Point-of-sale (POS) malware is an information security ailment that, within less than seven years, reached colossal proportions and became more damaging to organizations than almost any other threat. Although this threat is less sophisticated than malware like banking Trojans, it can be hugely destructive due to the following:
- It directly affects many of a brand’s customers.
- It becomes public immediately after being discovered, usually by someone outside the victim organization.
- Its collateral damage involves customers, issuers, card associations and the victim’s own service providers (insurance, anyone?).
I would have collected some information about how much these card breaches cost the victim organizations, but after we all witnessed the Target breach — its detrimental financial results in both hard and soft costs, its damage to the brand and its executive team and the never-ending legal mess it is still struggling to resolve — I think we all get the point.
What Target was a victim of, as well as many other retailers and card processors that suffered a POS malware attack experienced, is the work of cybercriminals and organized cyber gangs who went after card data from customer transactions. The end goal is to rob the data and then use the card information in fraudulent purchases.
POS malware is actually a generic name for a growing number of Trojan families that are designed to scrape point-of-sale terminals’ RAM memory. It is designed to look for, grab and exfiltrate credit and debit card data from the endpoints that process and store it.
The notion of stealing payment card and PIN data is not new. Criminals always found card data to be highly lucrative and still use a number of real-world crimes to skim data in ATMs and card readers. They also try to compromise POS equipment installed at brick-and-mortar retailers to have the data stolen and streamed to them. Some criminals attempted sniffing data sent over Wi-Fi to back-of-the-house servers, but at the end of the day, all those physical crime scenarios demand deeper knowledge to tamper with the equipment and typically involve an insider.
You can easily infer that using POS malware is lucrative because it is considered a much safer and simpler way for cybercriminals to get their hands on large numbers of live payment cards without ever showing their face on security cameras.
What Does POS Malware Do?
Interestingly enough, POS Trojans all essentially work in the same way. They are called RAM scrapers because they aim to scan certain parts of POS terminal memory, find card data in there and send it to their botmaster.
Once a card transaction goes through on the POS terminal side, the card’s data is almost instantly stored on the endpoints the retailer has in place. In most cases the data is encrypted, which is also a compliance requirement for merchants. But while encryption is supposed to fully protect the data, there is a split second in which it is still unencrypted as it waits for authorization to complete, saved in process memory.
That split second is the tiny window of opportunity POS Trojans use to attack. They scan the RAM looking for card data and then scrape it from there, hence the name “RAM scrapers.”
On the technical level, POS RAM scrapers retrieve a list of running processes on the endpoint that handles the data, they load inspect each process’s memory and then they look for card data to grab from it. How did they figure out that they should attack on the RAM level? Well, most application vendors do not encrypt data in memory and for years have considered RAM to be safe. But today, RAM scrapers are generally injected into running processes and can intercept sensitive data from memory in an instant.
The malware scrapes the track-one and track-two card data encoded into the magnetic stripe. This data is valuable because it includes the card holder’s name, primary card number and security code, as well as other information about charge types permitted and some user details. Once they have the data, the Trojan is configured to send it out on a predetermined time, intending to appear as inconspicuous as possible, or it can be exfiltrated by the criminals on demand. Past attacks have shown that the cybercriminals favor sending the data to an intermediate location first and then collect it from there. This process is most likely part of their way to conceal themselves from a potential law enforcement investigation. This method was used in the Target breach, but it is also used by more recent POS malware operations, in some cases even sending the data to a number of places at the same time.
Sitting stealthily on POS terminals or the servers that store the transaction data, these Trojans can amass large numbers of cards and transmit them onward to the attackers and, unless detected, cause more damage with every passing hour.
How Are Retailers Getting Infected With This Stuff?
Unfortunately, getting malware on POS terminals has only been getting easier and easier with time. Is this illogical? Sure. But the reality of things is that, in the past, POS terminals were proprietary equipment issued by different vendors. They were different from one another and not typically open to any type of activity aside from processing payments. It used to be rather tricky to tamper with POS terminals unless one had physical access to the device.
