2014 Analysis of POS Malware
Analysis of POS malware that has infected thousands of merchants in the United States over the last couple of years. Discussion of how attacks are happening, what the Malware does, and how merchants and others can detect and defend against it.
2013 and 2014 had many US merchants affected by POS malware. Using publicly available sources and our own breach investigations, this presentation addresses the following:
1. How merchants are being attacked
2. What malware does once inside systems
3. How to defend against it
Investigations of malware infection deal with not only how attackers compromised systems, but what data attackers were after and how they took it from the system.
The largest breach of 2013 reported 40 million lost credit card numbers, and 56 million card numbers in the largest breach of 2014.
In August 2014, the United States Secret Service reported that over 1000 merchants had been affected by Backoff malware. The issue became so dire that three press releases dealing with the threat were issued during a three-month period.
Attackers, in many cases, are targeting POS systems running Windows Embedded operating systems. Typically a card reader connects to a POS system. The card reader captures the card data and sends it in clear text to the POS system, which then forwards it over a TLS connection for authorization.
Media sources indicated that systems were compromised through a variety of vectors. They include (but are not limited to):
1. Direct attacks (as reported by US-CERT)
Once on a system, POS malware steals track data, payment account information, and other sensitive information. The various strains behave in broadly similar ways.
POS malware has been an issue since at least 2008, when Visa Europe published an alert warning merchants of POS RAM scrapers. The Verizon Data Breach Report in 2009 also reported it.
Since then, we've seen over 27 different versions of POS malware released and found on merchant systems. They have evolved and multiplied as attackers have learned how to evade anti-malware programs.
The behavior of the malware is:
1. Read the computer processes that are present on a machine
2. Enumerate those processes
3. Read their memory, threads, and heaps
4. Apply regex search patterns to look for sensitive data
The data is usually credit card data but can also be passwords, encryption keys, logins, or anything else that can be monetized.
Attackers exfiltrate stolen data from systems by a variety of methods, including email, FTP, file copy, Tor, HTTP requests to web sites, and SSH/SSL connections.
Attackers often send the data out over clear-text channels. To evade a DLP (Data Loss Prevention) program, they obscure it with hex encoding, base64 encoding, or encryption.
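The regex scanning the malware performs on process memory and the hex/base64 obfuscation it applies before exfiltration are both things a defender can turn around as a DLP check on outbound traffic. The following is an added example, not material from the presentation: it scans constructed HTTP payload samples for Track 2 data or Luhn-valid PANs in raw, hex-decoded and base64-decoded form, so an encoded card number is still caught.

```python
import base64
import binascii
import re

# ISO 7813 Track 2: PAN, '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?' sentinel
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})[^?]*\??")
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")  # 13-19 digit run not embedded in a longer one
HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+=*$")
# Constructed sample payloads (not real traffic); 4111111111111111 is a Luhn-valid test number
SAMPLE_PAYLOADS = {
    "clear": b"POST /gate.php HTTP/1.1 data=;4111111111111111=25121010000000000000?",
    "hex": b"POST /up HTTP/1.1 data=34313131313131313131313131313131",
    "base64": b"POST /up HTTP/1.1 data=NDExMTExMTExMTExMTExMQ==",
    "benign": b"GET /index.html HTTP/1.1 ts=20240115123045",
}

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum: real PANs pass it, so timestamps and other digit runs are filtered out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - ord("0")
        if i % 2 == 1:  # double every second digit from the right, subtracting 9 if it exceeds 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decodings(token: bytes):
    """Yield the token as sent plus its hex- and base64-decoded forms, the encodings attackers use."""
    yield "raw", token
    if HEX_RE.match(token) and len(token) % 2 == 0:
        yield "hex", binascii.unhexlify(token)
    if B64_RE.match(token) and len(token) % 4 == 0:
        try:
            yield "base64", base64.b64decode(token, validate=True)
        except binascii.Error:
            pass
def find_card_data(payload: bytes) -> set:
    """Return {(encoding, 'track2' or 'pan', PAN)} for card data found in one outbound payload."""
    findings = set()
    for token in re.split(rb"[\s&]+", payload):
        value = token.partition(b"=")[2]  # also inspect the value half of key=value fields
        for cand in (token, value) if value else (token,):
            for enc, data in decodings(cand):
                hits = {m.group(1): "track2" for m in TRACK2_RE.finditer(data) if luhn_ok(m.group(1))}
                for m in PAN_RE.finditer(data):
                    if luhn_ok(m.group(1)):
                        hits.setdefault(m.group(1), "pan")
                findings |= {(enc, kind, pan.decode()) for pan, kind in hits.items()}
    return findings
```

Running `find_card_data` over each entry of `SAMPLE_PAYLOADS` flags the clear, hex and base64 samples and leaves the benign request (whose 14-digit timestamp fails Luhn) clean.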
The data is then sold on black markets, where buyers clone cards to purchase goods or fraudulently process transactions at e-commerce merchants.
As POS malware gains in popularity, development kits have been created to make it easy for non-programmers to deploy. Scripting is also being used to create malware.
The malware is taking on APT (Advanced Persistent Threat) characteristics: it evades anti-malware programs, updates itself, and includes logic to evade or self-delete when detected by anti-malware programs. In one case, malware had been resident on systems since 2009.
As companies work to defend against the rash of attacks, they can do several things to monitor for and protect their systems.
2. Utilize IDS effectively.
3. Restrict external access, e.g. implement two-factor authentication.
4. Implement a comprehensive vulnerability management program.
5. Learn as much as possible about existing threats to know how to defend against them.
Tags: POS, Malware, Breach, PCI, CreditCard theft, Hacking