Threat Intelligence

The Importance of POS Threat Analysis for the Retail Sector

Dan Virgillito
December 16, 2014 by
Dan Virgillito

The rising intensity of POS threats has created a precarious environment for retailers looking to protect their customers' financial and personal data. POS systems are increasingly becoming a soft target for hackers, which is why it's more important than ever to consider the security of these machines and the information they store.

There has been a resurgence of these attacks in the past few months, and the 2014 Verizon Data Breach investigation report listed them as a composition of top 9 breach vectors. The intrusions involve the attacker placing a special malware on the POS tills which captures payment card information while it is stored in the temporary memory.

Hackers then use a remote connection to extract card information. Some hackers develop the malware themselves, while others simply buy from the underground web.

Threat analysis

The retail sector should avoid conflating all malware as a single threat and analyze all capabilities and malware functions as separate entities.

POS malware capabilities

POS malware infects systems featuring a card reader and sales software. Cyber criminals may conduct attacks using malware with one or a multitude of the following capabilities:

Key loggers: Though categorized as a separate malware category, key loggers are often used in POS breach attempts. Hackers use this malware to record keystrokes entered in a POS terminal. Some key logger breaches may even take videos and screenshots to provide hackers the most relevant data.

RAM scrapers: This is the most prevalent capability in POS malware breach attempts by card information thieves. RAM scrapers / memory dumpers hold card data for a while before it gets encrypted, and this small window of opportunity is all the malware needs to digest the information from memory and transfer it to a log file.

Brute-force botnets: The botnet scans the IP address ranges from POS systems that accept RDP (Remote Desktop Protocol) connections. After identifying an RDP service, the botnet malware tries to enter with user names and passwords from a predefined list. After guessing the credentials of an RDP-activated system, the malware sends the data back to a C2 (Command-and-Control) server.

Popular POS malware and breach incidents

Since their networks are open to the Internet and their security implementations are often weak, retail POS systems are vulnerable to malware with the above-mentioned capabilities. Here is a list of the most popular POS malware and breach incidents:

Backoff: This is the trending malware that has infected more than 1,000 US businesses. Reports reveal that this malware is now dubbed as 'ROM', and it has been fine-tuned with upgrades that can encrypt connections between Command-and-Control servers controlled by attackers and infected systems. The changes are made to make the malware difficult to detect or eradiate. Dairy Queen is one of the popular retail chains that was a victim of this malware.

vSkimmer: This is a botnet-like malware that was first detected by McAfee researchers. It targets POS machines running Windows OS to steal credit card data for card payments and financial transactions. After infecting itself in the file 'iexplorer.exe', it stays active by rewriting in the registry key, and then hijacks credit card data and transfers it to a Command-and-Control server. The malware also provides offline data capture through a USB connected to the compromised system.

BlackPOS: This malware infects POS systems running Windows OS and featuring card readers. The machines are discovered with automated Internet scans, and weak remote administration credentials or unpatched vulnerabilities is the main cause of compromise. It scans running processes to search for Track 1 and Track 2 formatted data, and stores it in a file called 'output.txt', before using FTP to upload it to a compromised server. This malware was discovered on Target's point-of-sale systems.

Dexter: This malware differs from POS breaches that rely on phishing attempts or skimmers installed on endpoints. The Dexter malware infects files on Windows OS servers and then scraps credit card information as it is entered on the compromised machine. It also parses memory dumps of specific software processes and searches for Track 1 and Track 2 credit card data, according to Seculert.

Alina: This malware looks for running processes for tracking credit card data. It can run updates on the infected computer and use HTTP to upload data about the infected machine and compromised payment card information to the attacker's Command-and-Control server. It also dumps memory by adopting a blacklist approach to neglect important processes that may be active on the system.

