POS threats – time to beef up the protection

Introduction

In many cases the initiation process could have been avoided if only POS terminal developers and shop owners only had a little bit more of a focus on web security.

The internet is an essential part of our lives, at least if you look at the majority of cultures and society’s in the western world. You may argue that it is not an essential or necessary part of a POS terminal, but convenience and productivity is ruling rather than common sense. I am though not saying that it is common sense to exclude internet from POS terminals, on the contrary, I believe it to be or become an essential and perhaps necessary part of a POS terminal in the near future. The reason for this is the increase of cloud based services being used by small and medium sized shops and stores combined with the need of searching of information. The shop owners are working with tight margins for profitability and can’t afford several computers or terminals to handle different things. In the shop they need a computerised, internet connected POS terminal capable of providing several ways of charging customers credit cards or mobile wallets.

This being the landscape to work in, POS terminal producers should start to consider implementing support in their terminals for keeping malicious software and phishing attacks out. CronLab provide a service for web surfing security with great flexibility in its administrative portal. Other providers can offer anti spam software and more.

Actual breaches and different malicious softwares

In June 2015 restaurant and grocery store chain Eataly reported a POS breach [1]. The breach might have exposed credit card details gathered during the period of Jan to April. Another breach reported in the US during the same period involved a US restaurant chain named The Washington Free Beacon, which got a RAM memory scraping malicious software installed, named ”Punkey”. It can be used to compromise any Windows-based POS network. It is said to be hard to crack due to its capability of encrypting compromised data[1].

Trend Micro has discovered a malicious software named MalumPOS, which is designed to target installations of Oracle Micros, a plattform used in the hospitality, food and beverage industries. It is claimed that there are around 330,000 installations of Oracle Micros[2]. The malware is selectively searching for credit card details linked to VISA, MasterCard, American Express, Diner’s Club and Discover. POS attacks aimed at restaurants and smaller merchants are giving the banks headaches[1].

Every card transaction swipe generates a card holder name and account number, possible to use to clone a card for later use. MalumPoS was designed to be configurable. This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list [2].

The malicious software also does a good job in trying to disguise itself to avoid detection and uninstall of the malicious code. MalumPoS disguise itself as an NVIDIA Display Driver in a very sophisticated way[2].

But this is nothing new. Last year 56 million credit card details were stolen from Home Depot and 40 million details were stolen in 2013 from Target[3].

The security company Fire Eye recently discovered a spam campaign where the emails were disguised as job applications. The attached Word documents were fake CV’s with macro code in it, which downloaded another programme called NitlovePOS[4].

And the software gets more and more sophisticated. Version 3 of NewPosThings is capable of disabling security warnings ad use custom packers with anti-debugging methods[6]. Similar to NewPosThings are two other malicious softwares named Punkey and PosEidon[5].

Punkey is designed to inject itself into Windows explorer.exe process and there create registry start-up entries to ensure persistence[5]. It also drops a key logger program, which collects all keys pressed on the keyboard. It also encrypts the collected data with AES and sends the data to a ”Command & Control” server.

PosEidon, discovered by Cisco researchers, is a Trojan and is built up by three components. The loader, the keylogger and the memory scraper. The scraper scans the RAM memory for unencrypted text strings that is detected as credit card details. The keylogger is designed to steal credentials for the LogMeIn remote access application. It deletes encrypted LogMeIn passwords and profiles that are stored in the system registry in order to force users to type them again, at which point it will capture them.

Conclusion

The breaches are not many, but the effects have been substantial. If the attackers increase their efforts to create even more complex malicious software and all involved in developments and procurement of POS terminals continue to ignore the problem, then we are in for some trouble. With emerging new mobile wallets, mobile payment standards and more, the  guess is that the attackers will turn even more interested in this “opportunity”.

So it is time for all involved in development, deployment and procurement of POS terminals to take this seriously. It might not be that difficult to make countermeasures against the attackers. With a great web filter like CronLab’s and a good antivirus software you get far in protecting your customers credit card details.

References:

  1. ”New Alerts About POS Malware Risks”, Tracy Kitten, published 2015-06-09, BankInfo Security web site, http://www.bankinfosecurity.com/new-alerts-about-pos-malware-risks-a-8296?rf=2015-06-10-eb&mkt_tok=3RkMMJWWfF9wsRokuqrPZKXonjHpfsX67O0uXaK0lMI%2F0ER3fOvrPUfGjI4DTsNqI%2BSLDwEYGJlv6SgFSrXEMbp407gPWBY%3D, retrieved 2015-06-25
  2. ”Trend Micro Discovers MalumPoS; Targets Hotels and other US Industries”, Jay Yaneza, published 2015-06-05, TrendMicro blog web site, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29, retrieved 2015-06-25
  3. ”Så plundrar cyberkriminella butiksterminaler på betaldata”, Martin Wahlström, published 2015-05-28, Computer Sweden news web site (in Swedish), http://computersweden.idg.se/2.2683/1.628630/sa-plundrar-cyberkriminella-butiksterminaler-pa-betaldata?utm_source=dmdelivery&utm_medium=email&utm_content=Så%20plundrar%20cyberkriminella%20b&utm_campaign=Säkerhet24%20Nyhetsbrev%202015-06, retrieved 2015-06-25
  4. ”POS Malware Nitlove Seen Spreading Through Spam Campaign”, Chris Brooks, Threat Post web site, published 2015-05-26, https://threatpost.com/pos-malware-nitlove-seen-spreading-through-spam-campaign/113009, retrieved 2015-06-25
  5. ”New POS Malware Emerges – Punkey”, Eric Merrit, published 2015-04-15, Trustwave website, https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges—Punkey/, retrieved 2015-06-25
  6. ”NewPosThings Has New PoS Things”, Jay Yaneza, published 2015-04-01, http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/, retrieved 2015-06-25
  7. ”NewPosThings malware evolves, malicious traffic traced to airports”, Danielle Walker, SC Magazine, published 2015-04-03, http://www.scmagazine.com/suspicious-traffic-came-from-two-us-airports/article/407331/, retrieved 2015-06-25
  8. ”New malware program Punkey targets point-of-sale systems”. Lucian Constantin, PC World, published 2015-04-16, http://www.pcworld.com/article/2910912/new-malware-program-punkey-targets-pointofsale-systems.html, retrieved 2015-06-25
  9. ”New malware program PoSeidon targets point-of-sale systems”, Lucian Constantin, ComputerWorld, published 2015-03-23, http://www.computerworld.com/article/2900310/new-malware-program-poseidon-targets-pointofsale-systems.html, retrieved 2015-06-25

Share this post!