Don’t think for an instant that once POS malware is defeated the first time, it’s gone for good. These attacks have a habit of resurrecting themselves, with a lot of help from criminal hackers.
“The U.S. Secret Service and Trustwave researchers identified, analyzed, and named the Backoff POS malware, which has affected at least 1K businesses across the country,” says Karl Sigler, Threat Intelligence Manager, Trustwave. But while the security world is buzzing about Backoff POS and the BlackPOS malware that infiltrated Target last year, other POS malware is afoot, evolving, and potentially surging and resurging at any time.
“With each POS malware success—in terms of media coverage and organizational disruption—it’s also likely that attackers are contemplating even more aggressive methods of accessing valuable data,” says Gregg Aamoth, Co-Founder, POPcodes and former vice president and privacy officer, Macy’s, Inc.
With that, CSO opens a sort of “Pandora’s Box” of POS malware strains including Dexter, Alina, vSkimmer, TriForce, and OG, examining their ilk, ebb, and flow, and outlining the solution to POS malware attacks.
Old POS malware could be new again
POS malware strains such as Dexter, Alina, and vSkimmer have been the focus of security experts since prior Backoff POS, says Aamoth. Dexter infiltrated systems with stealth, stole process lists, and sorted through memory dumps to acquire payment card data. It further leveraged a command and control server. “Dexter was also the first POS malware family to add a keylogger to its toolset,” says Aamoth.
Once security professionals logged Dexter’s behaviors and revealed its server domains, it became less effective so long as potential victims took note, plugged holes in security, and updated security technologies that use signatures to recognize known malware behaviors. But Dexter still threatens stores that do nothing and it will almost certainly evolve, successfully applying new behaviors and domains to future attacks.
Alina had a number of capabilities, taking an approach similar to Dexter’s. But Alina could update itself while on the infected system, making it more nimble. Though the industry has learned its behaviors, the same rules apply: it is a threat in its known form to those who do nothing, and it can evolve to envelope new behaviors, wreaking havoc again.
The VSkimmer POS malware or virtual skimmer updates firewall rules and makes a number of computer system changes to hide and accommodate itself. It can copy data to a USB drive when the Internet is not available for data transfers. As with other POS malware, if the enterprise doesn’t take the necessary mitigation steps, it risks suffering from the current version of this attack. And the enterprise that doesn’t do enough to protect itself could remain at risk to future forms of vSkimmer.
As for these warnings and premonitions, the same could be said for other POS malware including the new Soraya strain, the TOR-based Chewbacca, and Citadel. About any group with the right coding skills could grab one of these, insinuate adds and changes, and launch new attacks using new server addresses.
POS Malware Going Out of Style
TriForce and OG are two POS malware strains that are growing less effective, each with good reason. “We still see TriForce. It was the third most prevalent POS malware in the past year,” says Sigler. But TriForce has its weaknesses, stemming largely from a lack of funding. Funding is an issue with lesser POS malware.
Third-party vendors are not in the security business. They want to provide service in the most cost-beneficial manner they can. Security doesn’t demonstrate an up-front benefit.
Karl Sigler, Threat Intelligence Manager, Trustwave
While some criminal groups can afford to outsource their code in order to get quality programmers, others cannot. The hackers who wrote TriForce POS coded it in such a way that it eats up more system resources than it should. The lower quality work demonstrates that these hackers didn’t have the funding to hire skilled coders. Once the industry became familiar with TriForce and its behaviors, its odds of success diminished.
OG POS is dated. “The OG POS malware family is four years old and has fallen out of fashion,” says Sigler. Because they also lacked funding, the criminals who created OG POS built it using the tools that they could most easily access. Though OG suited their needs at the time, it never used encryption to conceal payment card data while they exfiltrated it. DLP programs can recognize the data leaving the enterprise. This weakness contributed to OG POS’ ultimate downfall.
How POS malware enters
According to Sigler, criminal hackers are getting POS malware in by using brute force tools such as Medusa or THC-Hydra in automated attacks against the poor login credentials of the third-party vendors that support POS systems remotely. “A lot of businesses buy or rent POS systems and count on those vendors for support,” says Sigler. The third-party vendors connect remote desktop software such as LogMeIn, Chrome Remote Desktop, and Apple Remote Desktop to the POS systems they support. These POS system vendors often use easily guessed usernames and passwords with this software, which are the kinds of credentials that brute force tools look for.
To find the remote desktop software and its login pages, hackers scan networks using free, standard OTS tools that do port scanning, looking for live IP addresses where the ports for remote desktop software are open. “They even use botnets to do the scanning for them,” says Sigler.
Why POS malware is effective, what to do about it
“These third-party vendors are not in the security business. They want to provide service in the most cost-beneficial manner they can. Security doesn’t demonstrate an up-front benefit. They can’t say they saved X amount of money by using security. It takes a few successful attacks for them to learn to apply basic security,” says Sigler.
But any business, including third-party vendors that serve stores’ POS systems can take measures to block POS malware attacks. First, they should assign strong passwords to remote access software and to PCs that house this software. By using longer, stronger passwords that are not common and that no one in the organization has previously used, companies can circumvent the password dictionaries inside brute force attack software. Employees should not document, share, or disclose any passwords. It is a good idea for these vendors to update passwords regularly. “Two-factor authentication methods increase the security of passwords that attackers can compromise,” says Sigler.
Third-party vendors should use only select computers set aside for technical support to connect to POS systems with remote access software. Only authorized personnel should be able to access these computers. No one should use these computers for web browsing or any purpose other than as the company intends. A good firewall should help with that.
To detect POS malware, POS system vendors should monitor outbound network traffic and any traffic intended for systems outside their control, according to Sigler.