Nowadays, POS terminals are simple computers, with either Windows or UNIX operating systems, which are comparable to using Windows XP. These systems are considered easy to exploit from a technical point of view, especially with the level of resources and sophistication cybercriminals have today. Exploitation possibilities only expand when employees have to use the terminal to receive email from chain store centrals, for example, or when they use the terminal for general Internet browsing, both of which greatly increase the chance of malware infection.
Factors that add more trouble to the mix are updates that need to be pushed to many terminals at once, which therefore require regular remote access to all of them; attackers prey on that event. Also, some merchants hire tech support from their POS vendor or from a third party, which leads to their installing remote control tools on the terminals for troubleshooting — another place for the criminal to try to sneak in. This entry point becomes even easier to manipulate when the merchant keeps the default password for remote access.
So getting into terminals is not all that difficult. Getting into data servers is a bit harder but clearly possible.
All This in Seven Years? When Did It All Begin?
Cyberattacks on point-of-sale terminals date back as far as 2005, when crime gangs began using ARP spoofing attacks to have transient payment card data sent to them. At the time, a group of attackers led by Albert Gonzalez managed to rob the data of over 170 million payment cards within two years.
RAM scraping started a few years later. The earliest official evidence of the scraping malware was described in a 2008 Visa alert. The technical principle used back in 2008 is what enables POS malware to scrape card data to this very day:
“A new type of exploit was identified during recent forensic investigations whereby hackers are installing debugging software on point-of-sale (‘POS’) systems to extract full magnetic stripe data from volatile memory (‘RAM’).”
While it was only available to the cybercrime elite at the time — most likely organized cybercrime lords who had the money to invest into developing this sort of project — RAM scraping became a gold mine for black-hat criminals who understood how to use it against retailers, financial service providers, food and beverage companies and the hospitality industry, to name a few.
It only took commercial cybercrime a couple of years to break through with POS malware for sale. Vendors in the Russian underground began selling Trojans like RDAsrv and mmon.exe (Kartoxa) in 2010 and 2011. By 2012, the source code of malware called BlackPOS was leaked, opening up the underground market to new creations that reused its code in many variations of the same beast. This is also when the most infamous bunch emerged and changed the crime scene forever: Dexter, Alina and vSkimmer became available to criminals on the global level, peddled in Russian-, English-, German- and Spanish-speaking venues.
The ensuing evolution was rapid, but nothing prepared retailers for the 2014 POS malware onslaught that resulted in highly publicized card breaches damaging brands like Target, Home Depot, P.F. Chang’s and many more. That year was the beginning of a new era for RAM-scraping Trojans, which marked the first time POS malware came with actual botnet capabilities, communicating with a central command-and-control (C&C) server, deploying a keylogger on the infected systems and using creative exfiltration schemes to send data to the attackers.
2014 can be called a quantum leap in both the technical makeup and popularity of POS malware, which left victim retailers picking up the pieces in the aftermath of attacks attributed to names such as BackOff, ChewBacca, Debacal, JackPOS, Soraya, BrutPOS, Poslogr, NewPosThings, FrameworkPOS and one of many new versions that sprung from the leaked BlackPOS source code.
Fast Forward to 2015
We only had to deal with five POS malware families up until 2013, faced eight new families in 2014 and then, six months into 2015, we already have seven new families to reckon with — and we still have two quarters to go. It seems that while the inner workings of POS malware are pretty clear at this point, stopping them before damage occurs proves to be the more challenging task.
2015 thus far has brought us names such as PoSeidon, FindPOS, FighterPOS, PunKey, NitlovePOS and MalumPOS, all of which were discovered within a matter of weeks. These Trojans were unearthed by security researchers who investigate actual attack incidents. In many of these emerging families, researchers note that new capabilities were built into the code. For example, a distributed denial-of-service (DDoS) module was added to FighterPOS. PoSeidon now runs a routine to steal remote control credentials from endpoints using LogMeIn. NewPosThings dumps virtual network computing (VNC) passwords, also used for remote control. Operations-wise, Punkey compromised data that was encrypted and sent to numerous C&C servers simultaneously to complicate investigation into where the data went. Moreover, Punkey is configurable malware, meaning it can be used to compromise a variety of POS system types. The most recent predator is MalumPOS: It attacks POS systems running on Oracle MICROS, a platform popularly used in the hospitality, food and beverage and retail industries.
