The continuing threat of POS malware

As attacks increase and hackers realize the profit that stolen data from POS systems could bring, more advanced malware is being created to carry out these incidents.

Point-of-sale systems have seen numerous changes in recent years. With the shift to chip-card readers and the addition of contactless mobile payment technology, POS systems aren't just for swiping cards anymore.

At the same time, two important factors haven't changed – the criticality of having a POS as part of a retailer's transaction process, and the attractive target that these systems offer for malicious hackers. Because POS hardware and software provide an access point through which cybercriminals can more directly view and steal customers' payment information, these systems have always been a high-value hacking objective. And recently, the threats against POS technology have only increased in severity and sophistication.

POS systems provide an easy target

In the past, POS systems were generally considered to be low-hanging fruit for cybercriminals. As noted in this 2014 Trend Micro article, these platforms require a network connection to validate payments and complete transactions. This connection can come over a cellular-data or internal network, and the POS systems themselves typically run on Windows or UNIX operating systems. While this configuration offered users benefits like simplified use as well as streamlined maintenance and updating, it also wasn't difficult for hackers to create malware specifically designed to pinpoint and infect a store's POS.

Physical attacks hinge on hardware

But POS attacks didn't start out this way. In the beginning, criminals used physical hardware devices known as skimmers to steal information stored on payment cards' magnetic stripes. These skimmers sat directly on the POS terminal, and thus had to be installed and removed by the criminals to fulfill their malicious function.

What's more, initial skimmers required the criminal to remain somewhat near the device to gather its payment card data payload. This, combined with the physical hardware component, created considerable risk for cybercriminals. At the same time, this often wasn't too large of a deterrent – card skimmers are still being used and discovered today. Many of the newer models have remote receivers that can send stolen data directly to the criminal behind the attack, reducing the level of risk and increasing the potential payout.

With stolen data in hand, the hacker can sell the information on underground marketplaces, look to complete individual profiles for identity theft or leverage the details for a whole host of other fraudulent and malicious purposes.

POS-specific malware: RAM scrapers

By now, hardly a week goes by without news of a newly discovered data breach in the retail sector, and many of these episodes take place through the use of POS malware. As attacks increase and hackers realize the profit that stolen data from POS systems could bring, cybercriminals are creating more advanced malware to support their nefarious exploits.

Many hackers have sought out new ways to infect POS systems that don't require the use of a physical skimmer. Enter RAM-scraping malware, which is still a popular method among cybercriminals today. RAM scrapers are so named because these infections scan specific regions of a POS terminal's memory, pinpointing customer card data ripe for theft. From there, the RAM scraper exfiltrates the data back to the botmaster running the attack.

"Even data encryption isn't completely effective against a RAM scraper infection."

As Security Intelligence explained, even data encryption required for retail industry compliance isn't completely effective against a RAM scraper infection. Although this type of protection measure is meant to scramble sensitive information like payment card details, there is still a very short window of time during a customer transaction when data is transmitted in plain text. As the POS pauses for payment authorization to finish the transaction, the RAM scraper seeks out and saves the unencrypted payment card information.

Increasing sophistication: Hackers cover their tracks

One of the more notable advancements in POS malware came after the large-scale attacks on Target and Home Depot. These incidents both came at the hands of the BlackPOS malware family, the initial version of which spurred the Target attack. BlackPOS version 2.0 was then created and utilized to infect and steal data from Home Depot, grabbing headlines across the globe due to the severity of data theft.

BlackPOS 2.0 included an added element that helped the attack succeed: a cloaking process that made the infection appear to be an antivirus product. After the original BlackPOS infection was created, its source code was leaked and hackers were able to enhance it. Version 2.0 enabled cybercriminals to more easily cover their tracks – after all, any suspicious activity would appear to be coming from antivirus software, a technique used to quell user concerns about attacks.

POS malware of the future: MajikPOS

Use of POS malware hasn't slowed in recent years. In fact, Trend Micro researchers recently discovered a new POS-specific malware being used in attacks against Canadian and American businesses in 2017. The sample, dubbed MajikPOS, takes a modular approach to attack, making it a new and unique malicious program in the evolution of POS malware.

This sample leverages a similarly named command and control panel that directs the malware's processes and exfiltration of stolen data. Once inside a target system, MajikPOS uses RAM scraping and a remote access Trojan (RAT) to access sensitive information.

Researchers also discovered online stores – known as "Magic Dump" shops – created specifically to house and sell the stolen details obtained by this malware sample. Here, hackers can put their maliciously obtained data up for sale, and other cybercriminals are able to purchase the 23,400 credit card tracks that hackers have stolen through mid-March 2017. Each individual track is priced from $9 to $39, depending upon the type of card details associated with it. Bulk packages are also available from $250 for 25 tracks, $400 for 50 and $700 for 100 payment card tracks.

Security researchers found that these shops have been popping up since February 2017 and are continually updated with newly stolen data taken from businesses in the U.S. and Canada.

Infections like MajikPOS are severe and are unfortunately becoming more common. Retailers depending on their POS solutions should safeguard these systems with endpoint application control or whitelisting, which help ensure that only authorized users can access the sensitive data stored and used by the point-of-sale systems. To find out more, contact Trend Micro today.
