The POS Malware Epidemic: The Most Dangerous Vulnerabilities and Malware
Point-of-sale (POS) malware is an information security ailment that, within less than seven years, reached colossal proportions and became more damaging to organizations than almost any other threat. Although this threat is less sophisticated than malware like banking Trojans, it can be hugely destructive for the following reasons:
- It directly affects many of a brand’s customers.
- It becomes public immediately after being discovered, usually by someone outside the victim organization.
- Its collateral damage involves customers, issuers, card associations and the victim’s own service providers (insurance, anyone?).
I would have collected some information about how much these card breaches cost the victim organizations, but after we all witnessed the Target breach — its detrimental financial results in both hard and soft costs, its damage to the brand and its executive team and the never-ending legal mess it is still struggling to resolve — I think we all get the point.
What Target, like many other retailers and card processors that suffered a POS malware attack, was a victim of is the work of cybercriminals and organized cyber gangs who went after card data from customer transactions. The end goal is to steal the data and then use the card information in fraudulent purchases.
POS malware is actually a generic name for a growing number of Trojan families designed to scrape point-of-sale terminals’ RAM. It looks for, grabs and exfiltrates credit and debit card data from the endpoints that process and store it.
The notion of stealing payment card and PIN data is not new. Criminals have always found card data to be highly lucrative and still use a number of real-world crimes to skim data from ATMs and card readers. They also try to compromise POS equipment installed at brick-and-mortar retailers so that the data is stolen and streamed to them. Some criminals have attempted sniffing data sent over Wi-Fi to back-of-the-house servers, but at the end of the day, all those physical crime scenarios demand deeper knowledge to tamper with the equipment and typically involve an insider.
You can easily infer that using POS malware is lucrative because it is considered a much safer and simpler way for cybercriminals to get their hands on large numbers of live payment cards without ever showing their faces on security cameras.
What Does POS Malware Do?
Interestingly enough, POS Trojans all essentially work in the same way. They are called RAM scrapers because they aim to scan certain parts of POS terminal memory, find card data in there and send it to their botmaster.
Once a card transaction goes through on the POS terminal side, the card’s data is almost instantly stored on the endpoints the retailer has in place. In most cases the data is encrypted, which is also a compliance requirement for merchants. But while encryption is supposed to fully protect the data, there is a split second in which it is still unencrypted, saved in process memory, as it waits for authorization to complete.
That split second is the tiny window of opportunity POS Trojans use to attack. They scan the RAM looking for card data and then scrape it from there, hence the name “RAM scrapers.”
On the technical level, POS RAM scrapers retrieve a list of running processes on the endpoint that handles the data, inspect each process’s memory and then look for card data to grab from it. How did they figure out that they should attack at the RAM level? Well, most application vendors do not encrypt data in memory and for years have considered RAM to be safe. But today, RAM scrapers are generally injected into running processes and can intercept sensitive data from memory in an instant.
The malware scrapes the track-one and track-two card data encoded into the magnetic stripe. This data is valuable because it includes the card holder’s name, primary card number and security code, as well as other information about charge types permitted and some user details. Once the Trojan has the data, it is configured to send it out at a predetermined time, intending to appear as inconspicuous as possible, or the criminals can exfiltrate it on demand. Past attacks have shown that the cybercriminals favor sending the data to an intermediate location first and then collecting it from there. This process is most likely part of their way to conceal themselves from a potential law enforcement investigation. This method was used in the Target breach, but it is also used by more recent POS malware operations, in some cases even sending the data to a number of places at the same time.
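Scheduled exfiltration to an intermediate host, as described above, leaves a trace that is easy to hunt for from the network side: a POS endpoint that should only ever talk to its payment gateway and back-office servers starts connecting to something else at regular intervals. The following is an added example, not code from the original article: it parses a connection log, ignores allowlisted destinations, and flags source/destination pairs whose inter-connection gaps are nearly constant (low coefficient of variation), reporting the volume sent. The log lines, host names, addresses and the allowlist are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log for a POS network segment (not from any real
# environment). Fields: UTC timestamp, source host, destination ip:port, bytes out.
SAMPLE_LOG = """\
2024-03-01T02:00:03Z pos-lane-04 10.9.0.20:443 1820
2024-03-01T02:00:05Z pos-lane-04 203.0.113.77:443 49231
2024-03-01T02:10:04Z pos-lane-04 10.9.0.20:443 1764
2024-03-01T03:00:06Z pos-lane-04 203.0.113.77:443 51020
2024-03-01T03:12:41Z pos-lane-04 10.9.0.20:443 1801
2024-03-01T04:00:04Z pos-lane-04 203.0.113.77:443 48877
2024-03-01T04:47:19Z pos-lane-04 10.9.0.20:443 1790
2024-03-01T05:00:05Z pos-lane-04 203.0.113.77:443 50342
2024-03-01T05:31:00Z pos-lane-07 10.9.0.20:443 1755
"""

# Destinations a POS lane is expected to reach (constructed: payment gateway).
ALLOWED_DESTS = {"10.9.0.20:443"}


def parse_log(text: str) -> list[tuple]:
    """Turn log lines into (datetime, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return events


def find_beacons(events, allowed, min_connections=3, max_cv=0.1) -> list[dict]:
    """Flag non-allowlisted (src, dst) pairs contacted at near-constant intervals.

    cv = stdev(gaps) / mean(gaps); a human-driven or event-driven connection
    pattern has a high cv, a timer-driven upload has a cv close to zero.
    """
    by_pair = defaultdict(list)
    for when, src, dst, nbytes in events:
        if dst in allowed:
            continue
        by_pair[(src, dst)].append((when, nbytes))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": avg,
                "cv": cv,
                "bytes_out": sum(n for _, n in conns),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG), ALLOWED_DESTS):
        print(f)
```

On the constructed log the gateway traffic is skipped by the allowlist, the single connection from pos-lane-07 is below the minimum count, and the hourly uploads from pos-lane-04 to 203.0.113.77 are flagged with roughly 200 KB sent, which is the kind of finding that justifies pulling a memory snapshot from that lane.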
Sitting stealthily on POS terminals or the servers that store the transaction data, these Trojans can amass large numbers of cards and transmit them onward to the attackers and, unless detected, cause more damage with every passing hour.