Malware targeting point-of-sale (POS) systems has been a major trend of the last six months or so, with a flock of interrelated malware families being sold, shared, exchanged, tweaked and improved by the various denizens of the cyber underworld.
With easy pickings to be had from under-protected small operations, this pattern is only going to grow until people start fighting back with better system security, and ideally better payment card systems.
How point-of-sale malware works
A few weeks ago I looked at a report highlighting the high levels of data breaches in the retail and food and drink sectors, areas not famed for handling large bank accounts or valuable industrial secrets.
For some time before that, we’ve seen a number of reports on malware strains targeting POS systems. Both here on this blog and elsewhere, I’ve read reports analysing a slew of attacks, all aiming to harvest data from POS systems. The main aim is to pick up small batches of card numbers from mom-and-pop operations where the least attention is payed to best security practices.
These are in a way the opposite of the high-profile, high-sophistication targeted attacks which make most of the headlines these days. Big-name brands are rarely involved, and no huge sums of money are being stolen from any single victim.
Instead, large numbers of smaller targets are being taken for small amounts of cash, in the end making for big windfalls for the bad guys with much less risk of aggressive countermeasures.
These malware families are being diligently worked on to improve and expand their functionality, and as most seem to be available for sale to anyone willing to buy them online, their implementation grows more diverse by the day.
The functionality is used as a standalone data exfiltration technique in more focused attacks, or rolled into more general-purpose crime kits, which can probe for any likely POS data just as they would for anything else of potential value.
In the last week or two, there have been some detailed analyses of some of the major strains, including a multipart blog series from Trustwave’s SpiderLabs, whose annual report inspired my first look at this topic.
More recently, we’ve seen a hugely in-depth study from Team Cymru, a specialized Internet security research firm dedicated to making the Internet more secure. Their report covers several of the major POS-targeting families, particularly one they dub ‘Alina’, and includes some basic recommendations for businesses on how to mitigate such attacks.
Both these studies highlight the complex web of interrelationships between several seemingly different malware strains, the similarities being in the structure of their command and control systems.
This implies some degree of organisation and pooling of ideas and resources. All of this effort is aimed purely at harvesting card info, and converting that info into cash.
What payment systems are affected?
To clear up some misunderstandings from recent pieces on this topic, these problems don’t only affect operations in the US, where the EMV or ‘Chip and Pin’ system hasn’t yet been implemented. There have been reports of data breaches all over the world, but they do share one common trait, they all impact locations where the chip-and-pin system is not widely used.
Outside of the US, this is mainly international hotels where large numbers of foreign guests are processed. In the US, it’s just about anywhere.
The chip-and-pin system itself is not entirely perfect, as we’ve seen some reports of that being bypassed too, but they seem to be almost exclusively physical breaches, where pin-reading machines have been doctored, or replaced with Trojan lookalikes.
That kind of attack is pretty hard to defeat of course – you can be as careful as you like with your anti-virus updates, your software patches and your firewall rules, but if the bad guys can come into your house and replace your PC with an identical-looking one under their control, it’s basically game over.
Mitigation: what can be done to stop point-of-sale attacks?
Chip-and-pin at least provides some protection against the indiscriminate data-harvesting conducted by the likes of ‘Alina’, ‘Vskimmer’ and ‘Dexter’. Once it is properly and universally adopted, with no-one anywhere carrying old-style, easily copied ‘Track 2’ style cards, this whole cabal of scammers should be out of business.
In the meantime, there are some things business owners can do to protect themselves, starting with the basics of ensuring all software running on their customer-facing networks is kept up-to-date with the latest patches. They should also ensure that any services allowing remote access have secure passwords – many of these attacks have simply used default passwords in common tools to penetrate networks.
In happier news, a convicted Romanian carder has invented a device which protects ATMs from card-skimming add-ons. Joy.