FlokiBot – stuffing hackers’ Christmas stockings

Hackers looking to snag a quick bargain anticipate the holiday shopping period with glee.

The volumes of transactions and the amounts spent mean that cyber criminals can gain both valuable personal data and cash with very little investment on their part.

Many organisations know that securing e-commerce transactions carries the risk of a cyber-attack, but often consider point of sale (POS) devices ‘dumb’ terminals and neglect to secure them properly.

This leaves them vulnerable to a number of attacks including credit card-swiping malware.

Arbor’s Security and Engineering Response Team (ASERT) has recently analysed an interesting new piece of POS malware called FlokiBot.

The malware itself is a variant of the Zeus banking Trojan family and could be used in attacks on retail, accommodation and food services companies.


Zeus-based malware has been around since 2009, with numerous versions and variants in that time span.

It is a tried and true malware platform that threat actors continue to use and come back to when they want to create a new banking malware.

To date PoS malware has been used in a total of 534 incidents, 525 of which featured a confirmed data disclosure (2016 Verizon Data Breach Investigations Report). This demonstrates that attackers continue to innovate as the targets remain attractive.

FlokiBot has a number of capabilities uncommon to typical Zeus variants, including:

POS memory scraping

Many other malware families have POS capabilities, but this is not something the research team has seen before in a Zeus variant.

The data being targeted is created when a store scans a customer’s credit card: the data on the magnetic strip is saved in the POS register’s memory.

The POS malware (FlokiBot in this instance) will scan the computer memory looking for a pattern of data that matches the format of the credit card data.

If it finds a potential match, it sends the data to the threat actor who can then either use the data to create their own fake credit cards or sell the data on underground forums.

Distributed denial of service attacks

This is an uncommon feature for a Zeus-based malware variant. Once this piece of malware has gained access to a network, it can use connected devices such as POS terminals to launch a DDoS attack.

During major shopping periods, network unavailability may cost a retailer millions of dollars in sales.


This attack type may also be used to distract the security team, while conducting other malicious activity such as stealing valuable data.

TOR configuration

FlokiBot can be configured with TOR-based command and control URLs (.onion sites).

When the malware needs to communicate with its command and control server and sees that it is a .onion host, it’ll route the traffic through TOR.

If TOR isn’t installed on the victim machine, it’ll download, install and configure it. This helps to keep the botmaster’s command and control server hidden and prevent it from being blacklisted by security companies.

Actions for retail security teams

Organisations of all sizes are strongly encouraged to consider a security review of any POS deployment infrastructure.

This is to detect existing compromises as well as to strengthen defences against an adversary that continues to proliferate and expand attack capabilities.


Compliance with PCI-DSS standards is a good starting point. There are also a few other areas retailers should consider:


97% of breaches featuring stolen credentials leveraged legitimate partner access in 2016.

Organisations must ensure that any remote access connectivity is carefully audited and restricted in order to reduce network attack surface.

Dedicated machines

The underlying machine running the POS software should be dedicated to the task, and should be hardened prior to deployment to restrict open ports and lock down application use to those applications that are absolutely required for core functionality.

Separated from the Internet

POS systems themselves should be partitioned from the rest of the network, with only enough inbound and outbound connectivity allowed to facilitate core functionality.

POS machines or back-end infrastructure should never be accessible by a wireless network that has not been audited and built with full security controls in place in accordance with PCI-DSS as a minimum.


After significant testing, anti-malware applications should be run on the POS machines in an aggressive mode to detect potentially unknown malware.

If the POS machine is Windows based, the enhanced mitigation experience toolkit (EMET) should be deployed when possible and carefully tuned to include all aspects of the operating system and any third party software.

Traffic is truth

Advanced attackers will pivot from one compromise point to gather other points of compromise, and this lateral movement will leave traces of network activity that can be detected by the vigilant organisation.

Detecting malware activity over TOR

Organisations are encouraged to detect the unexpected presence of TOR. Security teams must consider a robust detection of TOR at the network level, due to its inclusion within the POS binary.


If TOR traffic is seen on the network, it must be investigated – especially if coming from the POS environment.

Exfiltration must be detected

If a network is not properly configured to only allow traffic where truly necessary, the number of systems that can become a staging ground for data exfiltration increases.

This gives threat actors more options and places to hide their traffic in an attempt to extend the depth and longevity of their campaigns.
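
An added example (not from the original article or from ASERT): one way to review flow records from a POS segment for contact with TOR relays and for egress outside an allowlist, as the TOR detection and exfiltration advice above recommends. The subnet, allowlist, relay addresses and log format are constructed assumptions; in practice the relay set would be loaded from a current TOR relay list.

```python
import ipaddress

# Everything below is constructed for illustration (RFC 5737 / RFC 1918 addresses).
POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
EGRESS_ALLOWLIST = {              # the only (destination, port) pairs POS needs
    ("198.51.100.10", 443),       # hypothetical payment processor
    ("10.20.0.5", 8443),          # hypothetical store back-office server
}
TOR_RELAYS = {"203.0.113.77", "203.0.113.140"}  # stand-in for a relay list snapshot
TOR_COMMON_PORTS = {9001, 9030}   # conventional ORPort/DirPort; many relays use 443

# Constructed flow records: timestamp src dst dst_port bytes_out
SAMPLE_FLOWS = """\
2016-12-12T09:14:02Z 10.20.30.11 198.51.100.10 443 1840
2016-12-12T09:14:09Z 10.20.30.12 203.0.113.77 443 51200
2016-12-12T09:15:30Z 10.20.30.12 192.0.2.50 9001 4096
2016-12-12T09:16:44Z 10.20.30.13 192.0.2.99 80 880000
2016-12-12T09:17:01Z 10.20.40.7 192.0.2.99 80 300
2016-12-12T09:17:05Z truncated-record
"""

def classify(src, dst, port):
    """Return a finding label for one flow, or None if it needs no review."""
    if ipaddress.ip_address(src) not in POS_SEGMENT:
        return None                       # outside the POS environment
    if dst in TOR_RELAYS:
        return "tor-relay"                # strongest signal: known relay address
    if (dst, port) in EGRESS_ALLOWLIST:
        return None                       # expected POS traffic
    if port in TOR_COMMON_PORTS:
        return "tor-port"                 # weak hint, and still off the allowlist
    return "not-allowlisted"              # possible staging or exfiltration path

def review_flows(text):
    """Parse flow records and return (timestamp, src, dst, port, label) findings."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed records
        ts, src, dst, port, _bytes = fields
        try:
            label = classify(src, dst, int(port))
        except ValueError:
            continue                      # unparseable address or port
        if label:
            findings.append((ts, src, dst, int(port), label))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

Because many relays listen on port 443, the port check is only a weak hint; the relay list and the allowlist carry the detection.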

While FlokiBot has capabilities rarely before seen in a Zeus-based variant, organisations that maintain a proactive threat hunting posture and deploy robust network monitoring of traffic to and from POS machines should be able to respond and mitigate threats quickly and effectively.

In the run-up to Christmas, security teams should be on high alert and properly staffed, as the volume of sales transactions processed is highly attractive to threat actors, and the increased network traffic may make suspicious activity harder to identify.


Sourced by Dennis Schwarz, research analyst ASERT, Arbor Networks


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
