
Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?

  • Posted on:December 4, 2014 at 2:37 am
  • Posted in:Malware
  • Author:
    Numaan Huq (Senior Threat Researcher)

The celebration of Thanksgiving and Black Friday last week marks the start of the holiday shopping season for much of the world. For most, this means vacations, family, friends, traveling, and of course, shopping. This is also the time for watching feel-good holiday movie reruns on television. One of my favorite movies is a Steve Martin comedy from the ‘80s called “Planes, Trains & Automobiles.” This blog post is not about that movie, but it does borrow heavily from its title.

PoS Malware, Now Mainstream

It should be remembered that it was around this time last year that U.S. retailer Target suffered one of the largest data breaches in history, in a targeted attack that used the BlackPOS malware. Since the start of this year, point-of-sale (PoS) malware has become mainstream, attacking merchants both big and small. 2014 is also the year when we saw PoS malware mature as a threat. New PoS threats have emerged in time for this year’s holiday shopping season, and we even managed to get a peek inside a PoS scammer’s toolbox.

PoS malware has mostly been confined to retailers and merchants, but it now looks like PoS malware has branched out from shopping malls to airports, metro stations, and parking lots.

Planes

Researchers from security firm Census presented an interesting paper about point-of-sale attacks targeting travelers at DEFCON 2014 last August. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, and the like. Their investigation was carried out inside an airport in Greece, where they targeted a centrally located kiosk in the terminal’s public space. The kiosk let passengers purchase Wi-Fi credits, make VoIP calls, and scan their tickets to check flight times. They found that the kiosk had Internet connectivity, exposed USB ports, poor keyboard input sanitization, no installed antivirus software, and ran with administrator privileges.

The researchers created custom malware and infected the kiosk using a simple web attack. Airlines use the Bar Coded Boarding Pass (BCBP) format on tickets, which contains passenger information; the BCBP specification can be found with a simple Google search. The scanned BCBP data—from either a printed ticket or a QR code on a mobile phone—is decoded in the kiosk’s RAM. Knowing the BCBP format allowed the researchers to scrape that data from the kiosk’s RAM using the same techniques PoS RAM scrapers use to steal payment card data. Their experiments demonstrate that an attacker could just as easily infect such kiosks with PoS malware that steals payment card data.
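To make concrete what the researchers found sitting in plaintext in the kiosk’s memory, here is an added Python example (not code from the Census paper or from this post) that parses the public IATA BCBP “M” layout into named fields and classifies a string as boarding-pass data the way a DLP or forensics rule would. The field table is assumed from the public IATA Resolution 792 layout, and the sample record is constructed in the style of the specification’s own example.

```python
import re

# IATA BCBP "M" format, mandatory items of the first leg: (field name, width).
# Offsets assumed from the public IATA Resolution 792 layout.
BCBP_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("variable_size", 2),
]
MANDATORY_LEN = sum(width for _, width in BCBP_FIELDS)  # 60 characters

# Loose signature of a BCBP record, the kind of pattern a DLP or memory
# forensics rule uses to classify data as boarding-pass PII.
BCBP_SIGNATURE = re.compile(r"M[1-4][A-Z /]{20}E[A-Z0-9 ]{7}[A-Z]{3}[A-Z]{3}")


def parse_bcbp(record: str) -> dict:
    """Split the mandatory items of a BCBP string into named fields."""
    if len(record) < MANDATORY_LEN or record[0] != "M":
        raise ValueError("not an M-format BCBP record")
    fields, offset = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = record[offset:offset + width].strip()
        offset += width
    # The last mandatory item is a hex count of optional bytes that follow.
    fields["variable_size"] = int(fields["variable_size"] or "0", 16)
    return fields


def looks_like_bcbp(text: str) -> bool:
    """True when the text carries what a boarding-pass scanner would emit."""
    return BCBP_SIGNATURE.search(text) is not None


# Constructed sample record in the style of the IATA specification example;
# not data from any real airline, passenger, or kiosk.
SAMPLE = "M1DESMARAIS/LUC       EABC123 YULFRAAC 0834 326J001A0025 100"

if __name__ == "__main__":
    pax = parse_bcbp(SAMPLE)
    print(pax["passenger_name"], pax["pnr"], pax["from_airport"],
          "->", pax["to_airport"], "seat", pax["seat"])
```

Every one of those fields (name, booking reference, route, seat) is recoverable from a single 60-character string, which is why a kiosk that decodes it in memory without isolation is a privacy exposure even before payment data enters the picture.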

Trains

Security firm IntelCrawler recently blogged about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionality. IntelCrawler displayed a picture of a compromised ARST ticket-vending kiosk in Sardinia, Italy. The attackers gained access to the ticket-vending kiosk using Virtual Network Computing (VNC). Customers purchase bus and train tickets from these kiosks, making them lucrative targets for harvesting payment card data. One of the recently discovered PoS RAM scraper families, NewPosThings, attempts to harvest VNC passwords from compromised systems. Other PoS RAM scrapers like BrutPOS and Backoff use Remote Desktop Protocol (RDP) to access the compromised systems.

Automobiles

News came out last Friday that a professional parking facility service provider suffered a compromise of its payment processing systems in 17 parking facilities in the US. A third-party vendor maintains the parking facilities’ payment card systems. The attacker used the third-party vendor’s Remote Access Tool (RAT) to gain access to the payment processing systems, then installed malware that harvested the payment card data collected at the parking facilities. The third-party vendor was not using two-factor authentication for remote access, which made it easier for the attacker to gain entry and exploit the systems. The company’s parking facilities were infected in Chicago, Cleveland, Evanston, Philadelphia, and Seattle—basically, a coast-to-coast infection.

New Targets

From these three cases, we can make the following observations:

  • Cybercriminals are incorporating remote administration functionality into PoS malware, because RAT plus RDP/VNC access gives them entry into payment and e-service kiosks.
  • Any Internet-connected device that processes payment card data should be viewed as a target, regardless of its location. Users should never assume that e-service kiosks in airports, train stations, or even parking lots have the same, or even an adequate, level of security as other kiosks.
  • In a connected world, security policies need to transcend borders. The responsibility for security rests on several key players: the device manufacturer, the service providers and vendors, and even the banks and credit card brands, all of whom must protect consumers.
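The remote-access weaknesses described above (no second factor on the vendor’s remote access, RDP/VNC reaching kiosks directly) translate into a simple triage rule that an operator can run over its own remote-session records. The following Python is an added example, not code from Trend Micro or any product; the session records, the vendor’s address range, the maintenance window and the allowed protocols are all constructed assumptions for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed remote-access session records for payment kiosks (not real logs).
# Format: ISO timestamp, target host, protocol, source IP, account, mfa flag.
SESSION_LOG = """\
2014-11-21T02:14:09,kiosk-chi-07,RDP,203.0.113.45,vendor_svc,no
2014-11-21T10:30:12,kiosk-sea-02,RDP,198.51.100.8,vendor_svc,yes
2014-11-21T03:02:55,kiosk-phl-03,VNC,203.0.113.45,vendor_svc,no
2014-11-21T11:05:40,kiosk-cle-01,RDP,198.51.100.8,vendor_svc,yes
"""

# Policy assumed for this example: the vendor's jump-host range, the approved
# maintenance window (local hours), and the only protocol allowed to kiosks.
VENDOR_NETS = [ipaddress.ip_network("198.51.100.0/24")]
MAINTENANCE_HOURS = range(9, 18)
ALLOWED_PROTOCOLS = {"RDP"}


def parse_sessions(text: str) -> list:
    """Turn the comma-separated records into typed dictionaries."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, proto, src, user, mfa = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "proto": proto, "src": ipaddress.ip_address(src),
                     "user": user, "mfa": mfa == "yes"})
    return rows


def triage(rows: list) -> list:
    """Return (host, reasons) for each session that breaks the access policy."""
    findings = []
    for r in rows:
        reasons = []
        if not r["mfa"]:
            reasons.append("no second factor")
        if not any(r["src"] in net for net in VENDOR_NETS):
            reasons.append("source outside vendor range")
        if r["ts"].hour not in MAINTENANCE_HOURS:
            reasons.append("outside maintenance window")
        if r["proto"] not in ALLOWED_PROTOCOLS:
            reasons.append(f"{r['proto']} not permitted to kiosks")
        if reasons:
            findings.append((r["host"], reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in triage(parse_sessions(SESSION_LOG)):
        print(host, "->", "; ".join(reasons))
```

A session that trips several of these rules at once, as the two night-time logons from outside the vendor range do here, is the pattern the parking-facility compromise above would have produced and is worth an alert rather than a report.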

Additional information and appropriate solutions for PoS malware can be found in our paper, “PoS RAM Scraper Malware: Past, Present, and Future.”

Update as of December 17, 2014, 12:08 PM PST

Reports say that a data breach recently hit another parking service, or some component of its online card processing system. The Atlanta-based offsite airport parking service, Park ‘N Fly, allows customers to reserve parking spaces via an online reservation system. According to Park ‘N Fly’s statement: “While we believe that our systems are very secure, including SSL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated.”

Park ’N Fly provides parking-related services all over the United States and owns, leases, and manages 16 off-airport parking properties in 14 markets, in addition to operating a network for pre-booked parking for 85 affiliates across the US.

Tags: Malware, POS, POS malware, PoS RAM scraper