Who Is Behind These POS Malware Attacks?
Actors that engage in this type of card data theft come from a number of crime grades. Overall, there are cybercriminals who facilitate the technical side, which includes the hacking, grabbing and exfiltration of data; on the other hand, there are criminals who facilitate the sale of the data or the actual use of card information in fraudulent card-not-present (CNP) scenarios.
Many times data repositories are sold in bulk to underground shops, which in turn resell them to fraudsters by the unit.
Since it became available for sale in the cybercrime black market, obtaining and using POS malware is simpler than ever. Even novice criminals can buy the malware and pay for technical help in underground venues. In a recent case, one man working alone was able to steal data on over 22,000 payment cards with a RAM scraper-subbed FighterPOS. The man targeted over 100 entities in Brazil using the malware.
POS malware becoming more accessible has resulted in attacks reaching epidemic proportions. With POS malware kits widely available, black-hat attackers don’t have to develop their own code from scratch, but rather ride on existing Trojans that they can enhance. Take, for example, the infamous BlackPOS. After this Trojan’s source code was leaked, the reused code was detected in other malware that accounted for some of the most high-profile attacks. BlackPOS itself has been available in the underground since February 2013, only costing about $2,000 for a basic license. Compared to the price tags of tens of thousands of dollars that used to be charged for banking Trojans, this is a very modest cost for criminals who can then net millions in fraud money.
Becoming More Resilient to POS Malware Attacks
So what is being done to stop POS malware, and what are some ways to become more resilient in the face of this threat? Let’s focus on the core issues:
- Keep malware from ever getting on POS terminals to begin with. The infrastructure that processes payments should be protected by means of a solution that is capable of stopping the exploitation attempt the second it happens, regardless of what new zero-day vulnerability is being leveraged.
- Encrypt that data. The main problem with card data theft is the tiny lapse of time when it is not encrypted. To help close that gap, information security professionals have been stressing the need to enforce end-to-end encryption. Technological solutions that keep the data obfuscated at all times are supposed to foil RAM-scraping attacks. If the data is always encrypted, criminals will end up with nothing they can use even if they do manage to steal it. Breaking the encryption is highly costly and arduous, making it a project most cybercrime gangs would never undertake.
- Block exfiltration attempts the second they occur. Failed in steps one and two? Cover your bases with the proper ability to detect and block the exfiltration of data out of your terminals and servers.
Great! So why doesn’t everyone just do that and shut POS malware down for good? Actually, that’s where things are going right now.
On the compliance side, PCI DSS v3.1 is the current enforcement of a new payment card security standard, which calls for immediately ending the use of the outdated Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. The council demands stronger encryption be used, although many still believe it is not sufficient and should require full-disk encryption on terminals that process card payments.
The White House’s BuySecure executive order was put into place in late 2014 to accelerate the transition to stronger security technologies and the development of next-generation payment security tools. The ongoing transition to EMP cards is underway, with a purpose of deterring criminals from cloning data onto counterfeit cards. Once fully in place, these measures intend to drastically reduce the number and scope of POS malware attacks.
With all of the above, let’s keep in mind that information security is always a function of the organization’s size and the security budget it can put in place to buy technology and educate users about potential threats. Larger organizations are more likely to deploy an effective security and incident response plan. While they are the most lucrative targets for cybercriminals, it is the small and midsize businesses that stand to close down if a breach affects them. SMBs are considered more exposed because they have fewer resources to invest into security and because criminals know this and come after them. For the criminals, it does not really matter if they steal lots of cards from one big place or smaller amounts of cards from many places.
A Piece of Advice
Here are some protective measures that any organization can and must put into place to strengthen its security posture:
- Install specialized security solutions on the endpoints to prevent both the initial exploitation and the eventual data exfiltration.
- Isolate the POS terminals. Set up firewalls to segment the network and keep only those authorized in the protected zones.
- Limit the number of people allowed into protected zones.
- Use two-factor authentication for all access to your protected zones.
- Enforce end-to-end data encryption to the highest extent possible for your organization.
- Advocate and implement compliance best practices in your organization.
Principal Consultant, X-Force Cyber Crisis Management, IBM