Point-of-Sale Malware Continues to Plague Retailers in 2015
If you have credit card data, they will come. While retail data breaches appeared to be in vogue last year, they haven’t exactly gone out of style quite yet - Zoup, a soup eatery chain, and Natural Grocers, a health food chain may be victims of credit card theft, according to Brian Krebs.
Retail data breaches ran the gamut of all types last year, from franchise restaurants like Dairy Queen and Jimmy John’s to major big box retailers like Target and Home Depot. Other types hit by attackers include nonprofits (Goodwill), a shipment and logistics company (UPS), a luxury department store (Neiman Marcus), office supplies (Staples), and even parking service companies.
These companies typically had a few things in common:
- They used third-party point-of-sale (POS) vendors and software to handle customer transactions
- They dealt with customer credit card data
As KrebsonSecurity.com reports, Troy-based POS vendor NEXTEP is currently investigating a breach of their systems. As a provider of POS solutions for restaurants, corporate cafeterias, casinos, airports and other food services, a breach that affects their systems could affect a wide range and high number of individual locations and customers.
One of their clients is Zoup, the chain of soup eateries operating across the northern U.S. and Canada. According to Krebs, sources within the financial industry have identified fraud connected with the chain. The chain is referring breach inquiries to their POS vendor, despite the fact that many major chains that were breached have chosen to investigate internally and notify customers of a breach of their card data - even if their POS vendor was to blame.
In early March, Krebs also reported on a breach of Natural Grocer in which attackers targeted weaknesses in the company’s database servers, moving laterally within their internal network to install malware on their POS systems.
This is a common attack profile, as also reported by Mandiant’s latest M-Threats report, A View from the Front Lines. The security consulting company found that retail data breaches have increased from four to 14 percent over the last year, using their own investigations as a data source.
A typical retail breach starts with exploiting application virtualization technology that allows users to connect remotely to a desktop environment. Mandiant reported that in every case they investigated, they saw a “primary security gap: remote access to the application required only a username and a password. Two-factor authentication would have helped control this attack vector.”
From there, attackers moved laterally within the network by exploiting misconfigurations and finding other weaknesses in order to elevate privileges and gain access to new systems. Password-dumping tools were also used in order to steal Windows passwords, leveraging the lack of two-factor authentication to eventually gain access to the domain controller via open ports from the retail to the corporate domain.
Since all cash registers throughout the retail chain authenticate to the central domain controller, attackers with access to the domain controller could directly install POS malware on all of the registers in each store location. Learn more about the attack process in Inside a Retail Hack: Lateral Movement & Credential-Harvesting.
POS malware is designed to exfiltrate customer payment card data and send it back to a command and control server controlled by the attackers. A certain type of POS malware was used by attackers in January to target POS systems provided by Denver-based Advanced Restaurant Management Applications (ARMA). Several Colorado restaurants that all used ARMA to process their customers’ credit cards were affected, as SteamboatToday.com reported.
The “Backoff” POS malware family was recognized by the U.S. Computer Emergency Readiness Team (CERT) in an advisory released in July of last year. The malware can scrape the memory of POS systems for track data, including account numbers, customer names, expiration dates, etc. The malware can also log keystrokes (steal passwords) and connect with command and control servers.
Since passwords are involved in several stages of retail and POS system attacks, strengthening your authentication security can prevent remote access breaches. As Mandiant recommended in their report referenced earlier, two-factor authentication provides another layer of security by requiring the use of a personal device to verify your identity and grant you access to your applications and networks.
Additionally, POS software providers should consider themselves prime targets for attackers seeking troves of customer payment data to steal. Retailers should rethink contracting with third-party vendors to ensure they’re up to par with PCI DSS and PA DSS requirements, and that they’re practicing best security practices.
To learn more about the latest attacks and how to defend against them, download our ebook, A Modern Guide to Retail Data Risks.
In this guide, we'll explore:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers that need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the retail industry.