Threat Detection
Telefónica
Trend Report
Point Of Sale (POS) Malware
19/05/2015


Threat Detection | Trend Report | 19/05/2015


Main Findings

Point-of-sale (POS) systems are one of the most critical components in any retail industry, remaining the main entry point of consumer data into merchants’ information environment. POS malware targets the weak link in PCI-DSS, utilising ‘RAM scraping’ techniques to parse memory processes on POS terminals before card data is encrypted. A mature cybercrime model responsible for the majority of confirmed data breaches, its intrusion methods, such as phishing and social engineering, are often targeted but nothing new. Exfiltration of data, however, can be complex and is often based on detailed network knowledge.

Compiled breach statistics are by definition a trailing indicator of criminal activity, and focusing too much on headline-grabbing mega-breaches belies the fact that, from a frequency perspective, small and medium-sized enterprises are most affected. However, a lack of awareness of a breach, and the limits on subsequent disclosure, present a significant problem for all organisations. The average time between breach and detection appears to be narrowing, but the number of detections in Q1 2015 outstripping the previous two years is also a narrative of soaring propagation rates.

Industries with very high card transaction volumes, such as retail, accommodation and entertainment, are most at risk from the targeted approach often used during a POS malware campaign. The size of the U.S. economy, combined with the late adoption of EMV ‘Chip and PIN’ technology, makes it a target-rich environment for POS malware, and it will almost certainly remain the most targeted during 2015. Technical analysis reveals heavy development occurring across a few key codebase variants, with some strains adopting nation-state level complexity and others stripping back and removing unnecessary overhead. Operating in a POS data environment set to remain largely Windows XP based for several years, POS malware offers a readily available, proven codebase currently unthreatened by obsolescence.

Drivers behind innovation in POS systems are improving the consumer experience, harnessing the cost and maintenance benefits of cloud-hosted services, and improving efficiency through integration with other business applications. In many cases the security and segregation of POS systems are simply overlooked. The October deadline for U.S. EMV implementation, possibly preceded by a volumetric surge in attacks, will likely only lessen the risk for large organisations, and even then, data remains that enables fraudulent e-commerce transactions.

While the manner of fraud perpetrated will adapt to the technical environment, in the criminal marketplace any personally identifiable information is a valuable commodity, both in itself and as part of a subsequent data theft campaign to build a more comprehensive identity portfolio. While it is possible that large companies may be able to limit the risk of protracted ‘mega-breaches’, the upward trajectory of POS malware in 2015 shows no signs of slowing.


Contents

Main Findings
Contents
Introduction
Threat Landscape
Key Features & Anatomy of an Attack
Evolution of POS Malware
Future
Mitigation Measures
Annex A – POS Malware Variants


Introduction

Inception of POS malware

Many early data breaches employed network-sniffing malware capable of capturing unencrypted card data while in transit. Key components of the subsequent reaction to these early breaches were the establishment of the Payment Card Industry Data Security Standard (PCI-DSS) and the limited adoption of EMV (‘Chip and PIN’) technology, both intended to protect cardholder data by helping businesses process payments securely and reduce card fraud. These measures led attackers to target the point where the card data entered the system: the point of sale (POS) terminal. A POS device is an in-store system where customers conduct transactions with merchants, often swiping a payment card through a reader, commonly as part of a larger sales system. A far from exhaustive timeline illustrating some of the headline-making data breaches caused by POS malware is shown in Figure 1.

Figure 1. Illustration of POS Malware breach headlines 2002 - 2015.

Security controls now commonly result in end-to-end encryption of card data when it is transmitted, received or stored, although when the data is first read from the card it can be found within the RAM of the POS device in unencrypted form. Unlike a keylogger, this provides all the card information and, despite a warning made by Visa in 2008, became an attractive vector for cyber criminals, who began quietly honing techniques and paving the way for continued mega-breaches, particularly in the US.


Monetising credit card information

Basic credit card data comes in several forms, known as Track 1 and Track 2. Track 1 data is information associated with the actual account and includes the cardholder’s name and the account number, with the credit card number and expiration date located on Track 2. There are a number of different methods that criminals can employ to commit fraud with this level of stolen data, such as encoding the data onto fake cards or conducting transactions that do not require the physical card, such as online transactions. Factors such as the type of card, or whether supplementary personal information is supplied, ratchet up the value of stolen credit card data to fraudsters. The increasingly easy monetisation of stolen credit card data in recent years via online marketplaces such as Rescator.cm, offering a user-friendly interface and even refunds on card numbers that do not work, has cemented this as a lucrative criminal enterprise.

Figure 2. Rescator.cm Website.

Threat landscape

POS malware currently accounts for a very low percentage of overall security incidents reported; Verizon’s 2015 breach report placed this figure at a lowly 0.7%. However, when focusing on confirmed data breaches, POS intrusion was the most common cause, responsible for 28.5% of all breaches reported by the report’s respondents. Previous analysis has discovered that the vast majority of data breaches are successful within seconds to minutes, yet 85% of intrusions targeting POS systems take weeks to discover, and 99% of POS breaches are discovered by an external source, usually law enforcement. In the interest of non-disclosure the samples discovered are rarely widely circulated, hindering security researchers and, subsequently, the ability of organisations to defend themselves.


Figure 3. Frequency of incident classification patterns with confirmed data breaches.

Although payment card data might be the most obvious target for cyber criminals, and accounted for the greatest year-on-year increase of stolen information types during 2013-2014, the more comprehensive a stolen identity profile is, the more value it has on underground markets. ‘Fullz’ profiles, bolstered by email addresses, government ID card data and date of birth, for example, can facilitate more complex fraud.

Figure 4. Types of information exposed.

While it has often been the large retailers who have garnered the most media attention, POS intrusions account for a rapidly growing proportion of the overall incidents across the accommodation, entertainment and healthcare industries. Nor is it just a concern for large enterprises; POS malware targeting small retailers has been a criminal cash cow going back as far as 2002. The low-risk, opportunistic attacks offering a steady stream of card details, albeit at a low volume, are often eclipsed by the large breaches, which often require a more advanced multi-phased approach.

As many businesses outsource their POS solutions, by compromising a POS vendor attackers are often able to take advantage of poorly secured remote administration tools and breach a multitude of different businesses. The pattern of such attacks, often affecting small businesses which lack the layers of security controls emplaced at larger enterprises, can be difficult to identify, even for complex fraud analytics, due to the indirect relationships with the issuing banks. So while a single large data breach may net a huge volume of card details, only a fraction of these can actually be sold, so a smaller overall but distributed breach could actually be more efficient. Notably it is rarely the POS vendor’s name that makes the news; responsibility follows the data, with the blame remaining firmly with the organisation that collected it. Adapting to changes in the marketplace, criminal attack methods are becoming more varied, and although not as newsworthy, this poses as much of a risk to small enterprises.

Figure 5. POS intrusions as an increasing percentage of overall data breaches per industry 2013-2014.

In terms of the geographic spread of POS malware, the U.S. is the most targeted country, which given the size and consumer habits of the economy may be unsurprising. The fact that EMV technology has not been implemented in a marketplace where the use of credit cards is commonplace also makes it an attractive target for international cyber criminals. Information security industry survey respondents are usually heavily drawn from U.S.-based companies, and the fact that certain countries are more likely to disclose, or even be aware of, data breaches should be taken into account when comparing international spread. Despite this, and also that some malware variants are focused against a specific region, the overall geographic spread illustrated in Figure 6, which represents a snapshot of Q4 2014, can be viewed as a good approximation of the trend.

Figure 6. Geographic spread of discovered ‘RAM scraping’ POS Malware.

Key features & anatomy of an attack

The way POS malware operates can be viewed in three areas: general characteristics, data-collection method, and data-exfiltration method.

General Characteristics

This describes functionality seen in malware regardless of purpose, such as code injection, self-updating, socially engineered file names as camouflage, or features inherited by variants that have evolved from other types of malware. The FighterPOS variant discovered in April 2015, for example, retains botnet-like capability for conducting both layer 4 and layer 7 DDoS attacks, flexibility that is a valuable selling point in underground marketplaces.

Data-collection method

This incorporates the process from discovery of data, via custom searching and blacklisting of processes, through direct collection by RAM scraping and keylogging, to the way that the data is validated and encrypted prior to exfiltration.

Data-exfiltration method

During the evolution of RAM scraping POS malware, HTTP POST requests have historically been the preferred method of exfiltration, as they are not saved or cached and do not have size restrictions. However, recently discovered variants have been found to utilise a much wider range of techniques.

These techniques can only be effective when POS malware has penetrated the cardholder data environment (CDE) and, while PCI-DSS recommends this be segregated from other internal and external networks, it is not mandated due to the impracticality of implementing it. Small enterprises may even have a POS system that directly connects to the internet. However, most retailers processing large volumes of card data will segment the POS network from the external network appropriately, meaning an attack on a POS system will be a multi-phase process traversing the corporate network or even the supply chain.

Infiltration

Methods of infection of POS malware are therefore the same as those available to any other threat agent: social engineering, physical access, SQL injection, or phishing, such as the email to a POS vendor shown in Figure 7, assessed to be connected to the PoSeidon malware variant. Highly targeted emails with malicious attachments or embedded links are particularly effective against smaller businesses without corporate security policies, and this also limits the potential exposure of the malware to security researchers.

Figure 7. PoSeidon Logo & a phishing email campaign used to target POS vendors.

Lateral movement

Because the POS system needs to be accessible for updates and maintenance, and to have connectivity to external servers and payment processors in order to function, data pathways must exist within the internal network. Access can be gained to the CDE by escalating privileges through a variety of methods, such as utilising Trojan keylogger functionality or brute-forcing passwords.


Persistence and obfuscation

Researchers examining POS malware compilation times have found indications that the malware has on many occasions been inside the network for months before discovery. The manner in which this is achieved varies from utilising small binaries, limited functionality and hiding in plain sight, to harnessing modular design, encryption and kill-switch functionality.

Information stealing

As network sniffing is now often rendered obsolete by P2PE, all the variants analysed in this report used ‘RAM scraping’ functionality, parsing memory processes for card data strings. Nearly all of the variants also perform immediate validation on the data, usually with the Luhn algorithm, before preparing the data for exfiltration.

Figure 8. ‘Backoff’ Malware memory scraping code.
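The same Track 1/Track 2 patterns and Luhn validation are what a defender needs when triaging a suspected scraper dump file (the dump files BlackPOS, FrameworkPOS and Mozart write to disk, as Annex A describes) or a base64 blob found in a temporary file. The Python below is an added example written for this report's readers; it is not code from the report or from any malware sample. It searches a constructed sample dump for Track 1 and Track 2 records, keeps only Luhn-valid account numbers, decodes any base64-looking runs and rescans them, and reports masked PANs only. The sample text, the regular expressions and the base64 heuristic are assumptions chosen for the example; 4111111111111111 and 5555555555554444 are standard test numbers, not real accounts.

```python
import base64
import re

# Constructed sample of what a scraper dump file might contain (not real data):
# one Track 1 record, one Track 2 record, one Luhn-invalid decoy, and one
# base64-encoded Track 2 record of the kind Mozart or PoSeidon would write.
# 4111111111111111 and 5555555555554444 are standard test numbers.
SAMPLE_DUMP = (
    "log noise %B4111111111111111^DOE/JOHN^25121011000000000000? more noise\n"
    ";4111111111111111=25121011000000000000?\n"
    ";4111111111111112=25121011000000000000?\n"
    + base64.b64encode(b";5555555555554444=2512101?").decode("ascii") + "\n"
)

# Assumed patterns: Track 1 is %B<PAN>^<NAME>^<YYMM...>, Track 2 is ;<PAN>=<YYMM...>
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
# Assumed heuristic for "looks like base64": a run of 16+ alphabet characters.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, the validation most variants apply before exfiltration."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN and last four digits so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str):
    """Return (kind, masked PAN, expiry YYMM) for every Luhn-valid track record."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan, _name, exp = m.groups()
        if luhn_valid(pan):
            hits.append(("track1", mask(pan), exp))
    for m in TRACK2_RE.finditer(text):
        pan, exp = m.groups()
        if luhn_valid(pan):
            hits.append(("track2", mask(pan), exp))
    return hits


def scan_dump(text: str):
    """Scan the raw text, then every decodable base64-looking run, for track data."""
    hits = find_track_data(text)
    for m in BASE64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii", "ignore")
        except ValueError:      # not base64 after all (binascii.Error subclasses ValueError)
            continue
        for kind, pan, exp in find_track_data(decoded):
            hits.append(("base64/" + kind, pan, exp))
    return hits


if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP):
        print(hit)
```

The Luhn check drops the decoy record, and the base64 pass surfaces the encoded record that a plain string search would miss; a real dump scanner would add the 19-digit and separator variants it expects from the terminal's card reader.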

Exfiltration

Methods to extract the stolen data can also vary greatly between variants. Some simply use a hardcoded path to a location in the internal network to store the data for later extraction, while others utilise externally connecting protocols such as SMTP or DNS requests. The LogPOS and Chewbacca variants have adapted techniques used by APT groups, using IPC mailslots and anonymising networks respectively, to exfiltrate cardholders’ data over HTTP. An individual breakdown of the key malware variants can be found in Annex A.


Malware infection via the network has become the most frequent attack vector, although it is also possible at the device level. This can be perpetrated by anyone with physical access to the device, such as an employee, or even before deployment, during the supply chain, as previously observed with smartphones for example.

Evolution of POS Malware

The wide availability and relatively cheap price of POS malware source code ensures that newly discovered strains often bear a close resemblance to a previous malware variant. Particularly since the source code of BlackPOS was leaked, the last several years have seen a notable increase in POS malware propagation. The constant stream of new malware families discovered in the first quarter of 2015 has amplified this upward trajectory. As indicated in Figure 9, when a new variant is released it can result in significant propagation peaks.

Figure 9. Evolution of POS malware variants and ‘Backoff’ POS Malware propagation patterns Q1 2015.


POS malware can be bought as an off-the-shelf exploit kit, easily modifiable and re-deployable with little programming skill. Equally, skilled malware authors have tailored the functionality to operate in specific network environments, utilising complex botnet-like capabilities. Conversely, some authors have removed all unnecessary overhead, keeping the focus tight and the codebase small enough to often fly under the radar.

POS malware analysis is largely hindered by legislative barriers surrounding law enforcement investigations, and new samples are often not freely distributed. The withholding of some technical details can also convolute any analysis and has the potential to distort any attribution. Despite press reporting claiming the Russian state was behind large data breaches in the U.S. in order to destabilise the economy, POS malware can often be directly attributed to criminal groups acting for financial gain, albeit, as the examined code would suggest, often authored by Russian-speaking individuals.

Future

POS malware adapts to the nature of the payment systems within which it must operate, so future technology trends and innovation must be considered in order to predict the changing threat landscape.

Payment Innovation

While most developed countries have moved to implement EMV technology in the past decade, the US has notably been a late adopter due to the complexity of rolling out new technology on the scale of its payment infrastructure. The implementation roadmap has a deadline of October 2015 for merchants; however, this is only the date when the card issuer ceases to be liable for non-compliant POS systems. The initial implementation will also allow ‘Chip and Signature’ instead of a PIN.

EMV technology only protects against physically stolen cards and card counterfeiting, however, and while its implementation in the UK reduced in-store card fraud by 75% in 8 years, fraudsters merely changed attack vector, conducting transactions that do not require the physical card. As a result of increasing e-commerce transaction volumes, card-not-present fraud is in fact predicted to rise with or without the implementation of EMV. Advanced fraud analytics can also assist, and had an impact after implementation in the UK during 2008, but this can only help in mitigating losses once a breach has already occurred. In cases where POS vendors have been breached, the lack of a common point of purchase hinders such analytics even further.


Figure 10. Figures in millions (£) of UK credit card fraud and countermeasure implementation date.

While retailers adopting EMV will reap the benefits of reduced fraud risks, its implementation is not a silver bullet to eliminate POS malware or lessen the impact of the large US data breaches. Criminals have already developed a variant of a ‘replay’ attack targeting banks that are in the process of upgrading their payment networks to handle EMV transactions, leveraging the change process as a temporary vulnerability. Additionally, the October deadline will be well known in criminal circles and a surge in POS malware is possible as malware authors rush to release new variants; however, further development after this date will continue to provide returns for criminal organisations.

Mobile payments & POS System Development

Innovation in retail technology is now allowing enterprises to re-imagine the physical layout of a store, changing the manner in which employees and customers interact and pay for goods and services. The rise of digital marketing and e-commerce has also driven the building of digital identity at the point of sale, and additional data such as email addresses and phone numbers are now frequently collected in this manner. Web-based mobile POS (mPOS) technology deployed on internet-enabled devices can remove the requirement for large sales counters and is affordable for even small retailers. A card reader attached via Bluetooth or an audio jack facilitates the transaction, and as most mPOS devices use Android or iOS operating systems, this could initially limit risk exposure, as most current POS malware is not written for these platforms. However, POS malware authors have demonstrated intent and capability to target individual businesses, and in driving POS transactions to be as swift and enjoyable as possible, there is a risk that the security of new features may be overlooked.


Figure 11. mPOS and mobile payment devices.

Likewise, the uptake of Near Field Communication (NFC) and digital wallet technology using tokenisation and virtual credit cards opens up various new vulnerabilities of their own, but importantly does protect the credit card data. This will not hinder POS malware from operating, but it potentially makes the data available through RAM scraping far less valuable, as the authentication takes place on the device, not the POS terminal, and no card details are transferred. It is also possible for merchants to employ secure POS devices capable of enabling Point-to-Point Encryption (P2PE) immediately from the initial card swipe, which therefore denies POS malware the ability to scrape any unencrypted data. However, as banks generally charge a per-transaction fee for this service, it is often not viable for small retailers, and widespread uptake of any changes at POS will not occur in the short term.

Operating System Upgrades

Despite the launch of the Windows 8 variant ‘Windows Embedded POSReady 8’ in 2013, many POS systems still run POS variants of Windows XP. Unlike desktop support for Windows XP, support for Embedded Windows XP for POS continues until 2016, and it will likely be in widespread use for long after this date, particularly in small businesses. Existing malware will therefore be able to be repurposed for POS targets for some time to come, lowering the barrier to entry for malware authors. The more advanced variants of POS malware have already been observed on current versions of Windows, and it is likely this source code will be widely available to criminals before most POS systems upgrade to a more advanced OS.

PCI-DSS

As the research has demonstrated, even a PCI-DSS compliant organisation can be vulnerable to POS malware. Therefore, while the standard is useful for implementing layered security, it must be viewed from a risk standpoint as opposed to merely a compliance level to achieve, and additional out-of-band security controls should also be considered. Additionally, much of the guidance on controls protecting cardholder data has only been considered best practice, and measures such as protecting POS systems from physical tampering only become mandatory on 30th June 2015.

Mitigation Measures

Control measures exist that prevent POS malware from stealing payment card data, although they will not be suitable for organisations of all sizes and business verticals. While the malware has evolved, the methods used to penetrate the network are largely similar. Exfiltration methods, however, are often based on detailed knowledge of the network, so organisations need to be especially vigilant, assuming the network has already been penetrated.

Basic security hygiene and awareness of the threat landscape

Basic training regarding phishing, password policy and remote access, for example, would keep employees alert to threats. Simple network hardening through patching, privilege management, monitoring for changes to Registry keys, and application control will likewise prevent many threats. Keeping up to date with all the latest threat vectors, signatures and exfiltration methods will enable optimal configuration of POS and network controls.

Supply chain and POS vendor selection

If POS services are to be outsourced, the chosen vendor should be contractually bound to implement appropriate security measures; many data breaches have been conducted by attackers using default passwords on vendors’ remote access tools. Anticipation of a breach scenario will assist in the creation of contractual areas such as responsibility, escalation and liability limitations.

Segmented networks and monitoring

While external communication is a functional necessity for POS systems to transmit data and update software, the cardholder data environment should be segregated as much as possible. It is also good practice to assume a breach has already occurred and scrutinise outgoing traffic as much as inbound. Variants only becoming active in business hours, exfiltrating data via DNS or mailslots, or hiding in plain sight within normal network traffic mean that, to be protected, organisations must remain vigilant.
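As an added example of the outgoing-traffic scrutiny recommended here, covering the exfiltration channels named in the Exfiltration section (HTTP POST, SMTP and DNS), the Python below applies a few simple rules to a constructed egress log for a cardholder-data segment. It is not part of the report. The rules flag destinations outside an assumed allow-list, SMTP from a POS host, large HTTP POST bodies, long or high-entropy DNS labels, and activity outside the store's business hours. The log format, host addresses, allow-list, thresholds and business hours are all assumptions chosen for the example.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed egress log for a POS segment (not real traffic). One record per
# line: ISO timestamp, protocol, then key=value fields.
SAMPLE_LOG = """\
2015-05-19T10:14:02 dns src=10.20.1.15 qname=gateway.payments.example
2015-05-19T10:14:03 http src=10.20.1.15 dst=198.51.100.10 dport=443 method=POST bytes=612
2015-05-19T10:14:05 dns src=10.20.1.15 qname=NDExMTExMTExMTExMTExMTEyNTEy.c2.attacker-example.net
2015-05-19T10:14:07 smtp src=10.20.1.15 dst=203.0.113.8 dport=465
2015-05-19T10:15:00 http src=10.20.1.16 dst=203.0.113.9 dport=80 method=POST bytes=48211
2015-05-19T02:30:00 http src=10.20.1.16 dst=198.51.100.10 dport=443 method=POST bytes=500
"""

# Assumed allow-list: the only places a POS terminal should ever talk to.
ALLOWED_DST = {"198.51.100.10"}          # payment gateway address (constructed)
ALLOWED_DOMAINS = {"payments.example"}   # payment gateway domain (constructed)
BUSINESS_HOURS = range(9, 18)            # 0900-1800, the window Mozart mimics
LARGE_POST_BYTES = 10000                 # assumed threshold for a POST body
LONG_LABEL = 24                          # assumed length for an encoded DNS label
HIGH_ENTROPY = 4.0                       # assumed bits/char for an encoded DNS label


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, proto, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "proto": proto}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def entropy(s):
    """Shannon entropy in bits per character; encoded data scores high."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def dns_reasons(qname):
    """Flag lookups outside the allow-list and labels that look like encoded data."""
    reasons = []
    labels = qname.rstrip(".").split(".")
    if ".".join(labels[-2:]) not in ALLOWED_DOMAINS:
        reasons.append("dns:unexpected-domain")
    for label in labels[:-2]:
        if len(label) >= LONG_LABEL or entropy(label) > HIGH_ENTROPY:
            reasons.append("dns:encoded-label")
            break
    return reasons


def classify(rec):
    """Return the list of rule names a record trips (empty if it looks normal)."""
    reasons = []
    if rec["proto"] == "dns":
        reasons += dns_reasons(rec["qname"])
    else:
        if rec["dst"] not in ALLOWED_DST:
            reasons.append("egress:unexpected-destination")
        if rec["proto"] == "smtp":          # a terminal has no reason to send mail
            reasons.append("egress:smtp-from-pos")
        if (rec["proto"] == "http" and rec.get("method") == "POST"
                and int(rec.get("bytes", "0")) > LARGE_POST_BYTES):
            reasons.append("egress:large-post")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("egress:outside-business-hours")
    return reasons


def scan_log(text):
    """Return (src, proto, reasons) for every record that trips at least one rule."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["src"], rec["proto"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The allow-list rules carry most of the weight: a variant that only runs during office hours and posts over HTTP to port 80 defeats the time-of-day and SMTP rules by design, but it still has to reach a host the terminal has no business contacting.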

Point-to-point encryption

Removes the opportunity for RAM scraping malware to obtain track data by encrypting from the initial swipe, if implementation is viable.


Two-factor authentication

Restrict the number of users able to access the CDE, and implement two-factor authentication at all entry points.

Mobile payment methods

Although not yet in wide use, payment systems such as Apple Pay and Google Wallet never actually reveal the consumer’s card details to the merchant over the POS system, instead using tokenisation or a virtual card system.

Fraud Analytics

Banks have developed algorithms to model normal card usage per customer and are therefore subsequently capable of identifying anomalous, possibly fraudulent behaviour after it has occurred.


ANNEX A – POS MALWARE VARIANTS

BlackPOS

Media coverage of the Target data breach highlighted the use of the malware BlackPOS. Developed by 17-year-old Russian hacker Sergey Taraspov in 2010, variants were sold on underground forums for as little as $2000 after the source code was leaked online. The malware had been part of a wide-ranging criminal operation that from the Target data alone was expected to generate $53.7 million.

BlackPOS variants search the process memory using several methods, either custom searching for identifier bytes followed by the correct number of digits, or applying the search to a given number of bytes at a time. Excess data can be collected using this method, as the results are written to a file on disk and the validation is designed to take place offline after exfiltration. The data can be exfiltrated by various methods, and email and FTP have both been observed. The design can be adapted to steal a wide range of data, such as supplementary personally identifiable information, and the utility it affords, combined with its notoriety, will likely see further uptake and evolution in the hands of cyber criminals.

LogPOS

While using the common RAM scraping module, the LogPOS variant of malware discovered in January 2015 was found to have adapted a communication technique previously used by APT groups. By utilising the IPC mailslot mechanism, the main executable acts as a server, while code injected into multiple running processes acts as a client and writes the card numbers found to the mailslot. The executable compares running processes to a whitelist and, if not present, injects shellcode; this parses for Track information and validates using the Luhn algorithm before the data is sent out by the mailslot over HTTP. By using a mailslot in this manner it avoids detection of stored credit card data strings in a file before they have been sent to a remote site.

FrameworkPOS

A variant of FrameworkPOS was responsible for the data breach at US retailer Home Depot, compromising the details of 56 million credit and debit cards. Believed to have been created to mimic some of the features of BlackPOS, it first achieves persistence through installation of a Windows service, then, after checking the scanned process is not present on an exclusion list, will search the process memory. After writing discovered card data to a dump file, it is pushed to a Samba share on the local network. Like BlackPOS, FrameworkPOS seems to be off-the-shelf malware that attackers can tailor for specific target sets that they have a good understanding of.


PwnPOS

Although only discovered by researchers in March 2015, the PwnPOS malware family is thought to have been active in the wild for several years, and has since been noted in small and medium-sized businesses worldwide. By employing a simple construction of a RAM scraper binary and a second binary for data exfiltration, the malware has gone unnoticed. Data is exfiltrated using SMTP, and differences in the binary are thought to suggest multiple authors. Persistence is achieved by including parameters which can remove the malware from the services applet, a common place for anti-malware tools to enumerate malicious entries. The file remains dormant in the %SYSTEM$ directory until activated, and although effective, using this location does not future-proof the malware beyond versions of Windows XP. The RAM scraping function searches for strings of Track data and then conducts validation using the Luhn algorithm, before the exfiltration binary creates a Zip file and sends it to a pre-defined email address with SSL and authentication, before finally cleaning up the files used.

Mozart

Reported as the malware family used in the Home Depot data breach, as with many other variants it is thought to have been around for some time before it was discovered. It sets itself up as a service for persistence and creates a temporary file to store data after it has been located by the RAM scraper. Before they are stored, a function parses Track 1 and 2 data and then uses Luhn for validation before encoding the card numbers in base64. The data stored in the temporary file is then appended to a file with a hardcoded path, in order for the criminal to retrieve the data from multiple POS machines from one location. Mozart lurks in plain sight; becoming active only during 0900-1800 office hours and using file names that appear legitimate were the only means of evasion necessary during the theft of 56 million credit card accounts.

PoSeidon

Discovered in the wild by Cisco in March 2015, PoSeidon combines some Trojan capabilities with the commonly used RAM scraping and exfiltration techniques. It operates by first establishing persistence, which remains possible on post-XP versions of Windows, then contacts a C&C server to retrieve a URL from which to download a keylogger and RAM scraper binary. It then uses the common method of cycling through all running processes not on a whitelist, following up with Luhn validation and base64 encoding, before sending out the data over HTTP, commonly to servers located in Russia.

Chewbacca

Found to have infected POS terminals in US retailers in early 2014, Chewbacca also incorporates keylogger functionality in a relatively simple package with little in the way of defence mechanisms. After parsing memory it stores the card data in a file called system.log. The communication with the C&C server is handled through the TOR network, sending out the data over HTTP, with a server-side control panel enabling the controller to manage the botnet and review the stolen card data.

FighterPOS

This POS malware, discovered in April 2015, is the result of a one-man criminal operation, supposedly a Chilean named ‘AlenjandoV’, and is responsible for stealing more than 22,000 card records from Brazil, Canada and the U.S. in just one month. Its author has developed features from the VnLoader botnet malware to enable features that can control infected POS terminals and conduct DDoS attacks, while the RAM scraping component is thought to have been developed from the NewPOSThings malware. The finished product retails for around £3,500 (€5,000). Although written in the outdated Microsoft Visual Basic 6, it is still observed to function on fully patched systems. It communicates with a C&C server through HTTP, checking running processes against a list before redirecting the scraped data to a .txt file, encrypting it with the Rijndael algorithm before sending it back to the C&C server.