The celebration of Thanksgiving and Black Friday last week marks the start of the holiday shopping season for majority of the world. For most, this means vacations, family, friends, traveling, and of course, shopping. This is also the time for watching feel-good holiday movie reruns on television. One of my favorite movies is a Steve Martin comedy from the ‘80s called “Planes, Trains & Automobiles.” This blog post is not about that movie but it does borrow heavily from its title.
PoS Malware, Now Mainstream
It should be remembered that it was around this time last year that U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware. Since the start of this year, point-of-sale or PoS malware have become mainstream and attacked merchants both big and small. 2014 is also the year when we saw PoS malware mature as a threat. New PoS threats have emerged in time for this year’s holiday shopping season and we even managed to get a peek inside a PoS scammer’s toolbox.
PoS malware have been mostly constrained to retailers and merchants, but it now looks like PoS malware have branched out from shopping malls to airports, metro stations, and parking lots.
Researchers from security firm Census presented an interesting paper about point-of-sale attacks targeting travelers at DEFCON2014 last August. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, etc. Their investigations were carried out inside an airport in Greece. They targeted a centrally located kiosk in the terminal’s public space. The kiosk supported functionality for passengers to purchase Wi-Fi credits, make VoIP calls, and scan their tickets to check flight times. They found the kiosk had Internet connectivity, exposed USB ports, poor keyboard input sanitization, no installed antivirus software, and administrator privileges.
The researchers created custom malware and infected the kiosk using a simple web attack. Airlines use the Bar Coded Boarding Pass (BCBP) on tickets, which contain passenger information; BCBP specifications can be found using a simple Google search. The scanned BCBP data—either printed ticket or QR code on mobile phones—is decoded in the kiosk’s RAM. Knowing the BCBP format allowed the researchers to scrape the data from the kiosk’s RAM using the same techniques PoS RAM Scrapers use to steal payment card data. Their experiments demonstrate an attacker could easily infect the kiosks with payment card data stealing PoS malware.
Security firm IntelCrawler recently blogged about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionalities. IntelCrawler displayed a picture of a compromised ARST ticket-vending kiosk in Sardinia, Italy. The attackers gained access into the ticket-vending kiosk using Virtual Network Computing (VNC). Customers purchase bus and train tickets from these ticket-vending kiosks, making them lucrative targets for harvesting payment card data. One of the recently discovered PoS RAM scraper families, NewPosThings, attempts to harvest VNC passwords from compromised systems. Other PoS RAM scrapers like BrutPOS and Backoff use Remote Desktop Protocol (RDP) to access the compromised systems.
News came out last week on Friday that a professional parking facility service provider suffered from a compromise of their payment processing systems in 17 parking facilities in the US. A third-party vendor maintains the parking facility’s payment card systems. The attacker used the third-party vendor’s Remote Access Tool (RA) to gain access to the payment processing systems. The attacker then installed malware that harvested the payment card data collected at the parking facilities. The third-party vendor was not using two-factor authentication for remote access, which made it easier for the attacker to gain entry and exploit the systems. The company’s parking facilities were infected in Chicago, Cleveland, Evanston, Philadelphia, and Seattle—basically, a coast-to-coast infection.
From these three cases, we can make the following observations:
- The cybercriminals are incorporating remote administration functionalities in the PoS malware. This is because the RAT + RDP/VNC functionality allows them entry into payment/e-services kiosks.
- Any Internet-connected device that processes payment card data should be viewed as a target, regardless of its location. Users should never assume that e-service kiosks in airports, train stations, or even parking lots have the same or right level of security as in other kiosks.
- In a connected world, security policies need to transcend borders. The responsibility of security rests on several key players: the device manufacturer, the service providers/vendors, and even the banks and credit card brands–all to protect consumers.
Additional information and appropriate solutions for PoS malware can be found in our paper, “PoS RAM Scraper Malware: Past, Present, and Future.”
Update as of December 17, 2014, 12:08 PM PST
Reports say that a data breach recently hit another parking service or some component of its online card processing system. The Atlanta-based offsite airport parking service, Park ‘N Fly, allows customers to reserve parking spaces slots via an online reservation system. According to Park ‘N Fly’s statement: “While we believe that our systems are very secure, including SLL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated.”
Park ’N Fly provides parking related services all over the United States and owns, leases, and manages 16 off-airport parking properties in 14 markets, in addition to operating a network for pre-booked parking for 85 affiliates across the US.