PoS Malware Poised to Ring in the 2015 Holiday Season
Attacks targeting online retailers have jumped 25 percent from the previous quarter, according to ThreatMetrix, as reported by Tech Week Europe.
Accordingly, a few new and revamped versions of point-of-sale (PoS) malware have made the news recently for their ability to evade detection and target the exact location of customer credit and debit card data - just in time for the holiday season! Just kidding. They’ve probably been around for a while, but we’re now getting to know them better through some great security research.
A point-of-sale (PoS) malware called Cherry Picker is now in its third generation, since emerging in 2011. The malware is adept at hiding itself by using encryption, obfuscation, configuration files and more to remain undetected for a long time, according to DarkReading and Trustwave researchers.
The malware targets the retail industry, specifically food and beverage retailers, scraping customer cardholder data from the memory of infected PoS systems. Earlier this year, a report from Trustwave revealed that PoS systems and assets were associated with 95 percent of breaches found in the food and beverage industry.
RAM scrapers have grown in use, popping up in some of the most high-profile retail data breaches of the year, according to Verizon’s 2015 Data Breach Investigations Report (DBIR).
Verizon 2015 Data Breach Investigations Report (DBIR)
The report also recognized that both large enterprises and small retailers and restaurants saw a continuation of PoS attacks in 2014. Yet, the approach is different for small and large retailers. Smaller retailers were the target of direct PoS device attacks via brute force (password-guessing attacks). Larger retail organizations required a more tiered approach, with PoS compromise only after an initial attack on a secondary system.
Retailers are not the only targets - attackers also move a step up the chain to the PoS vendors that provide the software or services for retailers. That is a smart choice for them, given that one PoS vendor can hold the keys to dozens of retail clients’ systems.
In the cases that Verizon investigated, all of the breached PoS vendors had their remote access credentials compromised, allowing remote attackers to easily harvest cardholder data.
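The brute-force and stolen-credential pattern described above shows up in remote-access logs as a burst of failed logins from one source followed by a success. The following is an added example, not code from the article or from Verizon: a small detector over constructed log lines in a hypothetical format (the `remote-access auth` line layout, user names and addresses are all made up), flagging a source that fails repeatedly inside a sliding window and then logs in.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for a remote-access service on a PoS host.
# The timestamps, user names and RFC 5737 documentation addresses are made up.
SAMPLE_LOG = """\
2015-11-20T02:14:01 remote-access auth FAIL user=admin src=203.0.113.5
2015-11-20T02:14:03 remote-access auth FAIL user=admin src=203.0.113.5
2015-11-20T02:14:05 remote-access auth FAIL user=admin src=203.0.113.5
2015-11-20T02:14:07 remote-access auth FAIL user=pos src=203.0.113.5
2015-11-20T02:14:09 remote-access auth FAIL user=pos src=203.0.113.5
2015-11-20T02:14:11 remote-access auth OK user=pos src=203.0.113.5
2015-11-20T08:30:00 remote-access auth FAIL user=manager src=198.51.100.7
2015-11-20T08:30:20 remote-access auth OK user=manager src=198.51.100.7
2015-11-20T09:00:00 remote-access auth FAIL user=admin src=203.0.113.5
"""

# Hypothetical log format; adapt the pattern to the real remote-access product's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-access auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, timestamp) tuples.

    'bruteforce'               -- a source produced >= threshold failures within `window`
    'success_after_bruteforce' -- a flagged source later logged in successfully,
                                  the signal that a password guess worked
    """
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = recent_failures[src]
            q.append(ev["ts"])
            # drop failures that fell out of the sliding window
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ev["ts"]))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect_bruteforce(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{ts} {kind} src={src}")
```

The second alert kind is the one worth paging on: a burst of failures is noise on any internet-facing login, but a success from the same source right after one means the guessing worked and the account should be treated as compromised.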
But back to Cherry Picker - the malware also draws less attention to itself by focusing on only one process that’s known to contain card data, according to researcher Eric Merritt. Plus, it cleans up after itself, deleting its hardcoded malware and exfiltration file locations as well as its own executable, completely removing any trace of the malware.
Another new PoS malware, AbaddonPoS, was found by Proofpoint researchers in early October during an investigation into a banking Trojan infection. In what seems to be a domino-style infection chain, Vawtrak (the banking Trojan) downloaded a downloader, which downloaded another downloader, which in turn downloaded the shellcode that turned into AbaddonPoS, according to Threatpost.
This type of malware can also obfuscate code, target the precise location of cardholder data and more, showing an advancement in features and complexity.
All of this means PoS malware can be harder to detect on retailer and PoS vendor systems. But aside from detection, another approach is prevention - stopping remote attacks that rely on stolen remote access credentials to access PoS systems directly or to gain an entry point through a secondary system.
With an access security tool like two-factor authentication, attackers can’t log in without access to a user’s personal device. Prevention isn’t dead - we just need to apply some simple and effective security basics, which can reduce risks significantly, instead of layering on complex security solutions that may not be as effective.
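To make the two-factor point concrete, here is an added example (not code from the article or from any vendor) of a login check that requires both a password and a time-based one-time code from an enrolled device, following RFC 4226/6238. The user store, the `pos-admin` account and its password are constructed for the demo; the seed is the public RFC 6238 test-vector seed, so the codes it produces match the published vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo: the 20-byte ASCII seed from the RFC 6238 test vectors, base32-encoded
# as an authenticator app would receive it. Real deployments generate a random seed per user.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed user store (not a real product's schema): a password hash plus the enrolled seed.
USERS = {
    "pos-admin": {
        "password_hash": hashlib.sha256(b"Winter2015!").hexdigest(),  # demo only; use a slow KDF in practice
        "totp_secret": DEMO_SECRET_B32,
    }
}


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_login(username, password, otp, at_time, step=30, skew=1):
    """Both factors must pass: the password and a code from the user's enrolled device.

    `skew` steps on either side of the current one are accepted to tolerate clock drift.
    """
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), user["password_hash"]
    )
    counter = int(at_time) // step
    otp_ok = any(
        hmac.compare_digest(hotp(user["totp_secret"], counter + d), otp)
        for d in range(-skew, skew + 1)
        if counter + d >= 0
    )
    # Evaluate both factors before deciding so a wrong password does not short-circuit
    return pw_ok and otp_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET_B32, now))
    print("password only:", verify_login("pos-admin", "Winter2015!", "000000", now))
    print("both factors:", verify_login("pos-admin", "Winter2015!", totp(DEMO_SECRET_B32, now), now))
```

The design point is the last line of `verify_login`: a harvested password on its own produces `False`, because the second factor is derived from a seed that lives only on the user's device and the server, and a code is valid for roughly one time step. Production code would also rate-limit attempts and reject a code that has already been used within its step.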
Learn more about how to protect against modern attacks in our detailed guide.
Ideal for CISOs, security, compliance and risk management officers, as well as IT admins and professionals, our free eBook: A Modern Guide to Retail Data Risks provides guidance on:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model