What is PoS Malware?
PoS malware garnered media attention with the breach of the US retail giant Target, in which nearly a third of the US population was affected. Certain PoS malware strains affect popular establishments such as hotels and other businesses that rely on those systems.
One problem is that remote access is often used to update many of these systems. This could provide a way in if remote authentication is weak.
Embedded systems and legacy hardware also make life easier for potential attackers. Remote authentication aside, physical access to terminals can often be quite straightforward, as many establishments do not take measures to physically secure their devices.
In this case
In conjunction with other law enforcement agencies we have previously investigated PoS malware. With certain strains, victim payment card data is often stolen at the point of sale using simple key-logging functionality. That data is then sent directly to a command and control (C2) server.
Certain PoS malware code uses a 'mutex' (mutual exclusion object) to avoid infecting the victim's system more than once, and to coordinate communications among its components on the host.
Should I be concerned about PoS malware?
An organisation or company of any size and in any industry can be affected by Point-of-Sale (PoS) threats. For years, PoS threats have targeted diverse organisations beyond retail; attacks have affected airports and parking lots, among others. It is a mainstream threat that has continuously evolved its tactics to expand its target base.
While PoS threats share similarities in terms of techniques, each variant has its own unique characteristics. For example, some strains are notable for the speed with which the information is stolen and sent back to the attackers.
Operators behind some PoS malware use the following infection vectors to install the threat:
- A compromised website that serves as a download location
- A web-based, real-time file sharing service used as a download location
- Direct file transfer via Virtual Network Computing (VNC); access is gained either through stolen credentials or through a brute-force attack.
Earlier versions of the malware required an administrative account to run the file, requested via a pop-up box.
Information theft routines
In one specific strain of PoS malware, there are three separate threads:
- Keylogging process (described below)
- Main RAM scraper process
- Self-updating mechanism
In the first thread, the malware captures keystrokes and sends the entire string back to the C2 server once the return key is pressed. Keyloggers often accompany PoS threats, as they enable attackers to perform reconnaissance and obtain information beyond the card data taken by the RAM scraper. Information stolen by keyloggers may range from the products or services purchased to the card security code that some establishments ask for.
In certain PoS malware, keylogged data is held in memory with no file written to disk. This can make detecting and removing the malware from PoS systems difficult. Although such a routine may generate some level of network noise, the return key is used relatively rarely, as can be seen by comparing the normal operation of a PoS terminal with that of a regular workstation.
Points to consider
Some of the entities affected by PoS malware are based in locations with open remote access. In certain instances, organisations had only a DSL router as the primary separation between the terminal that processes credit card information and the internet, with port-forwarding enabled directly to the terminal itself. This introduces risk to the environment, as only a thin line separates the terminal from external access. While remote access allows remote administration, these channels can be abused.
The behaviour of this PoS malware implies that targeted terminals have bare internet access, with installed endpoint security software as the only line of defence. While having anti-malware software on systems meets the bare minimum, it is recommended to segregate traffic and employ strict access controls on these terminals.
Businesses can also consider another approach, such as implementing endpoint application control or whitelisting technology, which reduces attack exposure by ensuring that only updates associated with whitelisted applications can be installed.
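The two points above, that a keylogger sending one string per return key produces a trickle of small outbound sessions, and that a PoS terminal should only ever talk to a short list of destinations, can be turned into a simple egress check over firewall or flow logs. The following is an added example written for this page, not code from the original advisory or from any vendor. The log format, the PoS subnet 10.20.0.0/24, the payment processor and update server addresses, and the sample log lines are all constructed assumptions; adapt the allowlist to your own environment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not taken from the page). Hypothetical
# format: <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> bytes=<n>
SAMPLE_LOG = """\
2024-01-05T10:01:02 src=10.20.0.11 dst=203.0.113.10 dport=443 proto=tcp bytes=4120
2024-01-05T10:01:09 src=10.20.0.11 dst=203.0.113.10 dport=443 proto=tcp bytes=3880
2024-01-05T10:02:30 src=10.20.0.11 dst=198.51.100.77 dport=80 proto=tcp bytes=96
2024-01-05T10:02:31 src=10.20.0.11 dst=198.51.100.77 dport=80 proto=tcp bytes=102
2024-01-05T10:02:33 src=10.20.0.11 dst=198.51.100.77 dport=80 proto=tcp bytes=88
2024-01-05T10:03:00 src=10.20.0.12 dst=203.0.113.20 dport=443 proto=tcp bytes=5200
2024-01-05T10:03:15 src=10.20.0.12 dst=192.0.2.55 dport=5900 proto=tcp bytes=1400
2024-01-05T10:05:00 src=10.30.0.50 dst=198.51.100.77 dport=80 proto=tcp bytes=120
"""

# Assumed network layout: the PoS terminals live in their own subnet and are
# permitted to reach only the payment processor and the vendor's update server,
# both over HTTPS. Anything else leaving that subnet is an egress violation.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),  # payment processor (assumed address)
    ("203.0.113.20", 443),  # PoS vendor update server (assumed address)
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def egress_violations(records):
    """Return records where a PoS terminal reaches a destination/port not on the allowlist."""
    hits = []
    for rec in records:
        if ipaddress.ip_address(rec["src"]) not in POS_SUBNET:
            continue  # back-office hosts are out of scope for this rule
        if (rec["dst"], rec["dport"]) not in ALLOWED_EGRESS:
            hits.append(rec)
    return hits


def small_session_bursts(records, max_bytes=256, min_count=3):
    """Flag (src, dst) pairs with repeated tiny outbound sessions from a PoS terminal.

    A keylogger that ships one string per return key produces a series of
    small sessions to the same host; legitimate payment traffic is larger
    and goes to an allowlisted destination.
    """
    counts = defaultdict(int)
    for rec in records:
        if ipaddress.ip_address(rec["src"]) not in POS_SUBNET:
            continue
        if rec["bytes"] <= max_bytes:
            counts[(rec["src"], rec["dst"])] += 1
    return sorted(pair for pair, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for v in egress_violations(recs):
        print("egress violation:", v["ts"], v["src"], "->", v["dst"], v["dport"])
    for src, dst in small_session_bursts(recs):
        print("small-session burst:", src, "->", dst)
```

On the constructed sample the first rule flags terminal 10.20.0.11 talking to an unknown web host and terminal 10.20.0.12 accepting a VNC-port connection to an outside address, while the second rule flags the three tiny sessions from 10.20.0.11 as a keylogger-like pattern. The back-office workstation in 10.30.0.0/24 is deliberately ignored, which is the point of keeping terminals in their own segment: the allowlist can be short and violations are unambiguous.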
If you or your organisation have been a victim of this or any other type of cyber crime, report to Action Fraud, the UK's national cyber crime reporting centre at https://www.actionfraud.police.uk/ or via phone on 0300 123 2040. Action Fraud have a 24/7 reporting capability for live incidents such as DoS attacks.
Please note: information in this section is sourced from TrendMicro reports on PoS malware; however, this should not be taken as our endorsing TrendMicro commercially.