With the holiday season upon us, we can expect the annual uptick in cybercriminals targeting merchants. Some of these attacks will involve the usual suspects of phishing attacks, malware and Trojans, but there are two particular attack vectors that are growing both in volume and sophistication: point-of-sale (POS) malware and loyalty card hacks.

Huge Spike in POS Malware

There has been a spike in POS malware over the past couple of years. In 2014, such malware came to be associated with botnet capabilities, increasing its attraction to criminals. Then, from the beginning of 2014 to mid-2015, 15 new families of POS malware were identified, all with more powerful capabilities than previous strains, targeting industries including retail, hospitality, food and beverage and travel.

Lax security, such as infrequent updates and patching at POS terminals, makes these stations the weakest link in the chain. Many also run on Windows XP, which is no longer being patched by Microsoft.

According to Trustwave, around 40 percent of breaches in 2014 were POS-related. ABI Research estimated that the number of POS-related security incidents with confirmed data breaches will reach 600 by the end of 2015.

Smaller companies are more frequently being targeted by cybercriminals, with a shift seen from highly targeted attacks to those launched en masse. Many of these smaller organizations lack the security resources or budget to adequately secure their environment, which can lead to data breaches.

POS malware aims to scrape the memory (RAM) of POS terminals in order to steal credit and debit card data. It is particularly attractive for cybercriminals because rewards can be lucrative and they do not need to be physically present to execute an attack. In some cases, POS terminals are used by employees to receive email or to browse the Internet, both of which increase the chances of a malware infection. The latest POS malware encrypts the data that it exfiltrates, making it hard to know what data has been stolen.

Security incidents caused by POS malware can have negative consequences for a merchant’s brand. In many cases, the stolen card data and personal information can be used to make fraudulent purchases, which will likely dent customer loyalty and brand reputation.

Loyalty Cards Seen as Valuable Targets

There has also been an uptick in security incidents involving loyalty cards. According to the “2015 Colloquy Loyalty Census,” there has been a 26 percent increase in loyalty card scheme memberships in the U.S. since 2013. Additionally, the average household now belongs to 29 loyalty programs, of which 17 are inactive.


Loyalty card accounts tend to be less secure than other types, such as credit and debit accounts, yet they offer some of the same benefits as real money. The cards themselves are also often inadequately protected, in many cases with just a four-digit PIN or password. Consumers tend to use the same passwords for many accounts, which could lead to multiple accounts being compromised after one breach. According to CreditCards.com, of the 27 loyalty-related websites reviewed, half relied on simple PINs or passwords and just one-third used two-factor authentication.
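As an added illustration (not part of the original article), the sketch below shows how a merchant could review loyalty-login logs for the two weaknesses described above: reused credentials being tried across many accounts from one source, and repeated guessing against a single four-digit PIN. The log format, field names and thresholds are assumptions made for this example.

```python
from collections import Counter, defaultdict

PIN_KEYSPACE = 10 ** 4  # a four-digit PIN has only 10,000 possible values

# Constructed sample log (not real data): timestamp, source IP, account, result
SAMPLE_LOG = """\
2015-11-27T09:00:01Z 203.0.113.7 acct=1001 FAIL
2015-11-27T09:00:02Z 203.0.113.7 acct=1002 FAIL
2015-11-27T09:00:03Z 203.0.113.7 acct=1003 FAIL
2015-11-27T09:00:04Z 203.0.113.7 acct=1004 OK
2015-11-27T09:05:10Z 198.51.100.9 acct=2001 FAIL
2015-11-27T09:05:11Z 198.51.100.9 acct=2001 FAIL
2015-11-27T09:05:12Z 198.51.100.9 acct=2001 FAIL
2015-11-27T09:05:13Z 198.51.100.9 acct=2001 FAIL
2015-11-27T09:05:14Z 198.51.100.9 acct=2001 FAIL
2015-11-27T09:05:15Z 198.51.100.9 acct=2001 FAIL
2015-11-27T09:10:00Z 192.0.2.10 acct=3001 FAIL
2015-11-27T09:10:20Z 192.0.2.10 acct=3001 OK
"""

def parse(log):
    """Yield (ip, account, result) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        f = line.split()
        if len(f) == 4 and f[2].startswith("acct=") and f[3] in ("OK", "FAIL"):
            yield f[1], f[2][len("acct="):], f[3]

def analyze(log, min_accounts_per_ip=3, min_fails_per_account=5):
    events = list(parse(log))
    failed_accounts = defaultdict(set)  # ip -> accounts it failed against
    fail_count = Counter()              # account -> number of failed attempts
    for ip, acct, result in events:
        if result == "FAIL":
            failed_accounts[ip].add(acct)
            fail_count[acct] += 1
    # One source failing against many accounts: reused credentials being tried.
    spraying = {ip for ip, accts in failed_accounts.items()
                if len(accts) >= min_accounts_per_ip}
    # Many failures on one account: PIN guessing; report share of keyspace tried.
    guessed = {a: n / PIN_KEYSPACE for a, n in fail_count.items()
               if n >= min_fails_per_account}
    # A success from a flagged source is the account to review and reset first.
    takeovers = [(ip, a) for ip, a, r in events if r == "OK" and ip in spraying]
    return {"spraying_ips": sorted(spraying), "guessed_accounts": guessed,
            "likely_takeovers": takeovers}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The ordinary customer who mistypes once and then logs in (192.0.2.10 in the sample) is not flagged; thresholds should be tuned against a site's normal login failure rate.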

Another concern with loyalty cards is the potential for identity theft. Many loyalty programs store a great deal of information, including names, birth dates, physical addresses, email addresses and payment card details, with some even storing other personal data such as income levels. This sort of information is extremely valuable to cybercriminals and can be used by an attacker to steal a victim's identity.

Cover All Your Bases

As one door closes — which will happen with credit card security as the EMV standard becomes more widely adopted — attackers will look to pry open another. The growth of POS malware and attacks on loyalty cards are evidence of this.

Such attacks are also becoming increasingly sophisticated. Any merchant relying on traditional POS terminals or loyalty programs should ensure that security is extended to these areas. Otherwise, losses could be large, particularly over the holiday season when consumers shop in droves and cybercriminals follow.