Steps involved in POS intrusions

  1. POS systems aren't public-facing and are segmented on a corporate network. Attackers can brute-force a remote login system and search for vulnerabilities in external facing systems. pcAnywhere, Remote Desktop, and other remote administration utilities are often used for entry.
  2. Next, hackers identify the CDE (cardholder data environment) to gain access to the POS system, where they are asked for credentials. Attackers can use spear phishing, keystroke logging, and other means to access credentials, but many POS systems use credentials set by default, which is a major security flaw of these machines.
  3. The POS system is breached, and malware tailored to the targeted network/ environment is installed and tested rigorously to avoid removal and detection. The malware scraps cardholder data from RAM memory and routes it to a compromised server within the network to aggregate in the log file(s).
  4. The data is then exfiltrated as the log file is encrypted and sent to a third-party server compromised by the hacker. The transmissions mimic legitimate communication to avoid detection and removal.

Post-threat analysis implementations

Retailers need to analyze POS threats and refine their security implementations, as well as make sure they are meeting the PCI (Payment Card Industry) Data Security Standards. With the capabilities and potential functions of POS malware defined, retailers can develop a fairly good picture of how attackers conduct POS attacks, and they can implement the following practices to reduce the vulnerability of POS systems & mitigate payment card data loss from successful breaches:

Upgrade host security

POS systems consolidate payment card traffic into a repository known as the 'host'. POS owners should ensure that their host software doesn't accommodate vulnerable data elements such as PIN blocks, PINs or full magnetic stripe data. They should also ensure their host system has these characteristics:

  • User management controls are compliant with PCI DSS and the system is configured with security configuration and patch management
  • The system accepts requests only from known sources, which are frequently reviewed
  • The sole purpose is to process transaction data and access requests should be logged to see if there's any unusual activity

Use point-to-point encryption (p2pe)

Most POS malware successfully infiltrate systems which lack point-to-point encryption. p2pe encrypts card data from the time it is swiped in a POS machine to the time it is decrypted by the payment processor of the retailer.

How does it really help? When a POS system featuring encrypting card scanners and point-to-point encryption is used, the scanner will encrypt the data before it reaches the terminal. However, the store network has no device with the ability to decrypt card information. This makes sure the credit card numbers are protected from attacks such as malware infections and unauthorized eavesdropping.

Restrict or disallow remote access

Retailers should restrict remote access to their POS machines and allow for a limited set of known Internet Protocol (IP) addresses. Internet access can also be restricted to prevent POS operators from accidentally exposing the POS system to web-based security threats. The machines should be used to carry out POS related activities and general web browsing should be prohibited.

Another thing retailers can do is completely disallow operators to log in to a POS terminal as an authorized entity without being physically present. This would stop cyber criminals who can expose remote access configurations to gain access to retail networks, as they would have to be physically present near the machine. However, retailers would need to watch out for malicious insiders after this security implementation. Systems should be reviewed periodically for dormant and unknown users.

Secure the cash and point-of-sale register

Perform periodic scans on these systems to ensure there is no malicious activity and use the latest OS to date. Make sure software like file integrity monitoring and anti-virus are installed, and use strong passwords for security solutions to prevent software modification.

Also, perform a checksum or primary comparison to detect any unauthorized files. Retailers should also take application whitelisting into account to prevent unapproved processes from running. A checksum should also be performed on third-party updates. Further, unnecessary services and ports, default and guest users, and null sessions should be disabled.

Secure the network

Check your firewall configuration and make sure only authorized services and IP addresses are connected to the network. Do this for outbound firewall rules, as hackers can leverage misconfiguration of entities that enable ports to communicate with random IP on the web. It's also a good idea to segment your payment processor network from other networks.

Make strict ACLs (access control lists), and apply them on router configuration to keep out unauthorized traffic. Lastly, review POS with direct connectivity and ensure the payment processing environment that houses card data is secure.

Conclusion

It's clear that POS systems will continue to be a prime target for attackers, as criminals repurpose existing malware and develop new malware types to steal payment card information. Retailers that process card data need to follow the recommended security practices and adapt their controls to protect consumer card information, all while keeping themselves updated on the POS threat landscape.

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.