of July 2014.

In this case, memory scraping is not the only method to steal financial
information, as Backoff also integrates keylogging functionality, which can
help the attacker determine the nature of the captured information.

Although it is not easy to thwart malicious activity targeting PoS systems,
there are several controls that can be imposed to limit the risks.

Strong passwords, enabling two-factor authentication and limiting remote
access to the systems are among the easiest methods that can prevent
attackers from stealing the login credentials.

US CERT also recommends configuring the remote access account to lock after
a period of time or after a specific number of failed login attempts.
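As an added illustration of that lockout control (example code, not from the article or from US CERT), the following Python detector replays constructed remote-access authentication log lines and flags any source that exceeds a failure threshold against one host inside a time window, listing the usernames tried, which is the signature of the dictionary attack described above. The log format, field order and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system):
# "timestamp host user result source_ip" for remote-access logins.
SAMPLE_LOG = """\
2014-07-30T02:14:05 pos-01 admin FAIL 203.0.113.7
2014-07-30T02:14:06 pos-01 admin FAIL 203.0.113.7
2014-07-30T02:14:07 pos-01 administrator FAIL 203.0.113.7
2014-07-30T02:14:08 pos-01 pos FAIL 203.0.113.7
2014-07-30T02:14:09 pos-01 pos1 FAIL 203.0.113.7
2014-07-30T02:14:10 pos-01 manager FAIL 203.0.113.7
2014-07-30T02:20:00 pos-02 cashier OK 198.51.100.20
2014-07-30T02:21:00 pos-02 cashier FAIL 198.51.100.20
2014-07-30T02:45:00 pos-02 cashier OK 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL) (\S+)$")

def detect_bruteforce(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return [(source_ip, host, sorted_users_tried, failure_count)] for each
    source whose failed logins against one host exceed max_failures within a
    sliding window. This is the point at which a lockout policy would lock
    the account or block the source; one alert per (source, host)."""
    recent = defaultdict(deque)   # (source, host) -> deque of (timestamp, user)
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not an authentication event
        ts_s, host, user, result, src = m.groups()
        if result != "FAIL":
            continue              # successful logins do not count toward lockout
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S")
        q = recent[(src, host)]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) > max_failures and (src, host) not in alerted:
            alerted.add((src, host))
            alerts.append((src, host, sorted({u for _, u in q}), len(q)))
    return alerts

if __name__ == "__main__":
    for src, host, users, n in detect_bruteforce(SAMPLE_LOG):
        print(f"lockout candidate: {src} -> {host}: {n} failures, users tried {users}")
```

The single cashier failure followed by a successful login stays below the threshold, so only the dictionary run against pos-01 is reported.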

Firewalls for network segmentation of the sensitive systems, changing the
default remote desktop listening port, and encrypting the communication to
the remote computer through the use of SSH and SSL are also among the
recommendations.

Just as important, systems should be reviewed periodically by pen-testing
them for weak spots that an intruder could leverage, and employees
should be educated to recognise attempts to deceive them into providing
cybercriminals with a backdoor to the business’ computer systems.

“Companies need to shift their approach to security from an ‘outside-in’
mentality of perimeter-based security to an ‘inside-out’ model where they
assume the bad guy is already on the network.”

“Access controls, role-based monitoring and data encryption are critical
requirements to protect critical systems from insider threats, which can be
especially damaging in concentrated environments like cloud
infrastructure,” Eric Chiu, president of cloud control company HyTrust,
says via email.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss