Cyber Criminals “TARGET” Point of Sale Devices

In the wake of breaches at retailers from Target through Neiman Marcus, cumulating in CNET’s publication on January 12 that at least three more retailers have been breached, we can see a renewed focus on cybercrime in the retail world, always a prime target for credit card theft. Moreover, the carding and underground crowds have become so skilled in the theft and sale of credit cards that days after the attack on Target, the stolen cards were already on sale.

Powering this trend is Point of Sale (POS) malware. In recent years, we have identified increased underground activity in the sale and development of POS malware, with Dexter and Project Hook being the most notable. Howbeit, wherever there is a need, there is a market, so the world is not limited to these specific malwares. A case in point was versions of vSkimmer, POS.CardStealer and Dump Memory Grabber that our analysts came across last month. These are all dedicated Windows-based POS malwares developed in early 2013, but prevalent to this day.

Spy.POSCardStealer

A known POS-Trojan detected by anti-viruses since January 2013. The malware builder was uploaded to the closed Russian forum exploit in December 2013. This tool was analyzed in the Xylibox.com blog in detail, revealing that it searches for Track 2 data from the magnetic strip of the credit card, which is stored in the POS device, and then sends it to the C&C.

vSkimmer POS Trojan

A POS-Trojan that was sold on the Russian underground during 2012 and early in 2013. In March 2013, the builder was uploaded to exploit.in for free download but after a short time it was deleted and uploaded again in October 2013. The Botnet based on this tool was discovered in February 2013 and was widely considered to be Dexter’s successor, with additional functions. The malware detects the card readers, grabs all the information from the Windows machines attached to them, and sends the data to a control server.

DUMP MEMORY GRABBER (Black POS)

A POS-Trojan sold in the Russian underground since February 2013 (a video of the malware in action is available upon request). The malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. The price ranges from $1,800-$2,300 (as of April 2013).

Original post uploaded by the malware seller
Original post uploaded by the malware seller

Conclusion and Recommendations

It seems that the Target breach is poised to be the TJX of the POS world. If TJX brought about a complete rethinking of how credit cards should be processed through the enterprise back-end and in turn gave us PCI-DSS, I think that it is clear today that progress in PA-DSS and the work performed by the POS machine providers is still insufficient to protect customers. It is very likely that we will start to see technologies that are today directed against APT detection in enterprise computers being shifted to POS networks, and perhaps even developing companies and retailers taking a step back from Windows-based machines toward more dedicated, hardened operating systems. Retailers (both large and small) that wish to take action against the threat of card theft should:

  1. Contact their POS supplier and make sure it complies with PA-DSS.
  2. Ensure the POS system is fully up-to-date (and with the death of Windows XP – installed on Windows 7 and up).
  3. Ensure there are security systems (both whitelist- and blacklist-based) installed on the POS system.
  4. Install network-based security systems on the POS network connection.
  5. Be aware of the threat and how to locate and mitigate it.

One thought on “Cyber Criminals “TARGET” Point of Sale Devices

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s