The Point-of-Sale (POS) breach of U.S. retail giant Target in December 2013, and last year’s high-profile breaches at Neiman Marcus, Michaels, Dairy Queen, Home Depot, Kmart and Staples, to name a few, have made POS malware notorious to retailers of any size. With the 2015 holiday shopping season in full swing, security firms are warning about new and old POS malware threats lurking in retail’s cyberspace shadows. Be wary of these threats and protect your business by following the tips below.
Types of POS attacks
Hardware: Physical devices attached to the POS system to collect the card data stored on the credit or debit card’s magnetic stripe, a technique referred to as ‘skimming’.
Software: POS malware refers to “RAM scraping” Trojan malware. The malware parses the RAM of a point-of-sale terminal, looking for the credit and debit card data read from the magnetic stripe, which can be seized in the short window before it is encrypted. The malware scrapes that data and exfiltrates it. Once the cybercriminal receives the data, it is often trafficked to create fraudulent credit and debit cards. Since 2014, POS malware has become more sophisticated, adding botnet capabilities with command and control servers, keylogging functionality, and exfiltration schemes that send out the data at a pre-determined time or on demand, to one or more intermediate locations.
Old and new threats
Early detection of POS cyber-attacks is one of the most difficult challenges facing retailers. According to the 2015 Verizon Data Breach Report, retail POS attacks typically take weeks to months to detect.
Recently, two types of malware have been flagged:
1. Cherry Picker
According to researchers at Trustwave SpiderLabs, this targeted POS memory scraper, which runs on Microsoft Windows 7 and XP systems and is controlled through remote administration servers, has been around since 2011. It takes its name from basketball (a cherry picker is a player who, instead of playing defense, waits for a pass near the opponent’s zone to make an easy score): the malware is configured for a single objective, targeting the one specific process that contains credit card data. It uses a memory scraping algorithm together with encryption and obfuscation functions. It also has a cleaner component that removes the malware from the targeted system’s memory once the data has been exfiltrated. The sophisticated functionality, its appearance only in highly targeted attacks, and the low detection rate that results from returning the system to a clean state helped Cherry Picker remain under the radar of many antivirus and security companies.
2. AbaddonPOS
Researchers at Proofpoint discovered this malware in October after noticing it being downloaded during an infection by the banking Trojan Vawtrak. Vawtrak downloaded TinyLoader, a downloader that uses a custom protocol to fetch executable payloads from its command and control server. TinyLoader downloaded another shellcode downloader, which then downloaded AbaddonPOS. In addition to Vawtrak, researchers found two other vectors by which the malware propagates: the Angler Exploit Kit, which uses a browser exploit to download Bedep, which in turn downloads AbaddonPOS; and a malicious Microsoft Office document that downloads Pony Loader, which then downloads Vawtrak, which downloads TinyLoader, mirroring the first infection chain. AbaddonPOS targets credit card information by reading process memory, but exfiltrates the data using a custom binary protocol.
As the growing sophistication of these latest POS malware families shows, this type of threat is constantly mutating. Such attacks can no longer be detected with the simple file signatures that many anti-virus products rely on. Protection is needed that can handle this changing, sophisticated behavior, such as the innovative cybersecurity solution offered by Deep Instinct, which learns on its own to detect unknown malware for which no signature yet exists.
6 steps to protect your business against POS threats
1. Apply a strong password policy. Change the default passwords set during the initial setup of the online payment processing system. Use complex passwords, preferably computer-generated, together with unique account names, and make sure to change them periodically.
2. Make sure your POS software is regularly updated. As with any computer, leaving the system without the latest security patches makes it vulnerable to exploits and attacks, especially because the underlying operating system (usually Windows) is fairly easy to exploit when left unpatched.
3. Block Internet access from the POS computers and terminals, so that web browsing cannot reach malicious websites and phishing e-mails cannot be opened on them.
4. Do not allow IT personnel and administrators to use remote access to the POS systems. Despite the convenience, cyber-criminals can exploit remote access configurations on POS systems to get into the network.
5. If possible, implement Point-to-Point Encryption (P2PE). P2PE is highly recommended; however, it is a complex and expensive endeavor. It requires extensive software and hardware changes at all points of transaction processing — from the POS in the store to the back-end servers in the data center. Furthermore, despite the strong support for P2PE from the payment security community, only four solution providers are certified with the PCI P2PE standard, and at least two of them are located in Europe, adding further difficulty to its implementation.
6. Install a cybersecurity solution that can thoroughly protect your endpoints against initial exploitation and data exfiltration by detecting and preventing unknown threats and sophisticated attack attempts in real time.
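Step 3 above (block Internet access from the terminals) is only enforceable if someone checks what the terminals actually talk to. The script below is an added example, not code from the original post or from Deep Instinct: it reads constructed firewall log lines (the format, the 10.10.5.0/24 terminal subnet, and the allow-listed payment processor and update server addresses are all assumptions) and reports every outbound connection from a POS host to a destination that is not on the allow-list, grouped by terminal and destination so a timed beacon of the kind described under "Software" above stands out.

```python
"""Egress allow-list check for POS terminals (added example, not from the post).

A terminal should only reach the payment processor and the store's own
update/management server. Everything else leaving the POS subnet is reported.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: "timestamp src dst:port action". This is not any
# real firewall product's format. The hourly 08:00-style beacon from
# 10.10.5.21 to 198.51.100.77 is the pattern we want to surface.
SAMPLE_LOG = """\
2015-11-20T02:00:01 10.10.5.21 203.0.113.10:443 ALLOW
2015-11-20T02:00:05 10.10.5.21 198.51.100.77:8080 ALLOW
2015-11-20T02:00:06 10.10.5.22 203.0.113.10:443 ALLOW
2015-11-20T03:00:05 10.10.5.21 198.51.100.77:8080 ALLOW
2015-11-20T03:00:09 10.10.5.23 10.10.1.5:445 ALLOW
2015-11-20T04:00:04 10.10.5.21 198.51.100.77:8080 ALLOW
2015-11-20T04:10:00 10.10.7.4 192.0.2.33:80 ALLOW
"""

POS_SUBNET = ipaddress.ip_network("10.10.5.0/24")   # assumed terminal VLAN

# Assumed allow-list; both addresses are placeholders, not real endpoints.
ALLOWED = {
    ("203.0.113.10", 443),   # payment processor gateway (placeholder)
    ("10.10.1.5", 445),      # internal update/management server (placeholder)
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "action": m["action"]}


def find_violations(log_text, pos_subnet=POS_SUBNET, allowed=ALLOWED):
    """Return {src_ip: [events]} for POS hosts talking to unapproved destinations."""
    violations = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ipaddress.ip_address(ev["src"]) not in pos_subnet:
            continue                      # not a terminal; outside this rule
        if (ev["dst"], ev["port"]) in allowed:
            continue                      # approved destination
        violations[ev["src"]].append(ev)
    return dict(violations)


def summarize(violations):
    """One line per (terminal, destination): hit count plus first and last seen."""
    lines = []
    for src, events in sorted(violations.items()):
        by_dst = defaultdict(list)
        for ev in events:
            by_dst[(ev["dst"], ev["port"])].append(ev["ts"])
        for (dst, port), stamps in sorted(by_dst.items()):
            lines.append(f"{src} -> {dst}:{port} x{len(stamps)} "
                         f"({stamps[0]} .. {stamps[-1]})")
    return lines


if __name__ == "__main__":
    for line in summarize(find_violations(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the only finding is terminal 10.10.5.21 reaching 198.51.100.77:8080 three times, once an hour; the host in 10.10.7.0/24 is ignored because it is not a terminal. In a real deployment the same logic belongs in the firewall's own deny-by-default egress policy, with this kind of report used to confirm the policy is actually in effect.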
To learn more about the powerful protection Deep Instinct offers endpoints and POS terminals, click here.
Wishing you a safe and successful shopping spree!
The data stored on the magnetic stripe is referred to as Track 1 and Track 2 data. Track 1 data is information associated with the actual account; it includes items such as the cardholder’s name as well as the account number. Track 2 data contains information such as the credit card number and expiration date.
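The Track 1 and Track 2 layouts described in the note above are what a responder looks for when confirming whether card data sat unencrypted on a terminal. The following is an added example, not code from the original post or from Deep Instinct: a card-data discovery scan over a buffer already collected during an investigation (a log file, a crash dump, a disk image extract). It matches the standard track sentinels, discards digit runs that fail the Luhn check digit, and reports matches with the PAN masked. The sample buffer, the cardholder name and the use of the well-known test PAN 4111111111111111 are all constructed.

```python
"""Card-data discovery scan (added example, not from the original post).

Finds Track 1 / Track 2 records in a collected buffer so exposure can be
confirmed and the data purged. Findings are reported masked, never in full.
"""
import re

# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, service code
# and discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\?")
# Track 1: '%B' start sentinel and format code, PAN, '^' name '^' YYMM expiry,
# then service code / discretionary data, '?' end sentinel.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})\d*\?"
)


def luhn_valid(pan):
    """Luhn check: the PAN's last digit is its check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI-style masking: first six and last four digits remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Return [(track, masked_pan, expiry_yymm, offset)] sorted by offset."""
    findings = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m["pan"]
            if not luhn_valid(pan):
                continue            # random digit runs mostly fail Luhn
            findings.append((track, mask_pan(pan), m["exp"], m.start()))
    return sorted(findings, key=lambda f: f[3])


# Constructed sample: one Track 1 record, one Track 2 record, and a third
# record whose PAN has a bad check digit and must be ignored.
SAMPLE_BUFFER = (
    "txn=4421 status=ok\n"
    "%B4111111111111111^TEST/CARDHOLDER^2512101000000000?\n"
    "debug: raw=;4111111111111111=25121011234567890?\n"
    "debug: raw=;4111111111111112=25121011234567890?\n"
)

if __name__ == "__main__":
    for track, masked, exp, off in find_track_data(SAMPLE_BUFFER):
        print(f"{track} at offset {off}: {masked} exp {exp}")
```

Two findings come back for the sample (the Track 1 record at offset 19 and the Track 2 record on the next line); the record ending in ...1112 is dropped by the Luhn check. Running this over debug logs and memory dumps from a terminal that should hold no plaintext card data is a quick way to verify that encryption happens where the vendor claims it does.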