Point-of-sale systems have long been the soft underbelly of retailers’ IT infrastructures. Vulnerable to many forms of malware as well as to hardware devices such as skimmers, they are prime targets for cyber criminals seeking to lift sensitive payment card data. In years past, the combination of weak security within PoS terminals and the widespread use of magnetic stripe cards in the U.S. (much less secure than chip and PIN cards, because once a card’s encoded data has been captured, the attacker has it forever) has made PoS exploits a profitable form of cybercrime:
- North American retailer Target suffered one of the highest-profile PoS-related breaches in history in late 2013. Although many oversights added up to make the incident possible, PoS malware – in that case, the BlackPoS or Kaptoxa strain – played a central part. BlackPoS was capable of siphoning card data fed into compromised PoS terminals that were running a version of Microsoft Windows. After being found in Target’s systems, it later emerged as a cause of a similar breach at Home Depot.
- The PoSeidon software came to the fore as a problem for many hotels, bars and restaurants in early 2015, highlighting the shift in cybercriminal strategy from famous big box retailers to more vulnerable smaller merchants. This approach has the advantage of confusing banks and making it harder for them to figure out which merchants are accountable for payment card fraud, as security researcher Brian Krebs pointed out on his blog.
- In 2012, Trend Micro researchers analyzed the risks that malware posed to PoS systems within the hospitality and retail verticals in particular. Their white paper, “Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries,” even looked at BlackPoS before it came to greater notoriety years later with the incidents at Target and Home Depot. They noted that BlackPoS’s source code is freely available and that it also provides key technical advantages over other PoS malware, such as using FTP to send pilfered data to a server of the attacker’s choosing.
“Many PoS terminals are built using embedded versions of Microsoft Windows,” the researchers wrote. “This means that it is trivial for an attacker to create and develop malware that would run on a PoS terminal, if he can gain access to that terminal and bypass or defeat any running security solutions present. Sufficiently skilled and determined attackers can thus go after a business’s PoS terminals on a large scale and compromise the credit cards of thousands of users at a time. The same network connectivity can also be leveraged to help exfiltrate any stolen information.”
The ongoing evolution of point-of-sale malware: What to know as 2015 comes to a close
As the Trend Micro white paper demonstrated, PoS malware strains are a dime a dozen, offering many viable options to cybercriminals looking to go after big or small merchants around the world. Such threats to PoS systems are particularly problematic during the winter holiday seasons, when many businesses handle a sizable portion of all their yearly commerce in just a few weeks. The National Retail Institute has estimated that December sales alone represent more than 10 percent of yearly totals for retailers, with some specific types of merchants like diamond sellers seeing more than one-fifth of their yearly hauls during the Christmas month. The Target breach notably happened around the late fall/early winter holidays in 2013.
This holiday season, retailers and hospitality providers will once again have to fend off pressure from PoS malware. In mid-November, modifications to the Cherry Picker and Abaddon PoS strains were exposed by cyber security researchers, according to The Register. Between them, they demonstrated advanced techniques such as obfuscation mechanisms and remote administration capabilities, both of which are commonly associated with advanced persistent attacks. Cherry Picker is particularly noteworthy for the fact that it has been around for years, troubling the food and beverage sector and continually adding new capabilities to its arsenal.
As a whole, PoS malware has become highly sophisticated. It’s not just these two recently modified threats; BlackPoS was also notable for variants designed to be operative only during typical business hours (e.g., 10 am to 5 pm), as the Trend Micro researchers observed in the white paper discussed earlier. Moreover, the trend toward a more varied set of targets – i.e., small merchants and not just big ones as in the past – seems to be accelerating as 2015 winds up and 2016 approaches.
SMBs are becoming the primary targets for PoS malware
A Trend Micro TrendLabs report reviewing Q3 2015, “Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks,” found that SMBs bore the brunt of the pain inflicted by PoS malware since many of them lacked adequate defense mechanisms to protect their extensive customer databases. They were also increasingly hit by what the report’s authors called “shotgun”-style attacks that throw a variety of threats at the target in hopes that one of them will connect. This approach is the opposite of that taken by targeted attacks or APTs.
“PoS malware targeting SMBs are not new,” Numaan Huq, Trend Micro Senior Threat Researcher, wrote in the report. “We’ve been talking about them for a while now. What’s new is that cybercriminals have shifted from using targeted-attack-style to traditional mass-infection tools like spam, botnets and exploit kits. What remain unchanged are the risks the malware pose to ordinary individuals making credit card payments.”
The number of PoS malware detections hit a fiscal year high in Q3 2015, at 304, compared to 183 in Q2 and 259 in Q1. SMBs accounted for 45 percent of these incidents in the third quarter, followed by the consumer segment at 27 percent and the enterprise sector at 19 percent. Although the report’s preparers had not expected such a sharp spike in PoS malware activity in Q3, the surge may have been the result of the spread of RAM scraping capabilities to a variety of toolkits for creating PoS threats. New scrapers were also found in the aforementioned Cherry Picker malware that has unfortunately reemerged just in time for the holidays.
Other techniques, such as the ones described by Huq, have also increased the danger posed by PoS malware. Brute force attacks – such as ones designed to guess login credentials – are sometimes dismissed as simplistic and relatively easy to mitigate (e.g., by locking an account after a certain number of failed attempts), but their general thrust of trial and error has carried over into the tactics and strategies of modern PoS malware distribution campaigns. The TrendLabs report described the use of “blast fishing” (a term borrowed from the fishing practice of using dynamite to stun entire schools of fish) to spam a huge number of email addresses with malware-laced messages. A botnet facilitated this wide-bore cyberattack, which was designed to infect PoS systems by any means necessary.
What to do about PoS malware now and in the future
Pushing back against PoS malware requires a two-tier response. On one level, there are consumers, whose cards are the targets of PoS-focused attacks. They can reduce their own level of risk by using the chip and PIN cards that are now being rolled out by many banks and credit card networks, instead of the traditional magnetic strip cards. Chip and PIN technology is the much more secure option of the two.
On another level, there are the merchants themselves. Retailers and other merchants can shield themselves from PoS malware and many other threats through a combination of hardware, software and access controls. Point-to-point encryption in hardware, disabling remote Internet access, keeping security software updated with the latest signatures and implementing application control (whitelisting) technology are a few common measures for tackling the PoS threat.
Beyond that, the use of encryption and tight controls within the company data center and/or on the PoS system directly is essential. Tools such as Trend Micro Endpoint Application Control are tailor-made for preventing PoS malware from ever getting a foothold in the organization. Application Control offers a high-performance, lightweight agent that can be deployed with a lockdown policy that prevents any unknown (or unwanted) application from executing or installing on the PoS system.
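To make the lockdown idea concrete, here is an added example (written for this page, not Trend Micro’s Endpoint Application Control agent or any of its APIs) of a hash-based application allowlist in Python. It builds the allowlist from a golden inventory of the terminal’s known-good executables, then evaluates each launch: known hashes are allowed, everything else is denied in lockdown mode or merely logged in audit mode. The file paths, image bytes and launch events are constructed stand-ins. Note the third event: the trusted path is unchanged but the image bytes differ, which is why the allowlist keys on content hashes rather than paths.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed golden inventory: path -> on-disk image bytes captured while the
# terminal was known to be clean. Real agents would hash the actual files.
KNOWN_GOOD_IMAGES = {
    r"C:\POS\pos_app.exe": b"pos_app build 4.2 - constructed sample bytes",
    r"C:\Windows\System32\svchost.exe": b"svchost - constructed sample bytes",
}


def sha256_hex(data: bytes) -> str:
    """Identity of an executable image is its SHA-256, not its path."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class LockdownPolicy:
    """Allowlist of image hashes; in lockdown mode anything else is blocked."""

    allowed_hashes: set
    lockdown: bool = True  # False = audit-only: unknown images run but are logged
    audit_log: list = field(default_factory=list)

    @classmethod
    def from_inventory(cls, images: dict, lockdown: bool = True) -> "LockdownPolicy":
        """Derive the allowlist from a golden inventory of known-good images."""
        return cls({sha256_hex(image) for image in images.values()}, lockdown)

    def evaluate(self, path: str, image: bytes) -> str:
        """Decide ALLOW / DENY / AUDIT for one launch and record it for review."""
        digest = sha256_hex(image)
        if digest in self.allowed_hashes:
            decision = "ALLOW"
        elif self.lockdown:
            decision = "DENY"
        else:
            decision = "AUDIT"
        self.audit_log.append({"path": path, "sha256": digest[:16], "decision": decision})
        return decision


# Constructed launch events: (path, image bytes the loader is about to execute).
LAUNCH_EVENTS = [
    (r"C:\POS\pos_app.exe", KNOWN_GOOD_IMAGES[r"C:\POS\pos_app.exe"]),
    (r"C:\Users\Public\updater.exe", b"unknown binary in a writable folder - constructed"),
    # Same trusted path, modified image: a path-based allowlist would miss this.
    (r"C:\POS\pos_app.exe", b"pos_app build 4.2 - constructed sample bytes (modified)"),
]


def enforce(policy: LockdownPolicy, events) -> list:
    """Run every launch event through the policy and return the decisions in order."""
    return [policy.evaluate(path, image) for path, image in events]


if __name__ == "__main__":
    policy = LockdownPolicy.from_inventory(KNOWN_GOOD_IMAGES)
    enforce(policy, LAUNCH_EVENTS)
    for entry in policy.audit_log:
        print(f"{entry['decision']:5} {entry['sha256']}  {entry['path']}")
```

Running the policy in audit mode first, before switching to lockdown, is the usual way to find legitimate images that were missing from the golden inventory (updaters, printer drivers, diagnostic tools) without taking a terminal out of service during the busiest weeks of the year.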
Application Control can be used in conjunction with Trend Micro Vulnerability Protection, which provides the ability to virtually patch the legacy operating systems that are often found in PoS environments. Find out more about Application Control and Trend’s PoS solutions today on our official page and ensure that your organization is safe from PoS malware.