How retailers can combat the deadly point-of-sale malware threats

Point-of-sale (POS) systems are increasingly becoming a soft target for hackers, making it more important than ever for retailers to consider the security of these machines and the information they store.

There has been a resurgence of these attacks in the past few months, and the 2014 Verizon Data Breach Investigations Report listed them among its top nine breach vectors. The intrusions involve the attacker placing specialised malware on the POS tills that captures payment card information while it is held in the machine's memory.

Hackers then use a remote connection to extract the card information. Some hackers develop the malware themselves, while others simply buy it on the underground web. The malware infects systems that combine a card reader with sales software.

The retail sector should avoid conflating all malware as a single threat and analyse all capabilities and malware functions as separate entities.

Cyber criminals may conduct attacks using malware with one or a multitude of capabilities, including key loggers, RAM scrapers and brute-force botnets.


Since their networks are open to the internet and their security implementations are often weak, retail POS systems are vulnerable to these attacks. Five POS malware families, and the breaches associated with them, stand out.

Backoff is the trending malware that has infected more than 1,000 US businesses. Reports indicate the malware has since been dubbed 'ROM', with upgrades that encrypt connections between the attackers' command-and-control servers and infected systems. The changes are designed to make the malware harder to detect or eradicate. Dairy Queen is one of the well-known retail chains that fell victim to this malware.

vSkimmer is a botnet-like malware first detected by McAfee researchers. It targets POS machines running Windows to steal credit card data from card payments and financial transactions. After installing itself as the file 'iexplorer.exe', it persists by rewriting a registry key, then hijacks credit card data and transfers it to a command-and-control server. The malware also supports offline data capture through a USB device connected to the compromised system.

BlackPOS infects POS systems running Windows and equipped with card readers. The machines are discovered with automated internet scans, and weak remote administration credentials or unpatched vulnerabilities are the main causes of compromise. It scans running processes for Track 1 and Track 2 formatted data and stores it in a file called 'output.txt' before uploading it via FTP to a compromised server. This malware was discovered on Target's point-of-sale systems.

Dexter differs from POS breaches that rely on phishing or skimmers installed on endpoints. The Dexter malware infects files on Windows servers and then scrapes credit card information as it is entered on the compromised machine. It also parses memory dumps of specific software processes, searching for Track 1 and Track 2 credit card data, according to Seculert.

Alina scans running processes for credit card track data. It can update itself on the infected computer and uses HTTP to upload information about the infected machine, along with compromised payment card data, to the attacker's command-and-control server. When dumping memory it uses a blacklist approach to skip important processes that may be active on the system.


POS intrusions involve a number of steps. POS systems are not public-facing and sit in a segmented part of the corporate network, so attackers start by brute-forcing a remote login system or searching for vulnerabilities in external-facing systems. pcAnywhere, Remote Desktop and other remote administration utilities are often used for entry.

Next, hackers identify the CDE (cardholder data environment) in order to reach the POS system, where they are prompted for credentials. Attackers can use spear phishing, keystroke logging and other means to obtain credentials, but many POS systems still use default credentials, which is a major security flaw of these machines.

Then the POS system is breached, and malware tailored to the targeted environment is installed and tested rigorously to avoid removal and detection. The malware scrapes cardholder data from RAM and routes it to a compromised server within the network, where it is aggregated in log files.

Finally, the data is exfiltrated: the log file is encrypted and sent to a third-party server compromised by the hacker. The transmissions mimic legitimate communication to avoid detection and removal.

Post-threat analysis

Retailers need to analyse POS threats and refine their security implementations, as well as make sure they are meeting the PCI (Payment Card Industry) Data Security Standards.

With the capabilities and potential functions of POS malware defined, retailers can build a fairly good picture of how attackers conduct POS attacks, and can implement the following practices to reduce the vulnerability of POS systems and limit payment card data loss from successful breaches.

1. Upgrade host security

POS systems consolidate payment card traffic into a repository known as the 'host'. POS owners should ensure that their host software does not retain sensitive data elements such as PIN blocks, PINs or full magnetic stripe data. User management controls must comply with PCI DSS, and the system must be configured with hardened settings and patch management. They should also ensure the system accepts requests only from known sources, and that this list is reviewed frequently. Since the host's sole purpose is to process transaction data, access requests should be logged so that any unusual activity can be spotted.

2. Use point-to-point encryption (p2pe)

Most POS malware successfully infiltrates systems that lack point-to-point encryption. P2PE encrypts card data from the moment it is swiped at the POS machine until it is decrypted by the retailer's payment processor.

How does it really help? When a POS system with encrypting card readers and point-to-point encryption is used, the reader encrypts the data before it reaches the terminal, and no device on the store network is able to decrypt it. This ensures card numbers are protected from attacks such as malware infections and unauthorised eavesdropping.

3. Restrict or disallow remote access

Retailers should restrict remote access to their POS machines and allow only a limited set of known internet protocol (IP) addresses. Internet access can also be restricted to prevent POS operators from accidentally exposing the POS system to web-based threats. The machines should be used only for POS-related activities, and general web browsing should be prohibited.

Another step retailers can take is to completely prevent operators from logging in to a POS terminal as an authorised user without being physically present. This would stop cybercriminals who exploit remote access configurations to reach retail networks, because they would have to be physically at the machine. However, retailers would then need to watch for malicious insiders. Systems should be reviewed periodically for dormant and unknown users.

4. Secure the cash and point-of-sale register

Perform periodic scans on these systems to ensure there is no malicious activity, and keep the operating system up to date. Make sure software such as file integrity monitoring and anti-virus is installed, and use strong passwords on those security solutions to prevent them from being modified.

Also, perform checksum comparisons to detect any unauthorised files. Retailers should also consider application whitelisting to prevent unapproved processes from running. Checksums should also be verified on third-party updates. Further, unnecessary services and ports, default and guest users, and null sessions should be disabled.
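The checksum comparison recommended above is, in practice, a file integrity baseline: hash every file on the register while it is in a known-good state, then re-hash later and report what appeared, disappeared or changed. The script below is an added example (not the article's or InfoSec Institute's code) that implements exactly that with SHA-256, plus a helper for verifying a third-party update against a vendor-published checksum. The demo() function builds the baseline in a temporary directory with constructed stand-in files and simulates the kind of tampering described in this article (a replaced binary, an unexpected new file, a deleted configuration file).

```python
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map of relative path -> SHA-256 for every file under root (the known-good state)."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def verify_update(path: Path, expected_sha256: str) -> bool:
    """Check a downloaded third-party update against the checksum the vendor published."""
    return hmac.compare_digest(hash_file(path), expected_sha256.lower())


def demo() -> Dict[str, List[str]]:
    """Build a baseline in a temp dir, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for a register's files; contents are arbitrary.
        (root / "pos.exe").write_bytes(b"original pos binary")
        (root / "config.ini").write_text("[pos]\nmode=prod\n")
        baseline = build_baseline(root)

        (root / "pos.exe").write_bytes(b"patched pos binary")       # binary replaced
        (root / "output.txt").write_bytes(b"unexpected new file")   # unapproved file appears
        (root / "config.ini").unlink()                              # config deleted
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written to storage the register cannot modify and the comparison run on a schedule, with any entry in "added" or "modified" treated as an alert rather than a curiosity. Application whitelisting complements this by refusing to execute anything whose hash is not in the approved set.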

5. Secure the network

Check your firewall configuration and make sure only authorised services and IP addresses can connect to the network. Do the same for outbound firewall rules, as hackers take advantage of misconfigurations that allow ports to communicate with arbitrary IP addresses on the internet. It is also a good idea to segment the payment processing network from other networks.

Define strict ACLs (access control lists) and apply them in router configurations to keep out unauthorised traffic. Lastly, review POS devices with direct connectivity and ensure the payment processing environment that houses card data is secure.
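Two of the points made in this article, that exfiltration traffic mimics legitimate communication and that outbound firewall rules must not allow POS hosts to reach arbitrary internet addresses, come together in an egress audit. The example below is added here and is not code from the article or from InfoSec Institute. It lints a rule set for allow rules with an unrestricted destination or port set (the weak rule beside its corrected form) and then replays constructed firewall log lines through an egress allowlist, flagging permitted connections from the POS segment to any destination the policy does not cover. The log line format, the network ranges and the EGRESS_ALLOW policy are all assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Set, Tuple

Network = ipaddress.IPv4Network

# Constructed policy: the POS segment may reach only the payment processor over
# HTTPS and the internal patch server. Addresses are documentation/private
# ranges chosen for this example.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOW: List[Tuple[Network, Set[int]]] = [
    (ipaddress.ip_network("203.0.113.0/24"), {443}),        # payment processor
    (ipaddress.ip_network("10.10.5.10/32"), {443, 8530}),   # internal patch server
]

# The weak outbound rule the text warns about, beside its corrected form.
WEAK_RULES = [
    {"name": "pos-out", "src": "10.20.0.0/24", "dst": "0.0.0.0/0",
     "dports": "any", "action": "allow"},
]
CORRECTED_RULES = [
    {"name": "pos-to-processor", "src": "10.20.0.0/24", "dst": "203.0.113.0/24",
     "dports": "443", "action": "allow"},
    {"name": "pos-to-patch", "src": "10.20.0.0/24", "dst": "10.10.5.10/32",
     "dports": "443,8530", "action": "allow"},
    {"name": "pos-default-deny", "src": "10.20.0.0/24", "dst": "0.0.0.0/0",
     "dports": "any", "action": "deny"},
]


def lint_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Name every allow rule whose destination or port set is unrestricted."""
    problems = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if ipaddress.ip_network(r["dst"]).prefixlen == 0 or r["dports"] == "any":
            problems.append(r["name"])
    return problems


# Assumed log format for this example; adapt the pattern to the real firewall.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def egress_permitted(dst: ipaddress.IPv4Address, dport: int,
                     allow: List[Tuple[Network, Set[int]]] = EGRESS_ALLOW) -> bool:
    return any(dst in net and dport in ports for net, ports in allow)


def audit_egress(lines: List[str]) -> List[Finding]:
    """Flag permitted outbound connections from POS hosts that the policy does not cover."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue                    # malformed, or already blocked by the firewall
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if src not in POS_SEGMENT:
            continue                    # only the card-handling segment is in scope here
        if egress_permitted(dst, dport):
            continue
        reason = ("cleartext file transfer (FTP)" if dport in (20, 21)
                  else "destination not in egress allowlist")
        findings.append(Finding(m["ts"], str(src), str(dst), dport, reason))
    return findings


# Constructed firewall log: two legitimate flows, one FTP upload, one HTTPS flow
# that blends in with normal traffic but goes to an unapproved host, and noise.
SAMPLE_LOG = [
    "2014-08-01T02:13:05Z action=ALLOW src=10.20.0.15 dst=203.0.113.10 dport=443 proto=TCP",
    "2014-08-01T02:13:09Z action=ALLOW src=10.20.0.15 dst=198.51.100.7 dport=21 proto=TCP",
    "2014-08-01T02:14:00Z action=ALLOW src=10.20.0.15 dst=198.51.100.7 dport=443 proto=TCP",
    "2014-08-01T02:15:00Z action=DENY src=10.20.0.16 dst=192.0.2.44 dport=80 proto=TCP",
    "2014-08-01T02:16:00Z action=ALLOW src=10.30.0.5 dst=192.0.2.44 dport=80 proto=TCP",
    "2014-08-01T02:17:00Z action=ALLOW src=10.20.0.15 dst=10.10.5.10 dport=8530 proto=TCP",
]

if __name__ == "__main__":
    print("over-permissive rules:", lint_rules(WEAK_RULES), lint_rules(CORRECTED_RULES))
    for f in audit_egress(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The HTTPS flow to 198.51.100.7 is the instructive case: on port 443 it looks like ordinary processor traffic, and only the destination allowlist distinguishes it. That is why the corrected rule set ends with an explicit default deny rather than relying on port filtering alone.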


It’s clear that POS systems will continue to be a prime target for attackers, as criminals repurpose existing malware and develop new malware types to steal payment card information.

Retailers that process card data need to follow the recommended security practices and adapt their controls to protect consumer card information, all while keeping themselves updated on the POS threat landscape.


Sourced from Dan Virgillito, InfoSec Institute


Ben Rossi

