2014 Analysis of POS Malware

Abstract

Analysis of POS malware that has infected thousands of merchants in the United States over the last couple of years. Discussion of how attacks are happening, what the Malware does, and how merchants and others can detect and defend against it.

Content

2013 and 2014 had many US merchants affected by POS malware. Using publicly available sources and our own breach investigations, this presentation addresses the following: 1. How merchants are being attacked 2. What Malware does once inside systems 3. How to defend against it

Investigations of malware infection deal with not only how attackers compromised systems, but what data attackers were after and how they took it from the system.

The largest breach of 2013 reported 40 million lost credit card numbers, and 56 million card numbers in the largest breach of 2014.

In August 2014, the United States Secret Service reported that over 1000 merchants had been affected by Back Off Malware. The issue became so dire that during a three month period, three press releases were issued dealing with the threat.

• Homeland Security and US Secret Service Back Off Malware Infection Assessment

• US Cert Alert (TA14-212A) Back Off-Point-Of-Sale Malware

• PCI Security Council Skimming Prevention Guidance

Attack Vector

Attackers, in many cases, are targeting POS systems with Windows embedded operating systems. Typically a card reader connects to a POS system. The card reader captures credit card information and sends it in clear text to the POS system where it is then sent via a TLS connection for authorization.

Ram scraper Malware is installed on the POS system to capture the clear text account data, read the information, and send it out to be sold on the black market (dark net).

Media sources indicated that systems were compromised through a variety of sources. They include (but are not limited to):

1. Direct attacks: (as reported by the US Cert)

2. Email/Phishing attacks: Target phishing email sent to third party vendor

3. 3rd party vendors: Home Depot crooks broke in using credentials from third party vendors

4. Insider threats: Sax Insider Credit Card Breach

5. Social Engineering/Physical Attacks: Michaels terminals were replaced through social engineering distractions

6. Compromise of vulnerable applications: JP Morgan attackers obtained a list of applications which they could crosscheck and attack

Attackers are using publicly available tools and the company's own systems to distribute malware. Attackers used the software distribution system to distribute malware

Malware Behavior

Once on a system, POS malware steals track data, payment account information, and other sensitive information. Each strain of malware is similar.

Reviewing the history of Malware shows it has been an issue since as early as 2008 when Visa Europe published an alert to merchants warning of POS RAM scrapers. The Verizon Data Breach Report in 2009 also reported it.

Since then, we've seen over 27 different version of POS Malware released and found on merchant systems. They have evolved and multiplied as attackers have learned how to avoid malware detection programs.

The behavior of the malware is:

1. To read computer processes that are present on a machine

2. Enumerate those processes

3. Read the memory, threads, and heaps

4. Utilize RegEx search patterns looking for sensitive data.

Data is usually credit card data but can also be passwords, encryption keys, logins, or anything else that can be used to steal data for monetary gain.

Attackers export stolen data from systems in a variety of methods, including email, FTP, File Copy, Tor, HTTP requests to web sites, or SSH/SSL connections.

Attackers send data out in clear text. To avoid a DLP (Data Loss Prevention) program, they hide it through hex encoding, base64 encoding, or encrypting it.

Data is then sold on black markets where attackers can clone cards to purchase items or fraudulently process transactions from E-Commerce merchants.

As Malware gains in popularity, development kits have been created to make it easy for non-programmers to implement. Scripting is also being used to create Malware.

Malware is taking on APT (Advanced Persistent Threat) characteristics in that it is avoiding Malware detection programs, updating itself, and putting logic in place to avoid or self-delete if detected by anti-malware programs. In one case, Malware was resident on systems since 2009.

Contrary to many reports, EMV (Chip and PIN Cards) would not have prevented breaches. It could have prevented card cloning if banks were performing checks of the security features of chip cards. In one case banks failed to perform checks.

Malware Defense

As companies work to defend against the rash of attacks, they can do several things to monitor for and protect their systems.

1. Address known issues.

2. Utilize IDS effectively.

3. Restrict external access. e.g. implement two-factor authentication.

4. Implement a comprehensive vulnerability management program.

5. Learn as much as possible about existing threats to know how to defend against them.

6. Learn about attack vectors. e.g. SET (Social Engineering Toolkit) or Shmoocon's 2014 talk "ADD Complicating Memory Forensics Through Memory Disarray"

7. Configure and use logs correctly: Michael Gough (MI2 Security, Hacker Hurricane) created some excellent resources for malware detection and windows logging. 1. Malware analysis spreadsheet 2. Malware Sentinel tool for Malware discovery 3. Windows Logging Cheat Sheet:

Additional resources

• MasterCards Article on understanding Malware

• Senate Kill chain Analysis

Metadata

Tags: POS, Malware, Breach, PCI, CreditCard theft, Hacking

Primary Author Name: Brandon Benson Primary Author Email: POSMalware@bmbenson.com