As the holiday shopping season looms large, many customers have the threat of a retail data breach at the forefront of their minds. This has been a banner year for cyber intrusions, and many of the highest-profile attacks involved malware targeting point-of-sale (POS) systems. The Target breach, possibly the most infamous one of all, was caused by malware lurking in the retailer's POS systems.
According to recent research by security firm Damballa, attacks using BackOff POS malware grew dramatically in the third quarter of this year, with infections increasing 27 percent between August and September alone. A statement released by the Department of Homeland Security earlier this year seems to back up these numbers. The DHS warned that more than 1,000 retailers have fallen victim to an attack using BackOff.
There's no doubt that cybercriminals will be active during the holiday season. According to the report, the average company had 37 infected devices on its network in the third quarter of 2014. If the last few months are any indication, the threat to financial information will be high in the weeks leading up to the new year, warned Damballa CTO Ben Foster.
“The threat actors are going to be burning the midnight oil trying to get credit card data going into the holiday season,” said Foster. “Retailers need to be prepared and diligent in the fourth quarter.”
POS malware: An evolution
A report recently released by Cyphort Labs traced the evolution of POS malware over the last few years and described the variants that have arisen as packages and families were customized for specific attacks. The study identified three main families of retail malware associated with three major breaches from the last year: FrameworkPOS at Home Depot, BlackPOS at Target and BackOff at UPS.
“Looking at the modes of operation of the three families one can clearly identify two directions: one from the targeted attacks on Target and Home Depot, and the other from the more generalized approach of Backoff,” wrote researchers with Cyphort Labs. “Targeted attacks are identified by the fact that the attacker chooses the target and specifically designs the attack, while in a general approach, the nature and identity of the victim are unknown to the attacker.”
Both FrameworkPOS and BlackPOS are designed for attacks against specific targets and bundle components for persistence, memory scraping, process enumeration and data exfiltration. Memory scraping reads the POS application's process memory, where card data sits in cleartext between the swipe and the moment it is encrypted for the payment processor. The appearance of this multi-step approach in all-inclusive packages is the result of years of testing and refinement of these attacks in underground environments.
BackOff malware is growing in popularity because it is adept at evading traditional anti-virus software, and several new variants were recently discovered that proved even better at avoiding detection. Where it once disguised itself as a Java component, the new versions of BackOff pose as a media player and hash the names of the Windows APIs they call and of the analysis processes they check for, so neither set of strings appears in the binary for a signature scanner to find. Modifications were also made to the command and control component to make detection more difficult, and a custom packer was added for the same purpose.
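What hashing API and process names buys the attacker, and how a defender turns it around, as an added example not taken from BackOff or the Cyphort analysis. The hash algorithm here is the classic ROR-13 used by many shellcode loaders; it is an assumption for illustration, not BackOff's actual routine. The export table, the blacklist of analysis tools and the sample binary are all constructed for the example.

```python
import struct

def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII bytes of a name (assumed algorithm)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL export table: name -> address.
EXPORTS = {
    "CreateFileW": 0x7FF00010,
    "ReadProcessMemory": 0x7FF00020,
    "OpenProcess": 0x7FF00030,
    "VirtualAlloc": 0x7FF00040,
}


def resolve_by_hash(exports: dict, target_hash: int):
    """Attacker side: find an export whose hashed name matches, so the
    cleartext API name never has to be stored in the malware."""
    for name, addr in exports.items():
        if ror13_hash(name) == target_hash:
            return name, addr
    return None


# Defender side: precompute hashes of the APIs and tools a scraper cares about
# and look for the 4-byte little-endian constants instead of strings.
SUSPECT_APIS = ["ReadProcessMemory", "OpenProcess", "VirtualAlloc", "CreateFileW"]
ANALYSIS_TOOLS = ["wireshark.exe", "procmon.exe"]  # assumed blacklist entries


def hashed_constants_in(blob: bytes, names: list) -> dict:
    """Return {name: offset} for every name whose ROR-13 hash appears in blob."""
    found = {}
    for n in names:
        const = struct.pack("<I", ror13_hash(n))
        idx = blob.find(const)
        if idx != -1:
            found[n] = idx
    return found


# Constructed sample "binary": no cleartext API or process names, only hashes.
SAMPLE_BINARY = (
    b"\x90" * 8
    + struct.pack("<I", ror13_hash("ReadProcessMemory"))
    + b"\xcc" * 4
    + struct.pack("<I", ror13_hash("wireshark.exe"))
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(resolve_by_hash(EXPORTS, ror13_hash("OpenProcess")))
    print(hashed_constants_in(SAMPLE_BINARY, SUSPECT_APIS + ANALYSIS_TOOLS))
```

A plain `strings` pass over SAMPLE_BINARY shows no API names, which is the point of the technique; once the hash routine is recovered from one sample, a YARA rule or memory scanner can match on the constants directly, and that rule survives the next repack.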
Lack of awareness benefiting hackers
According to a recent Trend Micro white paper entitled "Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries," POS systems are especially vulnerable to cyber attacks because of the role they play in a business and their exposed network locations. Hackers can gain access to POS stations to install malware in a variety of ways. Attackers can install the malware by hand, although this is difficult because the terminals are almost constantly manned by employees. A different method involves breaking into the company's network and pivoting to a system that shares a connection with the POS terminals. Such was the case in the Target breach, where the attackers first gained network access with credentials belonging to a heating and cooling contractor.
Most organizations fall prey to malware infections not because the attack is sophisticated, but because the enterprise lacks awareness and cannot detect malicious activity on its own network.
“If a retailer is relying on antivirus to protect their point-of-sale machines from malware that is focused on stealing financial information for monetary gain, they are going to lose,” said Foster. “It is still not clear to me that a lot of retailers have got that message.”
Protecting retailers from POS malware
In its white paper, Trend Micro offered a variety of methods for protecting POS terminals from malware, including hardware-based point-to-point encryption (so card data is encrypted in the reader and never reaches POS memory in cleartext), disallowing remote access and frequently deleting cardholder data from the system.
To defend networks against attacks, Trend Micro researchers recommended deploying Deep Security. Its customizable firewall restricts communication into and out of an environment. Deep Security Intrusion Prevention is intended to secure constantly changing networks against exploits: it ships rules that block attempts to exploit a known vulnerability before the vendor's patch has been applied. Deep Security Anti-Malware adds reputation checks, defending not only against malware but against URLs known to be malicious.
With the holiday season almost upon us, consumers are going to be shopping in record numbers. Retailers that take steps to protect their customers' information from hackers will be rewarded with shopper loyalty and increased revenue.