Cyber Criminals “TARGET” Point of Sale Devices

In the wake of breaches at retailers from Target through Neiman Marcus, cumulating in CNET’s publication on January 12 that at least three more retailers have been breached, we can see a renewed focus on cybercrime in the retail world, always a prime target for credit card theft. Moreover, the carding and underground crowds have become so skilled in the theft and sale of credit cards that days after the attack on Target, the stolen cards were already on sale.

Powering this trend is Point of Sale (POS) malware. In recent years, we have identified increased underground activity in the sale and development of POS malware, with Dexter and Project Hook being the most notable. Howbeit, wherever there is a need, there is a market, so the world is not limited to these specific malwares. A case in point was versions of vSkimmer, POS.CardStealer and Dump Memory Grabber that our analysts came across last month. These are all dedicated Windows-based POS malwares developed in early 2013, but prevalent to this day.

Spy.POSCardStealer

A known POS-Trojan detected by anti-viruses since January 2013. The malware builder was uploaded to the closed Russian forum exploit in December 2013. This tool was analyzed in the Xylibox.com blog in detail, revealing that it searches for Track 2 data from the magnetic strip of the credit card, which is stored in the POS device, and then sends it to the C&C.

vSkimmer POS Trojan

A POS-Trojan that was sold on the Russian underground during 2012 and early in 2013. In March 2013, the builder was uploaded to exploit.in for free download but after a short time it was deleted and uploaded again in October 2013. The Botnet based on this tool was discovered in February 2013 and was widely considered to be Dexter’s successor, with additional functions. The malware detects the card readers, grabs all the information from the Windows machines attached to them, and sends the data to a control server.

DUMP MEMORY GRABBER (Black POS)

A POS-Trojan sold in the Russian underground since February 2013 (a video of the malware in action is available upon request). The malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. The price ranges from $1,800-$2,300 (as of April 2013).

Original post uploaded by the malware seller
Original post uploaded by the malware seller

Conclusion and Recommendations

It seems that the Target breach is poised to be the TJX of the POS world. If TJX brought about a complete rethinking of how credit cards should be processed through the enterprise back-end and in turn gave us PCI-DSS, I think that it is clear today that progress in PA-DSS and the work performed by the POS machine providers is still insufficient to protect customers. It is very likely that we will start to see technologies that are today directed against APT detection in enterprise computers being shifted to POS networks, and perhaps even developing companies and retailers taking a step back from Windows-based machines toward more dedicated, hardened operating systems. Retailers (both large and small) that wish to take action against the threat of card theft should:

  1. Contact their POS supplier and make sure it complies with PA-DSS.
  2. Ensure the POS system is fully up-to-date (and with the death of Windows XP – installed on Windows 7 and up).
  3. Ensure there are security systems (both whitelist- and blacklist-based) installed on the POS system.
  4. Install network-based security systems on the POS network connection.
  5. Be aware of the threat and how to locate and mitigate it.

“Mega Breach” – So What?

We’ve all heard that the software company Adobe (maker of Flash, Acrobat and many more) was hacked and details of 150+ million users were stolen and then circulated on Russian Darknet forums.

yourdata

So you ask yourself – so what?  How does this affect me and my organization? Do I even have an Adobe account?

Well, thechances are that your organization is using Adobe products and many have either opened an account when downloading a sample product or had one created for them by their procurement division when purchasing an Adobe license for them to use (usually without their knowledge).

First of all, let’s review what was actually stolen – a list containing (per each user) a serial number (not interesting), the user’s email (very interesting), an encrypted password (which is easy to break if you know how) and the retrieval question.

So the main risk here appears to be that a hacker will break into the account (by guessing or cracking the password), steal the credit card details and use them. Right?

Well, this is certainly possible (and happens more often than most of us think), but the real risk is email address exposure.

A large percentage of all intrusion into large organizations occur through the use of “spear-phishing”, meaning a targeted email sent to a person within the organization.  

The employee receives a credible-looking email, appearing to be sent from a business partner, conference organizer etc.

The email contains an attachment (most likely a PDF file, Excel sheet or Word doc) or a link.

Opening/clicking the link runs a malicious code that secretly installs itself, and from that moment forth, the network is open to the intruder.

Creating a spear-phishing email is easy. What was difficult until now was obtaining corporate email addresses (previously, hackers had to use social engineering to obtain these). No more! Literally millions of these addresses are now visible to all, making employees whose details have been leaked easy targets. So what needs to be done (because the breach and subsequent exposure can’t be undone)? Here are our actionable recommendations:

  • Cancel the credit card which was used to make the purchase on the site
  • Change the password of users of the Adobe site
  • Conduct a full scan of the computers for malicious files
  • Brief all employees that have leaked Adobe accounts/emails about this breach and the potential spear-phishing attempts that can follow it, and avoid opening any attachments from suspicious and unknown email addresses.

As the (even more recent) Target breach proves, we have not seen the last of these “mega information breaches”, so whenever such an incident is made public, we all need to ask ourselves – does this affect me? And, if so – what do I need to do? Remember, cyber security is not “the IT department’s problem”. We are all an important part of the solution.