The Evolution of PoS Attacks – More sophisticated and Targeted than Ever

  • Posted on:December 2, 2015
  • Posted in:Malware, Security, Small Business
  • Posted by: Ed Cabrera (Chief Cybersecurity Officer)

According to the Trend Micro Q3 2015 Security Roundup, “Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks,” Point of Sale (PoS) Random Access Memory (RAM) malware targeting Small to Medium Businesses (SMBs) is on the rise. Some threat actors have now industrialized PoS RAM malware by deploying traditional mass-infection tools such as spam, botnets and exploit kits, which we expect to be a sizeable threat for SMBs for the foreseeable future.

PoS RAM malware is only the most recent threat that SMBs have faced. In fact, they have been the target of opportunity for criminal gangs for centuries. Historically, and to a much lesser extent today, SMBs were cash-based enterprises that largely faced physical theft of goods, services, cash and checks. It was not until the 1980s that we saw a fundamental shift to, and reliance on, noncash payment systems, including general-purpose and private-label card systems, automated clearinghouse (ACH), and checks. Fraud losses in noncash payment systems alone have increased from approximately $110 million in 1980 to more than $16 billion in 2015.

Large-scale payment card data theft facing SMBs prior to the 1990s was concentrated in physical breaches, whereby card data and even bank account data were physically compromised through skimming operations (physical copying of track data from the magnetic stripe). Even with the advent of new, more complex payment systems, criminal gangs still predominantly targeted SMBs at the local level. They continue their offensive today through targeted skimming operations against financial, hospitality and retail organizations.

Cyber comes into play

The globalization of the Internet in the 2000s ushered in the globalized cybercriminal gang. This new brand of criminal enterprise has evolved along with the ecosystem that supports it, the Deep Web. Cybercriminals have been extremely successful in adapting not only to technology advances in payment systems but equally to their associated security controls.

In the early 2000s they targeted businesses that processed, transmitted and/or stored large amounts of unencrypted payment card data, as evidenced by breaches at large retailers such as TJX and processors like Heartland Payment Systems. Likely in response to Payment Card Industry mandates requiring the use of strong encryption for all payment card data at rest and in transit, by the mid-2000s cybercriminals had adapted and begun focusing their efforts on harvesting card data in memory.

Even though, by most accounts, PoS RAM malware was let loose around 2008, it didn’t really gain wide attention until the massive Target breach and the numerous other retail breaches of 2013 and 2014.

What has made PoS RAM malware and the cybercriminal groups behind its use so effective? It has been the evolution of both the malware and the threat actors behind it. Today, PoS RAM malware is highly specialized and customizable:

  • Customization usually comes in a single binary package, including varied networking functionality (e.g., File Transfer Protocol [FTP], Tor, HTTP) to receive commands from command-and-control (C&C) servers
  • Exfiltrates stolen card data to remote servers
  • Leverages encryption for secure exfiltration through multiple channels
  • Equipped with kill-switch functionality to effectively remove all traces of a breach
  • Incorporates development kits for further customization for targeted attacks
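The C&C and exfiltration channels listed above (FTP, Tor, HTTP) are all visible as egress traffic from the PoS segment, which is where a defender can look for them. The following is an added example, not code from the original post or from Trend Micro: it parses a constructed, simplified firewall export and flags any connection from an assumed PoS VLAN (10.20.0.0/16) that is not to the assumed payment gateway (203.0.113.10:443), tagging the ports associated with the channels the post names. The subnet, gateway address, port list and log format are all assumptions for illustration.

```python
"""Flag PoS-segment egress that matches the C&C/exfiltration channels named above.

Added example, not Trend Micro code. Assumptions (labelled): PoS terminals live in
10.20.0.0/16; the only approved destination is the payment processor 203.0.113.10:443
(documentation range); the log format is a constructed, simplified firewall export.
"""
import ipaddress
import re
from collections import Counter

POS_NET = ipaddress.ip_network("10.20.0.0/16")          # assumption: PoS VLAN
ALLOWED = {("203.0.113.10", 443)}                        # assumption: payment gateway
# Ports associated with the channels the post lists: FTP, Tor (OR/dir/SOCKS), plain HTTP
SUSPECT_PORTS = {21: "ftp", 9001: "tor-or", 9030: "tor-dir", 9050: "tor-socks", 80: "http"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec):
    """Return a reason string if this record deserves an alert, else None."""
    src = ipaddress.ip_address(rec["src"])
    if src not in POS_NET:
        return None                                   # only PoS hosts are in scope
    if (rec["dst"], rec["dport"]) in ALLOWED:
        return None                                   # approved processor traffic
    if rec["dport"] in SUSPECT_PORTS:
        return f"pos-egress-{SUSPECT_PORTS[rec['dport']]}"
    return "pos-egress-unapproved"                    # anything else off the allowlist

def scan(lines):
    """Run classify() over every parseable line; return (src, dst, dport, reason) tuples."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                  # skip malformed lines
        reason = classify(rec)
        if reason:
            alerts.append((rec["src"], rec["dst"], rec["dport"], reason))
    return alerts

# Constructed sample firewall export (not a real capture)
SAMPLE_LOG = """\
2015-12-02 10:01:05 src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp action=allow
2015-12-02 10:01:09 src=10.20.4.17 dst=198.51.100.23 dport=21 proto=tcp action=allow
2015-12-02 10:02:44 src=10.20.4.22 dst=198.51.100.77 dport=9001 proto=tcp action=allow
2015-12-02 10:03:01 src=10.30.1.5 dst=198.51.100.23 dport=21 proto=tcp action=allow
2015-12-02 10:03:30 src=10.20.4.17 dst=192.0.2.9 dport=8443 proto=tcp action=allow
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    alerts = scan(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print(Counter(a[3] for a in alerts))
```

The point of the allowlist check is that a PoS terminal has a very small legitimate set of destinations, so "anything else" is a usable alert condition even when the malware uses a channel not on the port list; the port tags only add context for triage.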

These cybercriminal groups have evolved as well and have successfully targeted and infected thousands of PoS terminals in large retailers to aggregate and obtain millions of credit card accounts. Most recently, Hilton and Starwood Hotels reported breaches using PoS malware, although it is still not known which malware family was recovered.

SMBs under assault

During the last few years SMBs have not been immune either. They have been equally affected in aggregate by PoS malware; however, they do not get equal billing when it comes to media attention. According to the Trend Micro Security Roundup, PoS RAM malware detections were up 66 percent, with 47 percent of those targeting SMBs.

This increase in infection rates can be attributed to threat actors leveraging mass-infection tools, including the Angler Exploit Kit, the Andromeda botnet and traditional malware-laced spam. This new infection strategy, coupled with inherently vulnerable SMBs that have little or no cybersecurity strategy or program, ultimately leads to the greatest threat SMBs will face in the coming year.

Recommendations and Solutions

  • Install Payment Application Data Security Standard (PA-DSS)-compliant payment applications
  • Deploy anti-malware security tools with web, file and email reputation to protect against malware attacks
  • Use network, cloud and host-based IDS/IPS tools to shield unpatched vulnerabilities
  • Use trusted firewalls to provide a customizable perimeter around servers
  • Assign a strong password to security solutions to prevent application modification, using two-factor authentication (2FA) whenever possible
  • Ensure checksum comparisons are conducted to validate any automatic updates from third parties
  • Disable unnecessary ports and services, null sessions, and default and guest accounts
  • Enable logging of events and make sure there is a process to monitor logs on a daily basis
  • Implement least privilege and ACLs for users and applications on the system
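The checksum recommendation above is easy to state and easy to get subtly wrong (comparing only a prefix, or installing before the check completes). As an added example, not code from the original post or from Trend Micro, the script below stages a downloaded third-party update, streams it through SHA-256, compares the digest to the vendor-published value in constant time, and deletes the file if it does not match. The payload bytes and the "published" digest are constructed for the demo; in practice the expected digest comes from the vendor over a separate trusted channel.

```python
"""Verify a third-party update against a published SHA-256 digest before installing it.

Added example, not Trend Micro code. Assumptions: the vendor publishes the expected
digest out of band (for example on an HTTPS page); the constructed payloads below
stand in for the downloaded update file.
"""
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_update(path, expected_hex):
    """Return True only if the on-disk file matches the expected digest.

    hmac.compare_digest avoids leaking how many leading characters matched through
    timing; lower-casing tolerates vendors that publish upper-case hex. An unreadable
    file is treated as a failed verification rather than an exception.
    """
    try:
        actual = sha256_file(path)
    except OSError:
        return False
    return hmac.compare_digest(actual, expected_hex.strip().lower())

def stage_and_verify(payload, expected_hex):
    """Write the payload to a scratch file, verify it, and return (ok, path).

    On failure the staged file is removed so an unverified installer is never left
    where an operator or a scheduled task could pick it up.
    """
    fd, path = tempfile.mkstemp(prefix="pos-update-")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    if not verify_update(path, expected_hex):
        os.remove(path)
        return False, None
    return True, path

def remove_staged(path):
    """Clean up a verified staging file after the (out-of-scope) install step."""
    os.remove(path)

# Constructed sample: the "published" digest is computed from the genuine payload here;
# a real deployment would take it from the vendor's release notes, not from the download.
GENUINE = b"pos-app-installer v1.2.3 (constructed sample bytes)\n"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE).hexdigest()
TAMPERED = GENUINE + b"extra-bytes-appended\n"

if __name__ == "__main__":
    ok, path = stage_and_verify(GENUINE, PUBLISHED_SHA256)
    print("genuine update verified:", ok)
    if path:
        remove_staged(path)
    print("tampered update verified:", stage_and_verify(TAMPERED, PUBLISHED_SHA256)[0])
```

The same shape works for a vendor-signed manifest: replace the digest comparison with a signature check over the manifest and keep the stage, verify, then install ordering, since the ordering is what prevents a modified package from ever being executed.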

Trend Micro and its complete security solutions have been very successful in reducing detection time and patching against potential threats. However, only by deploying a multi-layered security program within your organization can a risk management strategy be resilient against cyber attacks.
