[BreachExchange] The POS Malware Threat: All You Need to Know

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 27 19:56:36 EST 2016


http://www.sitepronews.com/2016/12/27/the-pos-malware-threat-all-you-need-to-know/

Criminal behavior is hardly a new concept, and just as reliable as death
and taxes. Criminals are finding new ways to steal things with every social
and technical advancement society makes. In our information-driven,
computer-based world, the outlaws are using computers and systems to rob
the train in a new version of an old story. We call this new version
cyber-crime.

Cyber-crime is manipulation of computers and networked systems to enable
criminal behavior. Often the goal is the theft of information for financial
gain, but sometimes the plan is sabotage, or redirecting users forcibly to
a particular website that sells software or goods and services. As many
ways as we choose to engage with information technology, there are at least
as many ways to cheat, steal and deceive the users of that technology.
Attacks on systems that hold information, sabotage of websites that provide
information and services, and breaches of secure communications are all
becoming more common.

One of the most potentially profitable areas for criminals is in breaching
point-of-sale, or POS, software. With so much to gain, skilled hackers can
attack the POS system of a business on a very large scale, compromising
credit cards and stealing identity information from thousands of users at
once, while using the network connections of the system itself to export,
or exfiltrate, the stolen information.

The POS Malware Threat

The threat that POS attacks pose to commerce strikes at the heart of any
business that takes cards: trust in the payment process and in the company
that offers it. For this reason, the Payment Card Industry Security
Standards Council (PCI SSC) publishes the PCI Data Security Standard (PCI
DSS), which applies to any organization that handles credit, debit and ATM
transactions and to the supporting organizations that store, transmit or
process cardholder data. This is the data hackers capture to commit card
fraud and identity theft. A POS breach exposes customers to financial harm
and merchants to reputational damage, loss of business and recovery costs.
Among other things, PCI DSS requires that stored card data be rendered
unreadable and that card data be encrypted whenever it crosses open,
public networks.

POS malware is especially dangerous because it is designed to steal the data
encoded on the magnetic stripe of a credit or debit card. That data is most
exposed during the brief window after the card is read and before the POS
application encrypts it for transmission: at that moment the track data sits
in cleartext in the memory of the POS process. POS malware therefore targets
this window, reading the card data directly out of process memory in a
technique known as "RAM scraping". Encrypting stored and transmitted data,
as PCI DSS requires, does not close this window; only encryption inside the
card reader itself (point-to-point encryption) keeps cleartext track data
out of the terminal's memory. Securing the system at this point is hard,
partly because of where the terminal sits in the network, partly because of
its role in collecting the data and, finally, because it depends on the care
and caution of human operators. An unhappy employee or a skilled social
engineer can gain initial access in a very low-tech way.
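To make the RAM-scraping step concrete, here is an added example (written for this page, not code from the article or from any malware family it names) of the pattern matching a scraper performs once it can read the POS process's memory. The same logic is what an incident responder runs over a process dump to confirm that track data was exposed. The track layouts follow ISO/IEC 7813; the sample buffer, the regular expressions and the test card numbers are the example's own constructions.

```python
import re

# Constructed sample of what POS process memory can look like right after a
# swipe: two cleartext track records plus one with a mistyped PAN, surrounded
# by unrelated bytes. Industry test numbers only; not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS v2.1\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000?\x00\x00"
    b";5500000000000004=25121011000000?\x00garbage"
    b";4111111111111112=25121011000000?\x00"
)

# Track 1 (format B) and Track 2 layouts as defined by ISO/IEC 7813. The
# patterns are this example's own approximation, not copied from any malware.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """True when the PAN passes the Luhn check digit test (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(buf: bytes) -> list:
    """Return the Luhn-valid track records found in a memory buffer.

    This is the matching step of a RAM scraper; an analyst runs the same
    logic over a process dump to confirm that card data was exposed.
    """
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode("ascii"),
                         "exp": m.group(3).decode("ascii")})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "exp": m.group(2).decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


def masked(pan: str) -> str:
    """First six and last four digits only, the form that is safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for h in scrape(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: "
              f"{masked(h['pan'])} exp {h['exp']}")
```

The third record in the sample buffer looks like a track but fails the Luhn check, so it is dropped; this is the same filtering that lets malware avoid sending junk to its operators, and it is also why an analyst's scan of a dump should report only Luhn-valid hits when estimating exposure.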

Small businesses often transmit card data over cellular data networks,
which are exposed in their own way; large businesses are exposed
differently. Though they usually have their own back-end systems to
transmit data, those systems are vulnerable to trojans and other malware
that can be deployed on the network, spread laterally and made persistent
– that is, set up to survive reboots and to reinstall itself if it is
detected and removed. Moreover, if the malware has taken control of the
network management software, it can evade detection for quite some time –
long enough to steal a great deal of information.

Adding to the vulnerability, many POS terminals run a version of Microsoft
Windows, often an embedded or older build that is patched infrequently, so
attackers can reuse well-understood Windows tooling to gain access to the
terminal, bypass its security controls and develop malware targeted at the
POS application.

In addition, devices in many corners of the Internet of Things have been
found for sale already infected with malware. Several years ago, Trend
Micro reported on fake POS machines that skimmed the card data and then
declined the transaction. Users of POS software must exercise great
diligence in choosing and protecting their point-of-sale system.

POS Malware Families

Security groups have identified a number of POS malware families. POS
malware is described in ‘families,’ because each contains a number of
variants. A brief description of some of the most active families follows.

ALINA: The Alina malware family, also known as "Trackr", is one of the most
basic types of POS malware. It scans the system's memory for valid card
data. Once stolen, the data are sent to command-and-control (C&C) servers
with a simple HTTP POST request. Alina uses its own C&C structure, encrypts
the data it exfiltrates, and kills Windows processes that might interfere
with it.

vSkimmer: The vSkimmer malware family can be found prebuilt and readily
available online. It created a lot of buzz on its first appearance because
of the ease of deployment: vSkimmer can be installed through a USB thumb
drive, as malware attached to an email message, through a website, or using
similar simple methods. Once installed, vSkimmer collects information on
the POS system itself, such as the operating system and version, hostname,
and various other critical characteristics and uses that information to
tune the software to the system. Interestingly, vSkimmer does not need the
POS system to be connected to the Internet in order to run. If it is
connected, vSkimmer will use that connection, but if it is not, the
information is stored until someone connects a USB device with a particular
name, and then it copies the stolen information onto the USB device, so it
can later be uploaded to the hacker’s own C&C server.

Dexter: Dexter is a POS malware family whose activities are not limited to
stealing card information; it also identifies and records system
information. In addition, it installs a keylogger to capture all keystrokes
– often a way to trap passwords and other credentials. Dexter malware has
several versions: Star Dust, Millennium, and Revelation, each more
sophisticated than the previous version. Dexter malware can be embedded in
files stored on Windows servers and deploys from there. Later versions also
can exfiltrate using FTP, which allows a larger data export to a single
location.

FYSNA/Chewbacca: The FYSNA/Chewbacca malware family is a basic type of POS
malware, but it added a new challenge by utilizing the Tor anonymity
network to secure its C&C operations, making the detection of a breach and
subsequent investigation more difficult.

Decebel: The Decebel malware family added an elaborate evasion mechanism.
Before running, Decebel checks for the presence of analysis tools and stays
dormant if it finds them, so that it is not studied in a sandbox or on an
analyst's machine. This buys the attack more time before the scheme is
detected and removed. Like much other POS malware, Decebel uses HTTP POST
to upload stolen data to its C&C server.

BlackPOS: BlackPOS is the best-known POS malware family, and it is easily
obtained, as its source code has been posted online. BlackPOS has a number
of variants with added sophistication: one variant, for instance, only
operates during business hours, between 10 a.m. and 5 p.m., when its
traffic blends in with normal activity. BlackPOS, like Dexter, uses FTP to
upload stolen data to the attacker's server. In both cases, consolidating
the stolen data in one place makes it easier for the attackers to handle.

PoSeidon: In March 2015, Cisco's researchers described a new family of POS
malware called PoSeidon. It is highly sophisticated in its methods for
identifying and stealing card data. According to Cisco, "PoSeidon was
professionally written to be quick and evasive with new capabilities not
seen in other PoS malware. It can communicate directly with C&C servers,
self-update to execute new code and has self-protection mechanisms guarding
against reverse engineering." (Cisco statement to Security Week, March 21,
2015) It also checks the validity of card numbers (the Luhn check digit),
so that it does not waste the attacker's time, or raise suspicion, by
exfiltrating invalid numbers. It contains a loader to ensure persistence on
the infected system and uses a keylogger to scan keyboard input for card
numbers. PoSeidon obfuscates its exfiltrated data with an XOR cipher and
base64 encoding; this hides the data from casual inspection but is not
strong encryption, and an analyst with a sample can recover the key.
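As an added example (not Cisco's analysis and not PoSeidon's code), the following shows why XOR plus base64 is obfuscation rather than encryption. The malware-side encoder is paired with the analyst-side decoder, including recovery of an unknown single-byte key by trying all 256 values and keeping the one that yields Track 2 data. The single-byte key, the record layout and the sample record are assumptions of the example.

```python
import base64
import re
from typing import Optional, Tuple

# Constructed exfiltration record: a terminal identifier and one Track 2
# string (industry test number, not a real card), as a scraper might batch it.
SAMPLE_PLAINTEXT = b"POS01|;5500000000000004=25121011000000?|"
SAMPLE_KEY = b"\x5a"   # single-byte key: an assumption of this example

# Track 2 shape: ';' PAN '=' expiry+service code, discretionary data, '?'
TRACK2_RE = re.compile(rb";\d{13,19}=\d{7,}[^?]*\?")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_exfil(plaintext: bytes, key: bytes) -> str:
    """Malware side: XOR, then base64 so the blob survives an HTTP POST body."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_exfil(blob: str, key: bytes) -> bytes:
    """Analyst side when the key is already known from the sample."""
    return xor_bytes(base64.b64decode(blob), key)


def recover_single_byte_key(blob: str) -> Optional[Tuple[int, bytes]]:
    """Analyst side when the key is not known.

    A single-byte XOR key has only 256 possibilities, so try each one and
    keep the candidate that decodes to something shaped like Track 2 data.
    Returns (key, plaintext), or None if no key produces track data.
    """
    raw = base64.b64decode(blob)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        if TRACK2_RE.search(candidate):
            return k, candidate
    return None


# What would be seen in the POST body captured on the wire.
SAMPLE_BLOB = encode_exfil(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("on the wire:", SAMPLE_BLOB)
    key, plain = recover_single_byte_key(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x}: {plain!r}")
```

Longer repeating keys fall to the same approach one key byte at a time, since every key position sees plaintext drawn from a small, mostly numeric alphabet. That is why a captured POST body from such malware is usually readable by the investigating team, and why the same weakness gives no protection against the attackers' competitors or against law enforcement.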

NewPosThings: NewPosThings, reported in 2014, implements a refined RAM
scraping process. The malware includes a custom packer, new anti-debugging
mechanisms, and a module specifically to harvest user input. When it
installs, it uses familiar-looking file names to minimize suspicion, such
as java.exe, vchost.exe, dwm.exe, and so on, the latter two chosen to
resemble the legitimate Windows binaries svchost.exe and dwm.exe. It also
uses a normal-looking registry entry with the name "Java Update Manager"
to establish persistence on the infected machine, where it proceeds to
collect sensitive data, including passwords, while disabling system
warnings.
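Lookalike names only work until someone checks where the binary lives. The following is an added example (not from the article or from any vendor's analysis of NewPosThings) of a triage check over an exported autostart key: it flags known system binary names that run from outside their expected directory, and names that differ from a system binary by one dropped character, as vchost.exe does from svchost.exe. The expected directories and the sample registry entries are constructed for the example.

```python
import ntpath
from typing import List, NamedTuple, Tuple


class RunEntry(NamedTuple):
    name: str      # registry value name as shown under the Run key
    command: str   # command line stored in that value


# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# from a POS host; the paths and names are this example's own.
SAMPLE_RUN_ENTRIES = [
    RunEntry("Java Update Manager", r'"C:\Users\pos\AppData\Roaming\Java\java.exe" -u'),
    RunEntry("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunEntry("Windows Desktop Manager", r"C:\Users\pos\AppData\Local\dwm.exe"),
    RunEntry("Host Process", r"C:\Windows\vchost.exe"),
    RunEntry("Java Update", r'"C:\Program Files\Java\jre8\bin\java.exe" -Xshare:auto'),
]

# Where these binaries legitimately live. An assumption for the example;
# a real baseline comes from a known-good image of the fleet's POS build.
EXPECTED_DIRS = {
    "dwm.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32",),
    "java.exe": (r"c:\program files\java", r"c:\program files (x86)\java"),
}


def image_path(command: str) -> str:
    """Extract the executable path from a Run value (quoted or bare)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def one_char_dropped(name: str, target: str) -> bool:
    """True when name is target with exactly one character removed."""
    if len(name) != len(target) - 1:
        return False
    return any(target[:i] + target[i + 1:] == name for i in range(len(target)))


def triage_run_entries(entries: List[RunEntry]) -> List[Tuple[str, str, str]]:
    """Return (value name, image path, reason) for every suspicious entry."""
    findings = []
    for e in entries:
        path = image_path(e.command)
        base = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if base in EXPECTED_DIRS:
            # Known name: only its location decides whether it is suspicious.
            if not any(folder.startswith(d) for d in EXPECTED_DIRS[base]):
                findings.append((e.name, path, f"{base} outside its expected directory"))
            continue
        # Unknown name: is it one character short of a system binary name?
        for legit in EXPECTED_DIRS:
            if one_char_dropped(base, legit):
                findings.append((e.name, path, f"{base} mimics {legit}"))
                break
    return findings


if __name__ == "__main__":
    for name, path, reason in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] {name!r} -> {path}: {reason}")
```

On a fleet of identical terminals the stronger version of this check is a full diff of autostart entries against the golden image, which catches names the lookalike table never anticipated; the table-driven check above is the quick pass an analyst can run on a single exported key.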

Other POS malware found in 2014 included Soraya, which implements RAM
scraping and web forms grabbing.

In 2015, still more POS malware was found, including a new Alina variant
and new families by the names of LogPOS, FighterPOS, and Punkey.

Targeting a Server

Attacks at the server level can involve misuse of any management system
used to monitor or maintain an organization's POS systems. Any system that
controls or allows access to POS systems is a potential way in. Access to
servers can be achieved through network-level attacks that exploit shared
connections between systems – for instance, when the Wi-Fi hotspot provided
to customers shares a connection with the POS system. In the breaches that
hit a large number of U.S. merchants in 2009-2011, the attackers scanned
ports on the target network, identified the systems running remote-access
software, and then knew which services to attack.

Even if the POS system is using a closed Wi-Fi network, attackers might be
able to crack its passphrase, either through sophisticated trojans, or by
using brute force. Attackers also might search until they find an open port
on a switch and add their own Wi-Fi access point there.

The goal of network infiltration is to reach a server. Device- and
network-level attacks are inherently limited to a single POS system or even
a network of POS systems in a single location, but a successful server
breach, depending on the architecture, could possibly expose all POS
systems in all of a retailer’s locations.

In order to reach a server, attackers need to learn the available software
on the server as well as have the means to exploit it.

Typically, the first overture will be a socially engineered message,
usually an e-mail that encourages the target to click a link or open a
file. If the target is tricked into doing so, then the payload can be
delivered in the form of a piece of malware that executes on the target’s
computer. From there, the attackers can leverage that foothold to take
control of the compromised computer, install keyloggers and remote access
applications, and download additional software that hides the malware,
establishes persistence, and creates a launch site for the full attack.

The attackers – perhaps through the malware itself – use tools that allow
them to execute shell commands that broaden their access, evaluate existing
data and network architecture, and assess protection mechanisms. In the
process, the attackers might collect additional information that will help
them plan future attacks, customize malware, and plan the exfiltration.
They will continue to elevate their access privileges until they are able
to infiltrate their ultimate target: the POS systems.

Conclusion

The number and sophistication of attacks are growing, as are the varieties
of POS malware, and merchants cannot afford to be out of compliance with
PCI DSS. Many of the security measures in the DSS mitigate the POS malware
threat:

• Only necessary traffic should be allowed through the firewall.

• Only allow connectivity from the card terminal or POS appliance to the
processor, and nowhere else.

• Install anti-virus and anti-malware software on all POS devices.

• Keep security patches current.

• Enforce network logging to identify anomalies.
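The second and last bullets above can be tested together from firewall logs. As an added example (this page's own, not from the article or from PCI SSC), the check below reads flow records, keeps only those from the POS segment, and reports any flow whose destination is not the processor. An allowed flow of that kind means the rule set itself is wrong; a denied one means a terminal tried to reach somewhere it should never need to, which on a locked-down segment is a strong sign of compromise. The log format, the addresses and the allow-list are assumptions of the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed firewall log lines in a simple key=value layout (this example's
# own format; map the fields to whatever your firewall actually emits).
SAMPLE_LOG = """\
2016-12-20T14:02:11Z src=10.20.1.15 dst=203.0.113.10 dport=443 proto=tcp action=allow
2016-12-20T14:02:30Z src=10.20.1.15 dst=198.51.100.77 dport=80 proto=tcp action=allow
2016-12-20T14:03:02Z src=10.20.1.22 dst=10.20.1.15 dport=445 proto=tcp action=deny
2016-12-20T14:03:40Z src=10.20.5.8 dst=198.51.100.77 dport=80 proto=tcp action=allow
2016-12-20T14:04:10Z src=10.20.1.15 dst=203.0.113.11 dport=443 proto=tcp action=allow
2016-12-20T14:05:00Z src=10.20.1.15 dst=198.51.100.77 dport=21 proto=tcp action=allow
this line is not a flow record and is skipped
"""

# The segment holding the terminals and the only destinations they may reach
# (the processor's endpoints). Documentation address ranges, chosen for the
# example.
POS_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
ALLOWED_EGRESS = {("203.0.113.10", 443), ("203.0.113.11", 443)}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def find_violations(log_text: str) -> List[Dict[str, str]]:
    """Flows from POS hosts to anything but the processor.

    'allow' on such a flow means the firewall rule set is wrong (a
    compliance gap to fix); 'deny' means a terminal tried anyway, which
    on a locked-down segment points at an infected or misused host.
    """
    out = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                      # not a flow record
        if ipaddress.ip_address(m["src"]) not in POS_SEGMENT:
            continue                      # only terminals are in scope here
        if (m["dst"], int(m["dport"])) in ALLOWED_EGRESS:
            continue                      # terminal talking to the processor
        out.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": m["dport"], "proto": m["proto"],
            "finding": "misconfigured rule" if m["action"] == "allow"
                       else "blocked attempt",
        })
    return out


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['dport']} {v['finding']}")
```

In the sample, the terminal at 10.20.1.15 is allowed out to a web server on port 80 and to an FTP server on port 21, the two channels named above for Alina, Dexter and BlackPOS, so those lines are rule defects to fix before they are ever abused. The denied SMB attempt from one terminal to another is the anomaly the logging requirement exists to surface: terminals have no reason to talk to each other.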

In addition, following some basic security precautions can help a great
deal:

• Do not allow USB devices to be connected to the server that hosts your
POS system.

• Train your staff on POS malware threats.

• Lock your POS servers up in a secure location with limited access.

With proper security and employee training, it becomes much harder for
attackers to crack the safe. Many security holes exist because of
noncompliance, and following some basic security measures and maintaining
compliance with PCI DSS will go a long way toward keeping POS malware out
of your system.