2014 Analysis of POS Malware
Analysis of POS malware that has infected thousands of merchants in the United States over the last couple of years. Discussion of how attacks are happening, what the Malware does, and how merchants and others can detect and defend against it.
2013 and 2014 saw many US merchants affected by POS malware. Using publicly available sources and our own breach investigations, this presentation addresses the following:
1. How merchants are being attacked
2. What malware does once inside systems
3. How to defend against it
Investigations of malware infection deal with not only how attackers compromised systems, but what data attackers were after and how they took it from the system.
The largest breach of 2013 reported 40 million lost credit card numbers, and 56 million card numbers in the largest breach of 2014.
In August 2014, the United States Secret Service reported that over 1000 merchants had been affected by Back Off Malware. The issue became so dire that during a three month period, three press releases were issued dealing with the threat.
Attackers, in many cases, are targeting POS systems with Windows embedded operating systems. Typically a card reader connects to a POS system. The card reader captures credit card information and sends it in clear text to the POS system where it is then sent via a TLS connection for authorization.
Malware is installed on the POS system to capture the clear-text account data, read it, and send it out to be sold on the black market (dark net).
Media sources indicated that systems were compromised through a variety of vectors. They include (but are not limited to):
Direct attacks: (as reported by US-CERT)
Once on a system, POS malware steals track data, payment account information, and other sensitive information. Each strain of malware is similar.
Since then, we've seen over 27 different versions of POS malware released and found on merchant systems. They have evolved and multiplied as attackers have learned how to avoid malware detection programs.
The behavior of the malware is to:
Read the processes present on a machine
Enumerate those processes
Read their memory, threads, and heaps
Use RegEx search patterns to look for sensitive data.
Data is usually credit card data but can also be passwords, encryption keys, logins, or anything else that can be used to steal data for monetary gain.
Attackers export stolen data from systems by a variety of methods, including email, FTP, file copy, Tor, HTTP requests to web sites, or SSH/SSL connections.
Attackers send data out in clear text. To evade a DLP (Data Loss Prevention) program, they hide it through hex encoding, base64 encoding, or encryption.
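As an added defensive example (not part of the original presentation), the Python below shows a DLP-style check that peels hex and base64 layers off an outbound payload before looking for Luhn-valid card numbers, so the encoding trick described above does not hide track data from the check. The regexes, the sample payloads and the test PAN are constructed assumptions.

```python
import base64
import re

# Candidate PAN: 13-19 digits not adjacent to other digits (assumed, simplified pattern).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def luhn_ok(digits: str) -> bool:
    """Luhn check so random digit runs (timestamps, ids) are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decode_layers(payload: str, max_depth: int = 3) -> list[str]:
    """The payload plus each hex/base64 layer peeled off it, up to max_depth deep."""
    views, current = [payload], payload.strip()
    for _ in range(max_depth):
        decoded = None
        try:
            if HEX_RE.match(current) and len(current) % 2 == 0:
                decoded = bytes.fromhex(current).decode("ascii")
            elif B64_RE.match(current) and len(current) % 4 == 0:
                decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            decoded = None  # looked encoded, but no printable text underneath
        if decoded is None:
            break
        views.append(decoded)
        current = decoded.strip()
    return views

def find_card_data(payload: str) -> list[str]:
    """Luhn-valid PANs found in the payload itself or in any decoded layer of it."""
    hits: list[str] = []
    for view in decode_layers(payload):
        for pan in PAN_RE.findall(view):
            if luhn_ok(pan) and pan not in hits:
                hits.append(pan)
    return hits

# Constructed payloads: one track-2-style record (test PAN, not real card data) sent
# in clear text, hex-encoded and as base64 over hex, plus a benign request.
TRACK2 = "4111111111111111=2512101"
SAMPLES = {
    "clear": TRACK2,
    "hex": TRACK2.encode().hex(),
    "nested": base64.b64encode(TRACK2.encode().hex().encode()).decode(),
    "benign": "GET /index.html HTTP/1.1",
}
```

A plain regex over the raw bytes only catches the "clear" sample; decoding first is what makes the hex and nested samples visible.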
Data is then sold on black markets where attackers can clone cards to purchase items or fraudulently process transactions from E-Commerce merchants.
As malware gains in popularity, development kits have been created that make it easy for non-programmers to deploy it. Scripting is also being used to create malware.
As companies work to defend against the rash of attacks, they can do several things to monitor for and protect their systems.
Utilize IDS effectively.
Restrict external access, e.g. by implementing two-factor authentication.
Implement a comprehensive vulnerability management program.
Learn as much as possible about existing threats to know how to defend against them.
Tags: POS, Malware, Breach, PCI, CreditCard theft, Hacking
Primary Author Name: Brandon Benson Primary Author Email: POSMalware@bmbenson.com
Compromise vectors reported in the media also include email/phishing attacks, third-party vendors, insider threats, social engineering/physical attacks, and compromise of vulnerable applications.
Attackers are using publicly available tools and the company's own systems to distribute malware.
Reviewing the history of Malware shows it has been an issue since as early as 2008 when . The also reported it.
Malware is taking on APT (Advanced Persistent Threat) characteristics: it evades malware detection programs, updates itself, and includes logic to avoid anti-malware programs or self-delete if detected by them. In one case,
Contrary to many reports, would not have prevented breaches. It could have prevented card cloning if banks were performing checks of the security features of chip cards.
Learn about attack vectors. e.g. or Shmoocon's 2014 talk
Configure and use logs correctly: Michael Gough (, ) created some excellent resources for malware detection and windows logging. 1. 2. 3.