A Breakdown of Different Types of Point-of-Sale Malware
Smaller banks and retailers may be slow to adopt newer security solutions, which makes them an easy target for online criminals seeking credit card data to steal, sell and use to commit fraud.
Point-of-sale (POS) systems process the transactions consumers make at retailers: when a credit or debit card is swiped, the track data stored on the magnetic stripe is read by the POS system and, for at least a moment, held in plaintext in the memory of the payment application. That window is what the malware below targets. SecurityWeek.com reports on one type of POS malware aimed at these smaller organizations, called TreasureHunt.
But TreasureHunt is just one of many POS malware families discovered in recent years by information security researchers. Here’s a rundown of the different types of POS malware and their various capabilities:
- May be custom-built for a crew that steals and sells credit card data
- Installed using stolen or weak (brute-forced) credentials rather than an exploit
- Creates a registry entry for persistence
- Scrapes credit and debit card data from memory and sends it to a command-and-control server
- Captures Track 1 and Track 2 payment card data by scanning the memory of running processes on the compromised machine, then sends it to a web server over SSL
- Arrives via spam email: an attachment carrying a malicious macro executes and downloads the malware
- Adds itself to the Run registry key so it starts again after a reboot
- Installs a keylogger and scans POS device memory for credit card number sequences
- Captured keystrokes and card numbers are encoded before being sent to exfiltration servers
- The keylogger can also be used to steal passwords, so it may double as the initial infection vector
- Persists by staying resident in memory even after the user logs off, and evades detection with various obfuscation techniques
- Disguises itself as a display driver on the infected system
- Monitors running processes and scrapes memory for payment information
- Targets Oracle Forms, Shift4 systems and other applications accessed via Internet Explorer, which are typical of the hospitality industry
Source: Trend Micro
- Has a low detection rate in the wild because it uses a file infector for persistence and a cleaner component that removes traces of the infection from the system
- Focuses on a single process known to hold card data, which requires prior reconnaissance of the system to identify that process
- Reads the target process's memory through a system API, writes the scraped data to a file and sends it to the attacker's server
- Initial infection begins when a user opens a Word document that fetches a chain of malicious downloaders; these connect to the attacker's command-and-control server and finally install AbaddonPOS
- Infection can also occur via the Angler exploit kit, which drops the same chain of downloaders and then the malware
- Reads the memory of every process looking for credit card numbers, and validates each candidate with the Luhn algorithm
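As an added example, not part of the original article and not code from any of the malware families above, here is a small Python scanner that does what the RAM scrapers in this list do: search a memory image for Track 1 and Track 2 data and keep only candidates whose account number passes the Luhn check. Run against a dump of a payment process, the same logic is a quick triage check for whether card data is sitting unencrypted in memory. The regular expressions, the mask_pan helper and the SAMPLE_MEMORY buffer are assumptions of this example; the memory contents are constructed, and the account numbers are the well-known Visa and Mastercard test numbers plus one digit run that fails Luhn.

```python
import re
from typing import Dict, List

# Track 2 as it sits in RAM: ';' start sentinel, PAN, '=' field separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?;]{0,50})\?"
)
# Track 1: '%' start sentinel, 'B' format code, PAN, '^' cardholder name '^',
# YYMM expiry, service code, discretionary data, '?' end sentinel.
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^%?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?%]{0,60})\?"
)


def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn (mod 10) check; drops random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four, the most a triage tool should ever log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict]:
    """Return Luhn-valid Track 1 / Track 2 candidates found in a memory buffer."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue        # a scraper drops these to cut noise; so does a detector
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group("exp").decode("ascii"),
                "service_code": m.group("svc").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample of what a payment application's memory might hold (assumed
# layout for this example): one Track 1 record, one Track 2 record, and one
# Track 2 shaped digit run that is not a real PAN and fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00junk bytes\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000?"
    b"\x00\x00padding\x00"
    b";5555555555554444=2512101123456789?"
    b"\x00\x00"
    b";1234567890123456=2601101000000000?"
    b"\x00trailing junk"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

The families above differ mainly in scope (every process versus one process chosen after reconnaissance) and in what they do with the hits (write to a file, encode, post to a server); the Luhn filter is what keeps the stolen data small and clean on the attacker's side, and it is the same filter a defender should apply to avoid false positives. The practical point for defenders is that any plaintext track data in a payment process's memory is scrapable, regardless of how the malware got there.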
A few ways to reduce the risk of infection by this type of malware and protect your customers' payment card data:
- Use strong authentication and access controls. Always change default passwords, and enable two-factor authentication on all user accounts; several of the families above get in with nothing more than stolen or brute-forced credentials.
- Keep your devices and systems up to date. Running out-of-date operating systems, browsers, plugins and other software introduces exploitable weaknesses into the systems that handle cardholder data. Invest in an endpoint visibility solution for device insight.
- Detect and block outdated devices from accessing your apps, which can reduce the risk of vulnerability exploitation.
Learn more about new risks to cardholder data and the retail industry in Duo’s Modern Guide to Retail Data Risks: Avoiding Catastrophic Data Breaches in the Retail Industry.
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers that need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the retail industry.
Download our free guide today for a detailed overview of the retail industry's current state of security, and recommendations on safeguarding customer financial information.