
Once again, point-of-sale malware has been making headlines. A few recent attacks have again brought the importance of protecting against this kind of malware to the forefront of cyber security managers' minds. POS malware has moved in and out of the limelight over the years; one of the most notable examples is the 2013 attack on Target's systems, which impacted more than 40 million people.
POS malware attacks can be devastating to companies' reputations and pocketbooks alike. Target had to pay victims of this attack $10 million, on top of the damage to its brand image from the rampant credit card fraud that followed the breach. The incident serves as a warning to retailers around the world about the consequences of infiltration by POS malware, and events like it, albeit on a smaller scale, continue to occur.
MICROS terminals impacted by breach
One recent POS malware incident hit MICROS, an Oracle division that is one of the world's top three POS service providers, with systems used at more than 300,000 cash registers around the world. In early August, MICROS suffered a security breach that impacted around 700 systems. According to cyber security expert Brian Krebs, intruders inserted malicious code into the support portal for the POS software, which allowed them to steal customer usernames and passwords.
"A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle's network that was then used to compromise additional systems," Krebs wrote. "Among those was a customer 'ticketing portal' that Oracle uses to help MICROS customers remotely troubleshoot problems with their [POS] systems."
Krebs also noted that the malware may be connected to a Russian hacker group called the Carbanak Gang, part of a crime syndicate that has reportedly stolen more than $1 billion from banks and retailers across the globe. That makes this incident hard to brush off: if the group were to gain access to more MICROS portals, or to other Oracle networks and cloud service offerings, it could be very bad news for the tech giant.
PunkeyPOS reemerges
On top of the MICROS breach, other POS malware continues to flourish. According to Security Intelligence contributor Larry Loeb, PunkeyPOS, which came to light earlier this year when it infected hundreds of restaurant sales terminals, now has a companion called POSCardStealer.
The criminal group behind PunkeyPOS uses legitimate LogMeIn credentials. LogMeIn is a program retailers and other businesses use to manage remote devices; in other words, the attackers are simply taking advantage of weak logins to get into these systems. POSCardStealer appeared during a PunkeyPOS attack and would download itself to systems running the LogMeIn software.
"After 14 hours, the crooks would order one of the infected systems to download and install the PoS malware," Softpedia contributor Catalin Cimpanu wrote about the incident. "This was only a test, and if after ten minutes everything worked out, the crooks would tell all compromised systems to do the same."
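The staged rollout described above (one compromised host installs first, and the rest follow only once that test succeeds) leaves a recognisable trace in endpoint telemetry. As an added example that is not from the original article or from the researchers it cites, the following hunting heuristic runs over constructed process-creation events (hypothetical host names, timestamps and file hashes) and flags any new executable that is first seen on a single host and then, after a quiet gap, on many others within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, host, sha256 of a newly executed file).
SAMPLE_EVENTS = [
    ("2016-08-01T02:00:00", "pos-01", "aaaa0000"),  # lone "canary" install
    ("2016-08-01T02:11:00", "pos-02", "aaaa0000"),  # fleet follows ~10 minutes later
    ("2016-08-01T02:11:20", "pos-03", "aaaa0000"),
    ("2016-08-01T02:12:05", "pos-04", "aaaa0000"),
    ("2016-08-01T02:12:40", "pos-05", "aaaa0000"),
    ("2016-08-01T09:00:00", "pos-02", "bbbb1111"),  # ordinary one-off execution
    ("2016-08-03T09:00:00", "pos-07", "bbbb1111"),  # same file two days later: no burst
]


def find_staged_rollouts(events, min_hosts=4,
                         canary_gap=timedelta(minutes=5),
                         burst_window=timedelta(hours=1)):
    """Return {hash: details} for files whose first sighting was a single host,
    followed after at least `canary_gap` by `min_hosts - 1` or more other hosts
    inside `burst_window`. Thresholds are illustrative and should be tuned."""
    sightings = defaultdict(list)
    for ts, host, sha in events:
        sightings[sha].append((datetime.fromisoformat(ts), host))

    flagged = {}
    for sha, seen in sightings.items():
        seen.sort()                      # chronological order
        first_ts, first_host = seen[0]
        # other hosts that ran the same file within the burst window after the canary
        followers = [(t, h) for t, h in seen[1:]
                     if h != first_host and t - first_ts <= burst_window]
        if len(followers) + 1 < min_hosts:
            continue                     # not widespread enough to be a rollout
        delay = followers[0][0] - first_ts
        if delay < canary_gap:
            continue                     # no test pause: looks like a normal bulk deploy
        flagged[sha] = {
            "canary": first_host,
            "followers": sorted({h for _, h in followers}),
            "delay_minutes": delay.total_seconds() / 60,
        }
    return flagged


if __name__ == "__main__":
    for sha, info in find_staged_rollouts(SAMPLE_EVENTS).items():
        print(sha, info)
```

In practice the events would come from an EDR or Sysmon feed, and a hit is a prompt to pull the binary and review which remote-access sessions preceded it, not a verdict on its own.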
The strategy behind POS malware
The MICROS incident and the PunkeyPOS/POSCardStealer attacks are only two of the latest in a long line of cyber threats against retailers running POS software from their sales terminals. Short of going back to pencil and paper transactions, how can businesses prevent these attacks? And how do incidents like the one that impacted MICROS happen in the first place?
Trend Micro researchers noted that there are five main ways that POS attacks happen (although other forms of malware can gain access to your network through these paths, as well):
- Phishing and social engineering: when hackers take advantage of unsuspecting computer users to worm their way into company networks via legitimate-looking emails or surprisingly convincing phone calls.
- Employee on the inside: an employee who willingly serves as an ingress point for malicious activity.
- Vulnerability exploitation: when malware infiltrates a system that hasn't been updated with the latest security patch.
- Non-compliance with PCI DSS guidelines: failure to abide by the industry's regulations concerning security, which evolved last year to include EMV chip usage.
- More sophisticated targeted attacks: when hackers get on the network using advanced techniques.
POS malware like the kind that impacted Target, MICROS and countless others is only one variety of malicious code out there. That leaves the question: how do you prevent these kinds of incidents from happening? Deep packet inspection and application control tools are critical when trying to keep POS malware out of your systems.
Point-of-sale malware sprang into the limelight with the Target hack and other high-profile attacks, and these kinds of malicious programs continue to be a thorn in cyber security managers' sides. Investing in security solutions is part of an effective strategy to keep bad code out of your networks.