According to the Trend Micro Q3 2015 Security Roundup, “Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks,” Point of Sale (PoS) Random Access Memory (RAM) malware targeting Small to Medium Businesses (SMBs) is on the rise. Some threat actors have now industrialized PoS RAM malware by deploying traditional mass-infection tools such as spam, botnets and exploit kits, and we expect it to remain a sizeable threat to SMBs for the foreseeable future.
PoS RAM malware is only the most recent threat that SMBs have faced. In fact, they have been a target of opportunity for criminal gangs for centuries. Historically, SMBs were largely cash-based enterprises (far less so today) that mainly faced physical theft of goods, services, cash and checks. It was not until the 1980s that we saw a fundamental shift to, and reliance on, noncash payment systems, including general-purpose and private-label card systems, automated clearinghouse (ACH) and checks. Fraud losses in noncash payment systems alone have increased from approximately $110 million in 1980 to more than $16 billion in 2015.
Prior to the 1990s, large-scale payment card data theft facing SMBs was concentrated in physical breaches, whereby card data and even bank account data were compromised through skimming operations (physically copying the track data from the magnetic stripe). Even with the advent of newer, more complex payment systems, criminal gangs still predominantly targeted SMBs at the local level. They continue that offensive today through targeted skimming operations against financial, hospitality and retail organizations.
Cyber comes into play
The globalization of the Internet in the 2000s ushered in the globalized cybercriminal gang. This new brand of criminal enterprise has evolved along with the ecosystem that supports it, the Deep Web. Cybercriminals have been extremely successful in adapting not only to technological advances in payment systems but equally to their associated security controls.
In the 2000s they targeted businesses that processed, transmitted and/or stored large amounts of unencrypted payment card data, as evidenced by the breaches at large retailers such as TJX and at processors such as Heartland Payment Systems. Likely in response to Payment Card Industry mandates requiring strong encryption of payment card data at rest and in transit, by the mid-2000s cybercriminals had adapted and begun focusing their efforts on harvesting card data in memory. Encryption at rest and in transit does not cover the moment of use: a PoS application typically holds the full track data in cleartext in its process memory while it assembles the authorization request, and that window is what RAM-scraping malware exploits.
Even though, by most accounts, PoS RAM malware was first let loose around 2008, it did not gain wide attention until the massive Target breach and the numerous other retail breaches of 2013 and 2014.
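To make the “harvesting card data in memory” point concrete, the following is an added example, not code from the Trend Micro post or from any malware family it mentions. It shows the core mechanism shared by a RAM scraper and by a memory-scanning detector: sweep a byte buffer for magnetic-stripe Track 1/Track 2 patterns and confirm each candidate PAN with the Luhn check to discard false positives. The buffer is a constructed stand-in for a process memory dump, the card numbers are the well-known 4111... and 5500... test numbers, and the function names are my own; a real scanner would read live process memory (for example via ReadProcessMemory on Windows) rather than a fixed buffer.

```python
import re

# Track 2 as written on the magnetic stripe: start sentinel ';', 13-19 digit PAN,
# field separator '=', expiry (YYMM), 3-digit service code, discretionary data,
# end sentinel '?'.  This is the pattern most RAM scrapers hunt for first.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Track 1, format B: '%B', PAN, '^', cardholder name, '^', expiry (YYMM),
# service code, discretionary data, '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4; never log or store a full PAN from a scan."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return every Track 1/2 candidate in the buffer, in offset order, with its Luhn result."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": pan,
                     "expiry": m.group(2).decode(), "luhn_ok": luhn_ok(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": pan,
                     "name": m.group(2).decode(errors="replace"),
                     "expiry": m.group(3).decode(), "luhn_ok": luhn_ok(pan)})
    hits.sort(key=lambda h: h["offset"])
    return hits


def likely_card_data(buf: bytes) -> list:
    """Only the candidates whose PAN passes Luhn; this is what a scraper exfiltrates
    and what a detector should alert on."""
    return [h for h in scan_buffer(buf) if h["luhn_ok"]]


# Constructed sample "memory dump" (hypothetical): padding, an unrelated SQL string,
# a Track 2 record with the Visa test PAN, a Track 1 record with the Mastercard test PAN,
# and a Track 2-shaped string whose PAN fails Luhn (a false positive to be filtered out).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"SELECT * FROM orders WHERE id=42\x00"
    + b";4111111111111111=25121011234567890?\x00"
    + b"%B5500000000000004^DOE/JANE^2603101000000000000?\x00"
    + b";1234567890123456=2501101?"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_DUMP):
        print(f"offset={h['offset']:4d} track={h['track']} pan={mask_pan(h['pan'])} "
              f"exp={h['expiry']} luhn_ok={h['luhn_ok']}")
```

The same regex-plus-Luhn logic serves both sides: a scraper loops it over the memory of the PoS process, while a defensive memory scanner or DLP agent runs it over dumps or live processes to prove that cleartext track data is resident and for how long. The false-positive record shows why the Luhn filter matters on either side: raw `;digits=digits?` matching alone generates noise in any large heap.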
What has made PoS RAM malware, and the cybercriminal groups behind its use, so effective? The evolution of both the malware and the threat actors behind it. Today, PoS RAM malware is highly specialized and customizable:
These cybercriminal groups have evolved as well, and have successfully targeted and infected thousands of PoS terminals in large retailers to aggregate millions of credit card accounts. Most recently, Hilton and Starwood Hotels reported breaches involving PoS malware, although it is still not known which malware family was recovered.
SMBs under assault
During the last few years, SMBs have not been immune either. In aggregate they have been affected by PoS malware just as much, but they do not get equal billing when it comes to media attention. According to the Trend Micro Security Roundup, PoS RAM malware detections were up 66 percent, with 47 percent of those targeting SMBs.
This increase in infection rates can be attributed to threat actors leveraging mass-infection tools, including the Angler Exploit Kit, the Andromeda Botnet and traditional malware-laced spam. This new infection strategy, coupled with inherently vulnerable SMBs that have little or no cybersecurity strategy or program, ultimately leads to the greatest threat SMBs will face in the coming year.
Recommendations and Solutions
Trend Micro and its complete security solutions have been very successful in reducing detection time and patching against potential threats. However, only by deploying a multi-layered security program within your organization can a risk management strategy be resilient against cyber attacks; no single product, at the endpoint or elsewhere, closes the cleartext-in-memory window that PoS RAM malware relies on.