POS Malware Analysis


Recently, sophisticated criminal groups have successfully compromised different networks, exploited point-of-sale systems, and stolen massive amounts of credit card data from well-known retailers, including one of the largest retailers in the US, Target Corporation.

One of the key weapons in these criminal groups’ arsenal is customized malware specifically designed to target point-of-sale systems, such as Chewbacca, Backoff, BlackPOS, and Kaptoxa.

POS malware is malicious software expressly written to steal customer payment data, especially credit card data, from retail checkout systems. Criminals often purchase POS malware to steal customer data from a retail organization with the intention of selling the data rather than using it directly.

For example, clothing retailer Eddie Bauer LLC was compromised by POS malware at more than 350 retail stores in the United States, Canada and other international markets from January 2 until July 17, 2016.

Eddie Bauer’s CEO Mike Egeck interestingly described the security breach at Eddie Bauer as “part of a sophisticated attack directed at multiple restaurants, hotels, and retailers,” which is likely an indirect reference to recent security incidents involving POS malware at fast food chain Wendy’s, HEI Hotels and Resorts and software giant Oracle Corp.

POS systems are everywhere and vulnerable to attack. Intrusion methods vary but usually exploit the fact that POS terminals are frequently connected to the same LAN and workstations where employees also manage email accounts and surf the web.

Attacks might also take advantage of other vulnerabilities, such as default logins and single-factor authentication. These weaknesses create a foothold for introducing malware that steals payment card information from a POS terminal by reading its memory after a card swipe (RAM scraping), or that captures valid controller credentials using old-fashioned keylogging techniques.

Cybercriminals attack transaction data that resides in memory because it is the easiest to target. As attacks become more sophisticated and larger in scope, data at rest and in transit will also be targeted. Cybercriminals use POS RAM scrapers to grab the data during the brief moment it sits unencrypted in memory. The credit card information is then sent to the attacker’s remote computers, to be subsequently sold on underground sites.
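Because a RAM scraper has to send the harvested card data somewhere, the exfiltration step is where a defender can catch it. The following is an added example (not code from the article or from any of the named malware families) of that detection idea: it reads constructed outbound-connection records from a POS segment, flags destinations outside a small allowlist of hosts a terminal legitimately needs (the payment gateway and a vendor update server, both invented names), and flags payload excerpts that contain magnetic-stripe track data in the clear. The log format, the allowlist and the sample lines are assumptions; the track-1/track-2 layouts and the Luhn check are the standard ISO/IEC 7813 and ISO/IEC 7812 conventions.

```python
import re

# Constructed sample records from a POS VLAN egress sensor (assumed format, not from the article):
# "<timestamp> <src_ip> -> <dst_host>:<port> <bytes_out> <payload_excerpt>"
# The card numbers are the well-known public test PANs, not real cards.
SAMPLE_LOG = """\
2016-07-17T10:01:02Z 10.20.1.11 -> gateway.payproc.example:443 812 -
2016-07-17T10:01:09Z 10.20.1.11 -> updates.vendor.example:443 2048 -
2016-07-17T10:02:15Z 10.20.1.12 -> 203.0.113.45:8080 15320 ;4111111111111111=25121010000000000000?
2016-07-17T10:03:40Z 10.20.1.13 -> 198.51.100.7:80 9000 %B5555555555554444^DOE/JOHN^2512101?
2016-07-17T10:04:01Z 10.20.1.13 -> gateway.payproc.example:443 600 -
"""

# Hosts a POS terminal legitimately talks to (constructed allowlist).
ALLOWED_DESTINATIONS = {"gateway.payproc.example", "updates.vendor.example"}

# Magnetic-stripe track layouts: track 1 is %B<PAN>^<name>^<YYMM...>, track 2 is ;<PAN>=<YYMM...>
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")

LINE_RE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+) (\d+) (.*)$")


def luhn_ok(pan):
    """Luhn mod-10 check; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(payload):
    """Return masked PANs for any Luhn-valid track-1/track-2 data in the payload excerpt."""
    pans = TRACK1_RE.findall(payload) + TRACK2_RE.findall(payload)
    return [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans if luhn_ok(p)]


def analyze(log_text):
    """Return one finding per suspicious record: unapproved destination and/or cleartext track data."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip malformed records rather than crash the monitor
        ts, src, dst, port, nbytes, payload = m.groups()
        reasons = []
        if dst not in ALLOWED_DESTINATIONS:
            reasons.append("unapproved-destination")
        masked = find_track_data(payload)
        if masked:
            reasons.append("track-data-in-clear")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                             "bytes": int(nbytes), "reasons": reasons, "pans": masked})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['port']} {','.join(f['reasons'])} {f['pans']}")
```

On the sample above the two terminals sending track data to non-allowlisted IP addresses are reported, while the gateway and update-server traffic is not. In practice the allowlist belongs in the POS segment's egress firewall rather than only in a monitor, and the monitor should then alert on every denied connection attempt, since a properly isolated terminal has no reason to try.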

Using remotely controlled POS malware, for example, criminals can operate from outside the countries they attack, making them more difficult to track. Fresh “dumps” of harvested card data can easily be sold via dedicated dump sites anywhere in the world. Buyers can purchase this data to commit online fraud; create and sell fake cards or prepaid cards; or distribute these cards to low-level money mules who commit in-person fraud at retailers or via ATMs.

These POS malware attacks are not very complicated, and security experts emphasize that simple controls and better practices with respect to POS systems can achieve far greater protection for customer data. The following recommendations should be fairly easy to implement effectively and to maintain over time:

  1. Isolate the POS environment from the company’s other networks and online assets.
  2. Change default logins and use multi-factor authentication for POS credentials.
  3. Regularly monitor POS systems for malware and unusual activity.
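The first recommendation, isolating the POS environment, is easy to state and easy to erode as one-off firewall exceptions accumulate. The following is an added example (not code from the article) of a small audit that checks an ordered, first-match-wins rule set against two isolation assertions: POS hosts may only reach an approved payment destination, and the office network may not reach the POS segment at all. The subnets, the rule format and the sample rules, two of which deliberately violate the policy, are constructed for the example.

```python
import ipaddress

# Assumed network layout for the example.
POS_NET = ipaddress.ip_network("10.20.0.0/16")    # POS terminals
CORP_NET = ipaddress.ip_network("10.10.0.0/16")   # office LAN (email, web browsing)
# The only destination a terminal needs: the payment gateway (constructed address).
POS_EGRESS_ALLOWLIST = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed rule set in an assumed format: evaluated top-down, first match wins.
RULES = [
    {"src": "10.20.0.0/16", "dst": "192.0.2.10/32", "port": 443,  "action": "allow"},  # payment gateway
    {"src": "10.20.0.0/16", "dst": "10.10.5.20/32", "port": 443,  "action": "allow"},  # "temporary" wiki access
    {"src": "10.10.0.0/16", "dst": "10.20.0.0/16",  "port": 3389, "action": "allow"},  # helpdesk remote desktop
    {"src": "10.20.0.0/16", "dst": "0.0.0.0/0",     "port": None, "action": "deny"},   # default deny
]


def audit(rules):
    """Return a list of human-readable policy violations found in the rule set."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])

        # Assertion 1: anything leaving the POS segment must go to an approved payment destination.
        if src.overlaps(POS_NET) and not any(dst.subnet_of(a) for a in POS_EGRESS_ALLOWLIST):
            findings.append(f"rule {i}: POS hosts may reach {dst} on port {r['port']}, "
                            f"which is not an approved payment destination")

        # Assertion 2: the office network, where users read mail and browse, must not reach POS hosts.
        if src.overlaps(CORP_NET) and dst.overlaps(POS_NET):
            findings.append(f"rule {i}: office network may reach the POS segment on port {r['port']}")

    # Assertion 3: the set must end with an explicit default deny for POS egress.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and ipaddress.ip_network(last["src"]).overlaps(POS_NET)
            and ipaddress.ip_network(last["dst"]).prefixlen == 0):
        findings.append("no final default-deny rule for POS egress")
    return findings


if __name__ == "__main__":
    for line in audit(RULES) or ["no violations"]:
        print(line)
```

Running the audit on the sample reports the wiki exception and the helpdesk remote-desktop rule; removing both leaves an empty finding list. The same three assertions can be re-run against an exported rule set on every change, which turns the "isolate the POS environment" recommendation into something that is checked rather than assumed.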
