Point of Sale (POS) Malware: Easy to Spot, Hard to Stop

Darian Lewis
Sr. Threat Researcher
Managed Security Services
SYMANTEC
Contents

Introduction
Evolving POS Malware
Common POS Malware
  Alina
  BlackPOS
  VSkimmer
Breaching the Perimeter
Mitigation and Best Practices
Detection
References
Introduction
Most organizations worry that they will be the next company on the evening news as the "worst data breach ever." The real question is not whether you will be breached, but when, and whether you will know it happened before you read about it in the press along with your customers.
The cost of a breach is far more than the lost revenue that has to be recovered; the real loss is in customer trust and loyalty.
Mistakes made by people and systems are the main causes of data breaches. Together, human errors and system problems account for 64 percent of data breaches.[1]
This whitepaper takes an in-depth look at:
• The evolution of Point-of-Sale (POS) malware
• How attackers breach the organization
• What should be done to mitigate breach losses
• How to proactively detect POS malware
Evolving POS Malware
Although the first POS malware families are still in use and still effective, new POS malware continues to be written, and the oldest families keep receiving evasion updates.
A POS compromise normally begins when a Trojan or downloader gets onto a system inside the organization. That is not a tall order, given the number of new infections of Gameover Zeus, a peer-to-peer variant of the Zeus malware that has been around since 2007.
All it takes is an email with a poisoned attachment, a link to a drive-by download, a watering hole attack on a popular news site, or poisoned ads in a widely used, trusted ad network. Any network that can come into contact with the POS terminal network is a perfect entry point for delivering POS malware.
Gameover Zeus, Bugat or Citadel is used to take over accounts and to deliver keyloggers and other malware that capture even the best passwords, allowing attackers to move laterally across the network. Lateral movement, compromising hosts along the way, lets the attackers reach their end goal: access to the POS terminals. The POS malware then does what it was designed to do: capture the track data from the magnetic stripe of credit and debit cards.
With the payment system encrypted nearly end to end, one may ask how criminals obtain the track data at all. They take it at its weakest point in the system: the moment it sits unencrypted in the memory of the POS process, after the card is swiped and before the payment application re-encrypts it and sends it to the local transaction server or payment processor. Scraping that magnetic stripe track data from memory is "the first step in the identity theft chain." The chain then continues with money drained from accounts, stolen card data sold online, and counterfeit cards, produced with inexpensive hardware bought online, encoded with the stolen data.
Common POS Malware
The common goal of most POS malware is to locate, extract and exfiltrate stolen credit card data as quickly and covertly as possible. While some design details separate one variant from another, most of it can be identified easily. To illustrate the scope of the problem, below is a representative list of known POS malware families and the AV signatures under which Symantec Antivirus detects them:
• Alina (Infostealer.Alina) – Process memory dumper that looks for credit card data. Uses plain HTTP for data exfiltration and command and control (C2).
• Backoff (Trojan.Backoff) – Memory scraper and keylogger designed to extract credit card data. C2 via HTTP POST; exfiltration via encrypted HTTP POST.
• BlackPOS (Infostealer.Reedum) – Credit-card-seeking memory scraper. Exfiltrates stolen data via FTP.
• BrutPOS (Trojan.Bruterdep) – Brute-forces RDP to gain access to systems holding credit card data. C2 via HTTP POST; exfiltration of stolen data via FTP.
• ChewBacca (Infostealer.Frysna) – Keylogger and memory scraper seeking credit card numbers. Uses The Onion Router (Tor) for C2. Also known as FYSNA.
• Decebal (Infostealer.Decebal) – Memory scraper looking for credit card data. C2 via HTTP POST; basic encoding of stolen data and upload via HTTP.
• Dexter (Infostealer.Dexter) – Memory dumper targeting specific POS software, seeking credit card data. Exfiltration and C2 via HTTP.
• GetMyPass (Infostealer.Getmypos) – Process dumper seeking credit card data. No exfiltration or C2 functionality; requires previously established control of the infected system.
• JackPOS (Infostealer.Jackpos) – Memory scraper seeking credit card numbers. Exfiltration via Base64-encoded HTTP POST and simple C2.
• LusyPOS (often detected as Infostealer.Dexter) – Credit card memory scraper. Uses Tor for C2 and exfiltration.
• NewPoSThings (vendor write-up) – Memory scraper for credit card data that also locates VNC passwords. Encrypted exfiltration and C2 via HTTP POST.
• RawPOS (Infostealer.Rawpos) – Memory scraper for credit card numbers in system processes.
• Rdasrv (Infostealer.Posscrape) – Harvests credit card data from memory. Relies on existing remote access for exfiltration.
• Soraya (vendor write-up) – Memory scraper and HTTP form grabber seeking credit card data. Checks in with a hardcoded C2 server and exfiltrates every 5 minutes.
• vSkimmer (Infostealer.Vskim) – Memory scraper looking for credit card numbers. Exfiltration and C2 via HTTP or USB.
Figure: Malware discovery timeline, 2009–2015. Symantec tracks known threats as they evolve and appear, while also identifying and nullifying the increasing proliferation of new threats. Dates are given as month.day.year as in the chart; "Observed" and "AV Detection" are the chart's own labels. Where the AV Detection date precedes the Observed date, an existing signature already covered the family (LusyPOS, for instance, carries the Infostealer.Dexter date).

Family               Observed     AV Detection
RawPOS               2.10.13      2.18.14
Rdasrv               -            6.6.14
BrutPOS              3.1.14       3.12.14
BlackPOS v2          8.29.14      12.19.13
JackPOS              2.1.14       2.8.14
Backoff              3.20.14      7.31.14
LusyPOS              12.1.14      12.12.12
GetMyPass            11.26.14     11.27.14
Soraya               6.1.14       6.4.14
Alina (Kaptoxa)      -            2.10.13
Dexter               12.11.13     12.12.12
vSkimmer             3.21.13      1.26.13
Decebal              1.3.14       9.11.14
NewPoSThings         9.4.14       -
BlackPOS (Kaptoxa)   -            3.29.13
ChewBacca            10.1.13      12.18.13
Alina
Dozens of variants of Alina have been seen in the wild. Alina is an older family, developed in early 2012, but it still shows signs of active development. It contacts its C2 immediately after installation, and can be detected by looking for a missing parenthesis in its HTTP User-Agent string, a minor but noticeable pattern. The C2 also answers with an HTTP status code of "666" where a normal server would return "200". This status code is user-editable in the malware configuration, though, and may produce false positives if used as the only indicator. The good news: few of the criminals who buy this malware bother to change it.
Like many of the families discussed in more detail in this whitepaper, Alina searches running processes for Track 1 and Track 2 data, then uses HTTP to exfiltrate the stolen data and to fetch updates to itself. Several of the C2 servers it communicates with are shared with the JackPOS malware, linking the two in a way not yet fully understood.
Researchers have reported a number of references to an active bitcoin wallet address.[2] The wallet address has been active since August 2013, although it does not appear to have seen much use during the lifetime of this malware.
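The two Alina network indicators above (a User-Agent with an unclosed parenthesis, and a server status of 666 where 200 is expected) are easy to turn into a proxy-log check. The following is an added example, not code from the paper or from Symantec; the log format, hosts, URLs and timestamps are constructed for the example, and the confidence levels are this example's own scheme for treating the status code as weak evidence on its own, as the text advises.

```python
import re
from dataclasses import dataclass

# Constructed sample of outbound HTTP requests as a web proxy might log them:
# timestamp, client, method, URL, HTTP status returned by the server, User-Agent.
# Hosts, paths and timestamps are made up; the indicators are the ones the text describes.
SAMPLE_LOG = """\
2015-03-02T10:14:01Z 10.20.1.15 POST http://198.51.100.7/forum/viewtopic.php 666 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
2015-03-02T10:14:05Z 10.20.1.15 POST http://198.51.100.7/forum/viewtopic.php 666 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
2015-03-02T10:15:44Z 10.20.1.22 GET http://updates.example.com/catalog.xml 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/35.0"
2015-03-02T10:16:10Z 10.20.1.31 GET http://intranet.example.com/index.html 666 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
2015-03-02T10:17:02Z 10.20.1.40 POST http://203.0.113.9/gate.php 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    client: str
    url: str
    indicators: tuple   # which Alina indicators fired on this request
    confidence: str     # "high": both; "medium": User-Agent only; "low": status 666 only


def unbalanced_parens(ua: str) -> bool:
    """True when the User-Agent has an opening parenthesis without a matching close."""
    return ua.count("(") != ua.count(")")


def scan_proxy_log(text: str) -> list:
    """Flag requests showing the Alina User-Agent and/or status-code indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        hits = []
        if unbalanced_parens(m["ua"]):
            hits.append("ua_missing_paren")
        if m["status"] == "666":
            hits.append("status_666")
        if not hits:
            continue
        if len(hits) == 2:
            confidence = "high"
        elif hits == ["ua_missing_paren"]:
            confidence = "medium"
        else:
            confidence = "low"   # 666 alone is configurable and may be a false positive
        findings.append(Finding(m["ts"], m["client"], m["url"], tuple(hits), confidence))
    return findings


def high_confidence_clients(text: str) -> set:
    """Clients that showed both indicators: the hosts to pull for memory triage first."""
    return {f.client for f in scan_proxy_log(text) if f.confidence == "high"}


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f.confidence, f.client, f.url, ",".join(f.indicators))
```

In the sample, only 10.20.1.15 trips both indicators; the intranet host that returned 666 is reported at low confidence, which is the right place for a server-side status that the operator can change.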
BlackPOS
Like most POS malware, BlackPOS attempts to steal the Track 1 or Track 2 formatted data stored on a card's magnetic stripe. The harvested data is first sent to another compromised server inside the organization. This is done both for evasion and because POS systems almost never have, nor should they have, direct Internet access. Once enough data has accumulated on that staging server, it is exfiltrated to a C2 server, usually a PHP application posing as a forum post receiver, with the payload RC4-encrypted and carried over plain HTTP. An RC4 key of "B0tswanaRul3z" has been observed in many samples. The malware also updates itself from this server.
Criminals make the malware as easy to use as possible, even building full-featured admin panels, as shown in Figure 1 for BlackPOS.
Figure 1: BlackPOS admin panel (Source: Group-IB)[3]
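Because RC4 is symmetric and the key above has been seen across many samples, an analyst holding a captured BlackPOS POST body can simply try the known key and look for track data in the result. The following is an added example, not code from the paper or from Symantec: a plain RC4 routine plus a small "does this look like Track 2" plausibility check. The "captured" body is constructed here by encrypting a made-up Track 2 string (a standard test card number) with the reported key; only the key comes from the text.

```python
# Added example: trying the RC4 key reported for BlackPOS ("B0tswanaRul3z")
# against a captured exfiltration body. RC4 encrypts and decrypts with the same routine.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the keystream generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KNOWN_KEY = b"B0tswanaRul3z"   # RC4 key observed in many BlackPOS samples (from the text)


def looks_like_track2(plaintext: bytes) -> bool:
    """Cheap plausibility check: printable ASCII with digits and a PAN=expiry separator."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and "=" in text and any(c.isdigit() for c in text)


def try_known_key(body: bytes, keys=(KNOWN_KEY,)):
    """Return (key, plaintext) for the first key whose output looks like track data, else None."""
    for key in keys:
        pt = rc4(key, body)
        if looks_like_track2(pt):
            return key, pt
    return None


# Constructed "captured" POST body: a made-up Track 2 string (standard test PAN)
# encrypted with the known key, so the example runs offline.
FAKE_TRACK2 = b";4111111111111111=15121011000012345678?"
CAPTURED_BODY = rc4(KNOWN_KEY, FAKE_TRACK2)

if __name__ == "__main__":
    hit = try_known_key(CAPTURED_BODY)
    print("no known key matched" if hit is None else f"key {hit[0]!r} -> {hit[1]!r}")
```

Because the key is user-configurable, a real triage script would carry a list of keys harvested from samples and fall back to the plausibility check alone when none match.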
VSkimmer
VSkimmer has been around for some time: it appears to have been written in 2012 and was discovered in March 2013, when criminals advertised it for sale on web forums. As with many POS malware families, VSkimmer looks for Track 2 formatted data in the memory of running processes, matching the pattern ';?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}\??' (the \u0061 escape is a lowercase "a"). This family uses HTTP to exfiltrate its stolen data and can be configured to copy the data to a USB device with a pre-defined volume name if no Internet connection is available. Its C2 connections are easy to spot on the network: they take the form http://{ip address}/admin/api/process.php?xy= followed by a Base64-encoded string containing '|az|#.#.#|#.#.#|text|text|0'.
Just as with BlackPOS, vSkimmer has an easy-to-use command interface, as shown in Figures 2 and 3. This keeps the barrier to entry low and lets criminals with less skill still succeed at stealing credit and debit card data.
Figure 2: VSkimmer bot control panel (Source: McAfee)[4]
Figure 3: VSkimmer terminal browser (Source: McAfee)[4]
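The vSkimmer section gives both of the indicators a defender can act on: the memory pattern the scraper hunts for and the shape of its C2 check-in. The block below is an added example, not code from the paper, McAfee or Symantec, and it also illustrates the "unencrypted in memory" point from the Evolving POS Malware section: it runs the quoted Track 2 pattern over a constructed stand-in for a process memory dump, applies a Luhn check to cut false positives (the regex alone will match any run of digits around an "="), and decodes a vSkimmer-style beacon URL. The memory bytes, card numbers (standard test PANs), beacon payload fields and C2 address are all constructed for the example; what "#.#.#" and "text" hold in real beacons is not specified by the text, so the decoder only checks the field shape.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs, urlencode

# The Track 2 pattern quoted in the text; \x61 is the lowercase "a" written as \u0061 there.
TRACK2_RE = re.compile(rb";?[3-9]{1}[0-9]{12,19}[D=\x61][0-9]{10,30}\??")


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, used to discard regex hits that are not card numbers."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list:
    """Return (offset, PAN) for each Track 2 match in buf whose PAN passes Luhn."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = re.match(rb";?([0-9]+)", m.group()).group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append((m.start(), pan))
    return hits


# Constructed stand-in for a POS process memory dump: two swipes with Luhn-valid test
# PANs, unrelated bytes between them, and one Luhn-invalid decoy the regex still matches.
MEMORY_DUMP = (
    b"\x00\x00MSRHID\x00"
    b";4111111111111111=15121011000012345678?"
    b"\x00\x90\x90junk junk junk\x00"
    b";5500000000000004=1607101000000000?"
    b"\xff\xfe"
    b";4111111111111112=1512101100001234?"      # Luhn-invalid decoy
    b"\x00"
)

# vSkimmer-style check-in: /admin/api/process.php?xy=<base64 of "|az|#.#.#|#.#.#|text|text|0">
BEACON_PATH = "/admin/api/process.php"
BEACON_RE = re.compile(r"\|az\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|[^|]*\|[^|]*\|0")


def decode_vskimmer_beacon(url: str):
    """Return the decoded xy= payload if the URL has the vSkimmer beacon shape, else None."""
    u = urlparse(url)
    if u.path != BEACON_PATH:
        return None
    xy = parse_qs(u.query).get("xy", [None])[0]
    if not xy:
        return None
    try:
        decoded = base64.b64decode(xy, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return decoded if BEACON_RE.search(decoded) else None


# Constructed beacon: field values are invented, only the "|az|...|0" layout is from the text.
SAMPLE_PAYLOAD = "|az|0.1.3|6.1.7601|POS-LANE-07|cashier|0"
SAMPLE_BEACON_URL = "http://198.51.100.23" + BEACON_PATH + "?" + urlencode(
    {"xy": base64.b64encode(SAMPLE_PAYLOAD.encode("ascii")).decode("ascii")}
)

if __name__ == "__main__":
    for offset, pan in scan_memory(MEMORY_DUMP):
        print(f"track data at offset {offset}: PAN {pan[:6]}...{pan[-4:]}")
    print("beacon payload:", decode_vskimmer_beacon(SAMPLE_BEACON_URL))
```

The memory scan is the same operation the malware performs, which is the point: a defender who runs it against a dump of the payment process (or feeds the pattern to a memory-scanning tool) confirms whether track data is exposed in the clear, while the Luhn filter keeps the pattern from flagging timestamps and counters.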
Breaching the Perimeter
Malware that targets POS systems relies on many of the same highly effective infection vectors and techniques as generic malware. Many POS systems are built on widely available commercial operating systems and standard hardware, which simplifies the development and distribution of POS malware. Easy-to-use interfaces and the ability to buy the malware online quickly add up to a low barrier to entry for criminals.
The following are some of the most common infection vectors facing retailers using POS systems today:
Phishing Email – One of the most prevalent methods of malware distribution and attack orchestration facing individuals and businesses alike, phishing preys on the human factor and delivers excellent results for attackers. With an enticing lure, users are tricked into clicking a link or opening an attachment, compromising the host computer. Even POS systems without Internet or email access are at risk from phishing through their proximity to infected, Internet-connected desktop PCs and servers.
Remote Access Abuse – Another route into the retail environment is the abuse of legitimate remote access services already in place. Many POS systems use remote desktop and remote administration tools to simplify management. Once attackers discover these services on an organization's network, default or weak credentials often get them in. Such credentials can also be stolen from other infected machines or businesses, including the POS hardware vendors and contractors a retailer employs.
Unpatched or Outdated Software Exploitation – POS systems that are not regularly patched, or that are used beyond obsolescence, pose a major risk of infection. Attackers routinely scan for vulnerabilities and misconfigurations, both directly from the Internet and from elsewhere in an already compromised organization. Once discovered, such gaps are exploited to deliver malware to endpoint systems.
Once POS malware is delivered, it rarely works alone; it is usually found in combination with exfiltration malware, because POS systems are rarely exposed to the Internet directly and criminals need help getting the stolen data out. Expecting two or more malware infections to be present at once doubles the opportunity to discover the POS malware.
Mitigation and Best Practices
Defending against POS malware is a complex, multi-faceted process. Steps can be taken at almost every level of an organization to minimize the chances of initial infection, lateral spread of malware and exfiltration of sensitive data. The mitigation techniques below are a collection of best practices that will help secure a business against a POS malware infection and the resulting breach.
Mitigation Techniques
• Harden remote accessibility on POS systems – Proper credential management (least privilege), no factory default passwords on POS devices, general password complexity requirements, disabling of remote access services where possible, and limiting the visibility of remote access interfaces and ports.
• Implement endpoint security software and secure configurations – Employ antivirus software and, where applicable, application whitelisting. This may catch known malware samples, stop suspicious behavior and prevent unauthorized applications from executing on a POS system. Systems should also be configured appropriately for their role, including disabling operating system functionality that has no place on a POS device (e.g., autorun, unapproved USB devices, startup/registry modifications).
• Train POS system users and limit activity – Systems that collect customer financial data should be used only for that function; users of these systems should not have Internet access, the ability to read email, or a way to execute downloaded programs. Corporate compliance requirements and information security policies should be strictly enforced on POS systems.
• Ensure effective monitoring of all portions of the network – In the event of an attack or compromise, the ability to monitor the attack and respond quickly limits sensitive data leakage. Including both POS systems and the surrounding infrastructure in monitoring is crucial.
• Employ proper network segmentation and filtering – POS networks should be segregated from other portions of the network to limit exposure to both the Internet and unrelated systems. Data loss prevention filtering may also stop data from being exfiltrated from the organization.
• Comply with PCI requirements and security best practices – All customer financial data should be handled according to compliance standards. All sensitive data should be encrypted and sent securely between approved systems.
• Keep equipment and payment technology up to date – Obsolete and end-of-life POS equipment should be retired in favor of modern, vendor-supported systems (i.e., new payment technologies with additional security measures).

"A global Symantec study shows that a majority of employees think it is acceptable to transfer corporate data outside the company and they never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations."[5]
– Symantec, Feb. 6, 2013
Detection
Detecting POS malware works much as detecting traditional malware on desktop and server systems does. However, POS systems face unique challenges when it comes to the security tools available to them. Securing computers and networks is usually accomplished with antivirus, perimeter security devices and monitoring teams; many POS systems do not receive the same level of scrutiny, and exploitation and eventual infection follow.
General Detection Mechanisms for POS Systems
• Endpoint antivirus software that reacts to suspicious applications and known malware samples may prevent or complicate an attacker's infection attempt. Such software can block the activity and report it to a central security system.
• Network traffic monitoring with anomaly detection may highlight brute-force access attempts, remote access sessions, C2 communications and data exfiltration. POS systems should be included in monitored network segments and protected by the same devices used for more traditional systems.
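The brute-force and remote-access indicators in the list above are the ones that catch the Remote Access Abuse vector and families like BrutPOS before any scraper lands. The following is an added example, not code from the paper or from Symantec, of the detection logic run over a constructed export of Windows Security events from a POS host: event 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP). It flags a source that exceeds a failure threshold inside a sliding window and escalates when that same source then logs on successfully. The event format, IPs, account names and thresholds are this example's assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log export: event id, time, source IP, account, logon type.
# Logon type 10 is RemoteInteractive (RDP); type 3 is a network logon and is ignored here.
# Every line is made up for this example. Events are assumed to be in time order.
SAMPLE_EVENTS = """\
4625,2015-03-02 02:10:01,203.0.113.45,administrator,10
4625,2015-03-02 02:10:03,203.0.113.45,pos,10
4625,2015-03-02 02:10:04,203.0.113.45,admin,10
4625,2015-03-02 02:10:06,203.0.113.45,POSUSER,10
4625,2015-03-02 02:10:08,203.0.113.45,manager,10
4624,2015-03-02 02:10:11,203.0.113.45,POSUSER,10
4625,2015-03-02 09:15:00,10.20.1.50,jsmith,10
4625,2015-03-02 09:15:20,10.20.1.50,jsmith,10
4624,2015-03-02 09:15:40,10.20.1.50,jsmith,10
4624,2015-03-02 13:00:00,10.20.1.5,svc_backup,3
"""

THRESHOLD = 5                   # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window trigger an alert


def parse_events(text: str) -> list:
    """Parse the constructed CSV export into (event_id, timestamp, source, account, logon_type)."""
    events = []
    for line in text.splitlines():
        eid, ts, src, account, ltype = line.split(",")
        events.append((int(eid), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, account, int(ltype)))
    return events


def detect_rdp_bruteforce(text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list:
    """Return alerts as (kind, source, account, time).

    kind is "rdp_bruteforce" when a source reaches `threshold` RDP failures within
    `window`, and "success_after_bruteforce" when a flagged source later logs on:
    the case where weak or default credentials have just been guessed.
    """
    failures = defaultdict(deque)   # source IP -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for eid, ts, src, account, ltype in parse_events(text):
        if ltype != 10:
            continue                # only RemoteInteractive (RDP) logons matter here
        if eid == 4625:
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, account, ts))
        elif eid == 4624 and src in flagged:
            alerts.append(("success_after_bruteforce", src, account, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, account, ts in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(ts, kind, src, account)
```

With the default threshold the external address is flagged after its fifth failure and escalated when POSUSER then logs on from it; the two mistyped passwords from the internal workstation never reach the threshold. The same logic applies unchanged to firewall or VPN logs once the fields are mapped, and the threshold should be tuned per environment: a POS network has no business receiving RDP from the Internet at all, so for external sources the threshold can be one.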
Symantec™ Cyber Security Services: Managed Security Services (MSS) Detection
• Symantec consumes security intelligence on a wide variety of threats from numerous internal and external sources, sensors and partners around the world. When new POS malware is discovered, detection is implemented quickly in both endpoint products and the MSS service.
• All available indicators of compromise involving POS malware are implemented and alerted on for all affected customers. In many cases, historical detection against stored log data (up to 92 days) is performed to discover previously unknown malware activity.
• POS malware signatures released by vendors supported by Symantec MSS are automatically loaded into the MSS system and used to generate incidents. Such detection varies by security device vendor, but is used wherever possible to extend MSS coverage.
• All malware families listed in this report are represented in current MSS signature sets, which are updated constantly as new samples and attack infrastructure are discovered. As these malware variants and their creators evolve, Symantec and other security vendors continuously release new indicators of compromise.
References
[1] Ponemon and Symantec Find Most Data Breaches Caused by Human and System Errors. http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01
[2] Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns. http://pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf
[3] Exclusive: Details on Investigation of Group-IB on New Age of POS Malware. http://www.group-ib.com/index.php/o-kompanii/176-news/?view=article&id=716
[4] VSkimmer Botnet Targets Credit Card Payment Terminals. http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals
[5] Symantec Study Shows Employees Steal Corporate Data and Don't Believe It's Wrong. http://www.symantec.com/about/news/release/article.jsp?prid=20130206_01
Copyright © 2015 Symantec Corporation. All rights reserved.

Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB ProjectsSymantec
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec
 

Mehr von Symantec (20)

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of Broadcom
 
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
 

Kürzlich hochgeladen

Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 

Kürzlich hochgeladen (20)

Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 

Point of Sale (POS) Malware: Easy to Spot, Hard to Stop

Introduction

Most organizations worry that they will be the next company showing up on the evening news as the “worst data breach ever.” The real concern isn’t if you will be breached, but when you will be breached—and if you’ll know it happened before you read it in the press along with your customers.

The cost of the breach is far more than lost revenue that has to be recovered; the real loss is in customer trust and loyalty.

Mistakes made by people and systems are the main causes of data breach. Together, human errors and system problems account for 64 percent of data breaches.1

This whitepaper takes an in-depth look at:
• The evolution of Point-Of-Sale (POS) malware
• How attackers breach the organization
• What should be done to mitigate breach losses
• How to proactively detect POS malware

Evolving POS Malware

Although the first POS malware is still in use and effective, POS malware is still being written, and the oldest POS malware is getting new evasion technology updates.

A POS compromise normally happens when a Trojan or downloader malware gets on a system inside the organization. Not a tall order considering the number of new infections of Gameover Zeus, a peer-to-peer variant of the Zeus malware that has been around since 2007. All it takes is an email with a poisoned attachment, a link to a drive-by download, a watering hole attack on a popular news site or even poisoning ads in a widely used, trusted ad network. Any network that can come in contact with the POS terminal network makes a perfect invasion point to deliver POS malware. Gameover Zeus, Bugat or Citadel is used to take over accounts, deliver key loggers and other malware to obtain even the best passwords and allow attackers to move laterally across the network. Lateral movement within the network, compromising hosts as they move, allows the attackers to achieve their end goal of access to POS terminals.

The POS malware then does what it was designed to do—capture the track information from the magnetic stripe on credit and debit cards. With the payment system encrypted nearly end-to-end, one may ask how criminals obtain the credit and debit card track information. They obtain the information when it is at its weakest point in the system, unencrypted in memory, scraping “the first step in the identity theft chain” from memory: the credit or debit card magnetic stripe track data. The track data is then re-encrypted and sent to the local transaction server or payment processor. The identity theft chain then continues with money drained from accounts; stolen card information sold online; and new credit cards, produced with inexpensive hardware obtained online, set up with the stolen information.
Common POS Malware

The common goal of most POS malware is to locate, extract and exfiltrate stolen credit card information as quickly and covertly as possible. While some design details separate one variant from another, most malware can be identified easily. In order to illustrate the scope of the problem, below is a representative list of some known POS malware and the AV signatures by which the malware will be detected using Symantec Antivirus:

• Alina (Infostealer.Alina) – Process memory dumper that looks for credit card information. Uses simple HTTP for data exfiltration and command and control (C2) purposes.
• Backoff (Trojan.Backoff) – Memory scraper and key logger, designed to extract credit card information. C2 is accomplished via HTTP POST, while exfiltration is via encrypted HTTP POST.
• BlackPOS (Infostealer.Reedum) – Credit card seeking memory scraper. Exfiltration of stolen data via FTP.
• BrutPOS (Trojan.Bruterdep) – Brute force of RDP to gain access to credit card information. C2 via HTTP POST and stolen data exfiltration via FTP.
• ChewBacca (Infostealer.Frysna) – Key logger and memory scraper seeking credit card numbers. Uses The Onion Router (TOR) for C2. Also known as FYSNA.
• Decebal (Infostealer.Decebal) – Memory scraping functionality looking for credit card information. C2 via HTTP POST. Basic stolen data encoding and upload via HTTP.
• Dexter (Infostealer.Dexter) – Memory dumper for specific POS software that seeks credit card information. Exfiltration and C2 accomplished via HTTP.
• GetMyPass (Infostealer.Getmypos) – Process dumper seeking credit card info. No exfiltration or C2 functionality; requires previously established control of the infected system.
• JackPOS (Infostealer.Jackpos) – Memory scraper seeking credit card numbers. Exfiltration via base64 encoded HTTP POST and simple C2.
• LusyPOS (often detected as Infostealer.Dexter) – Credit card information memory scraper. Uses The Onion Router (TOR) for C2 and exfiltration.
• NewPoSThings (vendor write-up) – Memory scraper for credit card information and VNC password location. Encrypted data exfiltration and C2 accomplished via HTTP POST.
• RawPOS (Infostealer.Rawpos) – Memory scraper for credit card numbers in system processes.
• Rdasrv (Infostealer.Posscrape) – Harvests credit card information from memory. Relies on existing remote access for exfiltration.
• Soraya (vendor write-up) – Memory scraper and HTTP form grabber that seeks credit card data. Checks in with a hardcoded C2 server and exfiltrates every 5 minutes.
• vSkimmer (Infostealer.Vskim) – Memory scraper looking for credit card numbers. Exfiltration and C2 accomplished via HTTP or USB.
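Most of the families above move stolen card data out over HTTP POST, sometimes base64 encoded (JackPOS). The following egress check is an added example, not code from the whitepaper or from any of these families: it scans outbound POST bodies, including a base64 layer, for Track 2 formatted records with a Luhn-valid card number. The request bodies are constructed, and 4111111111111111 is a well-known test card number.

```python
"""Egress check for magnetic-stripe Track 2 data in outbound HTTP POST bodies.

Added example, not code from the Symantec whitepaper or from any of the
malware families listed above. It covers the two HTTP exfiltration shapes
the list names, plain HTTP POST and base64-encoded HTTP POST, and flags
bodies that carry Track 2 formatted data with a Luhn-valid PAN. All
sample requests are constructed; 4111111111111111 is a well-known test
card number, not a real account.
"""
import base64
import binascii
import re

# Track 2 layout: optional ';' start sentinel, PAN of 13-19 digits, a
# field separator, expiry/service-code/discretionary digits, optional '?'
# end sentinel. The separator class [D=a] follows the vSkimmer pattern
# quoted later in the paper (assumption: that pattern's u0061 is 'a').
TRACK2_RE = re.compile(rb";?(?P<pan>[3-9][0-9]{12,18})[D=a](?P<disc>[0-9]{4,30})\??")
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; screens out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidate_views(body: bytes) -> list:
    """Return the raw body plus a base64-decoded layer when the body is clean base64."""
    views = [body]
    stripped = b"".join(body.split())           # tolerate wrapped base64
    if stripped and BASE64_RE.fullmatch(stripped):
        try:
            views.append(base64.b64decode(stripped, validate=True))
        except binascii.Error:
            pass                                 # not really base64; keep raw view only
    return views


def find_track2(body: bytes) -> list:
    """Return (pan, layer) pairs for Luhn-valid Track 2 hits in any decoding layer."""
    hits = []
    for depth, view in enumerate(candidate_views(body)):
        for m in TRACK2_RE.finditer(view):
            pan = m.group("pan").decode("ascii")
            if luhn_ok(pan):
                hits.append((pan, "base64" if depth else "raw"))
    return hits


# Constructed request bodies an egress proxy might see.
SAMPLE_POSTS = {
    # JackPOS-style: whole body base64 encoded around a Track 2 record
    "jackpos_style": base64.b64encode(b"data=;4111111111111111=25121010000000000000?"),
    # plain HTTP POST carrying the record directly
    "plain": b"cc=;4111111111111111=2512101000000?&id=42",
    # ordinary form post, no card data
    "benign": b"order=5551234&amount=12.50",
    # Track 2 shape but the PAN fails the Luhn check
    "luhn_fail": b";4111111111111112=2512101?",
}


def scan_requests(posts: dict) -> dict:
    """Map each request name to its Track 2 hits."""
    return {name: find_track2(body) for name, body in posts.items()}


if __name__ == "__main__":
    for name, hits in scan_requests(SAMPLE_POSTS).items():
        print(f"{name:14s} -> {hits or 'clean'}")
```

Encrypted channels (Backoff, BlackPOS RC4, TOR-based families) will not show the record in either layer, so this check complements rather than replaces the C2 indicators discussed later.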
Figure: Symantec tracks known threats as they evolve and appear, while also identifying and nullifying the increasing proliferation of new threats. (Timeline of malware discovery dates, 2009 to 2015; the observed and AV detection dates shown in the figure are listed below.)

Malware              Observed     AV Detection
RawPOS               2.10.13      2.18.14
Rdasrv               n/a          6.6.14
BrutPos              3.1.14       3.12.14
BlackPos v2          8.29.14      12.19.13
JackPOS              2.1.14       2.8.14
Backoff              3.20.14      7.31.14
LusyPOS              12.1.14      12.12.12
GetMyPass            11.26.14     11.27.14
Soraya               6.1.14       6.4.14
Alina (Kaptoxa)      n/a          2.10.13
Dexter               12.11.13     12.12.12
vSkimmer             3.21.13      1.26.13
Decebal              1.3.114      9.11.14
NewPoSThings         9.4.14       n/a
BlackPOS (Kaptoxa)   n/a          3.29.13
ChewBacca            10.1.13      12.18.13
Alina

Dozens of variants of Alina have been seen in the wild. Alina is an older malware, developed in early 2012 but still showing signs of active development. It contacts its C2 right after it is installed, and can be detected by looking for a missing parenthesis in the User-Agent string, a minor but noticeable pattern. There is also a response code of “666” in C2 HTTP responses where a normal “200” code would be returned. This return code is user-editable in the malware configuration, though, and may return a false positive detection if used alone. The good news—not many criminals who buy this malware bother to change it.

Like many of the malware families discussed in this whitepaper in additional detail, Alina searches running processes for credit card Track 1 and Track 2 data, then uses HTTP to exfiltrate the stolen data and get updates to itself. Several of the C2 servers it communicates with are shared with the JackPOS malware, linking them in a not yet fully understood way.

Researchers have reported a number of references to an active bitcoin wallet address.2 The wallet address has been active since August 2013, although it doesn’t appear to have been actively used during the lifetime of this malware.

BlackPOS

BlackPOS malware attempts to steal the Track 1 or Track 2 formatted data that is stored on a credit card’s magnetic stripe, as most POS malware does. This information is then sent to another compromised server within the organization. This is done for evasion and because POS systems almost never have, nor should they have, direct Internet access. Once the data has been accumulated, it is exfiltrated to a C2 server, usually a “forum post” receiver PHP application, using RC4 encryption over HTTP. A commonly observed RC4 key of “B0tswanaRul3z” has been seen in many samples. The malware updates itself from this server as well.

Criminals make the malware as easy to use as possible, even building full-featured admin panels as shown in Figure 1 for BlackPOS.

Figure 1: BlackPOS admin panel (Source: Group I-B)3
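The Alina and BlackPOS indicators above are cheap to check in proxy logs. Below is an added example, not code from the whitepaper or from either family, that scores constructed proxy records on the unbalanced User-Agent parenthesis, the “666” status (weighted low because the page notes it is editable), and whether a POST body to a PHP receiver decrypts under the commonly observed RC4 key. The record schema, field names and sample records are constructed.

```python
"""Proxy-log heuristics for the Alina and BlackPOS indicators described above.

Added example, not code from the whitepaper or from either malware family.
Alina: a User-Agent with an unclosed parenthesis and a C2 reply status of
666 (user-editable, so it only adds to the score). BlackPOS: a POST to a
PHP receiver whose body decrypts under the reported RC4 key
"B0tswanaRul3z" to readable ASCII. Record schema and samples are constructed.
"""
import binascii

BLACKPOS_RC4_KEY = b"B0tswanaRul3z"   # key reported in the paper


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); used here only to trial a known key against a body."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unbalanced_parens(user_agent: str) -> bool:
    """Alina heuristic: '(' and ')' counts in the User-Agent do not match."""
    return user_agent.count("(") != user_agent.count(")")


def looks_like_text(blob: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return len(blob) >= 8 and all(32 <= b < 127 or b in b"\r\n\t" for b in blob)


def score_record(rec: dict) -> tuple:
    """Return (score, reasons) for one record with keys method, url, status, user_agent, body_hex."""
    score, reasons = 0, []
    if unbalanced_parens(rec.get("user_agent", "")):
        score += 2
        reasons.append("unbalanced parenthesis in User-Agent (Alina)")
    if rec.get("status") == 666:
        score += 1
        reasons.append("HTTP status 666 from C2 (Alina default, editable)")
    if rec.get("method") == "POST" and rec.get("url", "").lower().endswith(".php"):
        try:
            body = binascii.unhexlify(rec.get("body_hex", ""))
        except binascii.Error:
            body = b""
        # A wrong key yields pseudo-random bytes, so readable output is a strong signal.
        if body and looks_like_text(rc4(BLACKPOS_RC4_KEY, body)):
            score += 3
            reasons.append("POST body decrypts under known BlackPOS RC4 key")
    return score, reasons


def make_samples() -> list:
    """Constructed proxy records: one Alina-like, one BlackPOS-like, two benign."""
    # constructed payload; 4111111111111111 is a well-known test card number
    stolen = b"track=;4111111111111111=2512101?;host=POS-07"
    return [
        {"name": "alina_like", "method": "GET", "url": "http://198.51.100.10/update.php",
         "status": 666, "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1",
         "body_hex": ""},
        {"name": "blackpos_like", "method": "POST", "url": "http://198.51.100.20/forum/post.php",
         "status": 200, "user_agent": "Mozilla/5.0 (Windows NT 6.1)",
         "body_hex": binascii.hexlify(rc4(BLACKPOS_RC4_KEY, stolen)).decode()},
        {"name": "benign_get", "method": "GET", "url": "http://example.com/index.html",
         "status": 200, "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64)",
         "body_hex": ""},
        {"name": "benign_post", "method": "POST", "url": "http://example.com/login.php",
         "status": 200, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
         "body_hex": binascii.hexlify(
             b"username=alice&password=hunter2&remember=1&next=/home").decode()},
    ]


def triage(records: list, threshold: int = 3) -> list:
    """Names of records whose score reaches the threshold."""
    return [r["name"] for r in records if score_record(r)[0] >= threshold]


if __name__ == "__main__":
    for rec in make_samples():
        print(rec["name"], score_record(rec))
```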
VSkimmer

VSkimmer has been around for some time, appearing to have been written in 2012 and discovered in March 2013, when advertised by criminals for sale on web forums. As with many POS malware families, VSkimmer looks for Track 2 formatted data matching a specific pattern in running processes in memory: ‘;?[3-9]{1}[0-9]{12,19}[D=u0061][0-9]{10-30}?? ‘. This malware family uses HTTP to exfiltrate its stolen data and can be configured to copy data to a USB device with a pre-defined volume name if no Internet connection is available.

The connections to its C2 are easy to see on the network in the form http://{ip address}/admin/api/process.php?xy= followed by a Base64 encoded string containing ‘|az|#.#.#|#.#.#|text|text|0’.

Just as with BlackPOS, vSkimmer has an easy-to-use command interface as shown in Figures 2 and 3. This keeps the barrier to entry for criminals low and invites criminals with less skill to still be successful at stealing credit and debit card information.

Figure 2: VSkimmer bot control panel (Source: McAfee)4
Figure 3: VSkimmer terminal browser (Source: McAfee)4
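The vSkimmer check-in URL is specific enough to decode and validate rather than just pattern-match on the path. The following is an added example, not code from the whitepaper or from vSkimmer: it extracts the xy parameter, Base64-decodes it and checks the pipe-delimited shape quoted above. Assumptions: ‘#’ stands for one or more digits, ‘text’ for a free-form field without ‘|’, and the string may carry a prefix before ‘|az|’; the sample URLs are constructed using a documentation address range.

```python
"""Detect vSkimmer-style C2 check-ins from proxy URLs.

Added example, not code from the whitepaper or from vSkimmer. The paper
gives the beacon shape http://{ip}/admin/api/process.php?xy= followed by a
Base64 string containing '|az|#.#.#|#.#.#|text|text|0'. Assumptions: '#'
is one or more digits, 'text' is a field without '|', and a prefix may
precede '|az|'. Sample URLs are constructed (198.51.100.0/24 is TEST-NET-2).
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

BEACON_PATH = "/admin/api/process.php"
BEACON_RE = re.compile(r"\|az\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|[^|]*\|[^|]*\|0$")
XY_RE = re.compile(r"(?:^|&)xy=([^&]*)")


def extract_xy(query: str):
    """Pull the raw xy value from the query string without '+'-to-space mangling."""
    m = XY_RE.search(query)
    return unquote(m.group(1)) if m else None


def decode_xy(value: str):
    """Base64-decode xy, tolerating stripped padding; None when not decodable ASCII."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_vskimmer_beacon(url: str) -> bool:
    """True when path, parameter and decoded payload all match the beacon shape."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return False
    xy = extract_xy(parts.query)
    if xy is None:
        return False
    decoded = decode_xy(xy)
    return decoded is not None and BEACON_RE.search(decoded) is not None


def beacon_fields(url: str):
    """Split a matching beacon into its pipe-delimited fields; None if not a beacon."""
    if not is_vskimmer_beacon(url):
        return None
    return decode_xy(extract_xy(urlsplit(url).query)).split("|")


def make_beacon_url(host: str, payload: str) -> str:
    """Build a constructed check-in URL with the beacon's shape (for testing only)."""
    token = base64.b64encode(payload.encode()).decode()
    return f"http://{host}{BEACON_PATH}?xy={token}"


# Constructed URLs: one beacon-shaped, three that must not match.
SAMPLE_URLS = [
    make_beacon_url("198.51.100.5", "BOT-1337|az|1.0.1|6.1.7601|POS-REG-02|cashier|0"),
    "http://198.51.100.5/admin/api/process.php?xy="
    + base64.b64encode(b"hello world").decode(),                  # right path, wrong payload
    "http://example.com/admin/api/process.php?id=7",              # right path, no xy
    "http://example.com/search?q=|az|1.2.3|4.5.6|a|b|0",          # right text, wrong path
]


def find_beacons(urls: list) -> list:
    """Return the subset of URLs that match the beacon shape."""
    return [u for u in urls if is_vskimmer_beacon(u)]


if __name__ == "__main__":
    for u in find_beacons(SAMPLE_URLS):
        print("beacon:", beacon_fields(u))
```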
Breaching the Perimeter

Malware that targets POS systems relies on many of the same highly effective infection vectors and techniques as typical generic malware. Many POS systems are based on widely available commercial operating systems and standard hardware platforms, thereby simplifying the development and distribution of POS malware. Easy-to-use interfaces and the ability to quickly purchase the malware online equal a low barrier to entry for criminals. The following represent some of the most common infection vectors facing retailers using POS systems today:

Phishing Email – One of the most prevalent methods for malware distribution and attack orchestration facing individuals and businesses alike, phishing emails prey on the human factor to deliver excellent results for attackers. By offering an enticing lure, users are tricked into clicking a link or opening an attachment, resulting in the compromise of the host computer. Even POS systems without Internet or email functionality are at risk of phishing compromise via proximity to more Internet accessible and infected desktop PCs and servers.

Remote Access Abuse – Another method of infiltration into the retail setting relies on the abuse of legitimate remote access services already in place. Many POS systems employ remote desktop and remote administrative solutions designed to simplify management. Default or weak credentials are often used by attackers to access POS systems, once discovered on an organization’s network. Such credentials can also be stolen from other infected machines or businesses, including the POS hardware vendors and contractors employed by a retailer.

Unpatched or Outdated Software Exploitation – POS systems that aren’t regularly patched or are used beyond obsolescence pose a major risk of infection. Vulnerabilities and misconfigurations are routinely scanned for by attackers, both directly from the Internet and from elsewhere in a compromised organization. Once discovered, such gaps are exploited to deliver malware to endpoint systems.

Once POS malware is delivered, it rarely works alone and will be found in combination with exfiltration malware. POS systems are rarely exposed to the Internet directly and criminals need help exfiltrating the stolen data. Expecting that two or more malware infections will occur simultaneously provides twice the opportunity to discover POS malware.
Mitigation and Best Practices

Defending against POS malware is a complex, multi-faceted process. Steps can be taken at almost every level of an organization to minimize the chances of initial infection, lateral spread of malware and exfiltration of sensitive data. The mitigation techniques below are a collection of best practices that will assist in securing a business against a POS malware infection and the resulting breach.

Mitigation Techniques

• Harden remote accessibility on POS systems – Proper credential management (implementation of least privilege), disuse of factory default passwords on POS devices, general password complexity requirements, disabling of remote access services where possible and limiting the visibility of remote access interfaces/ports.

• Implement endpoint security software and secure configurations – Employ antivirus software and, where applicable, apply application whitelisting. This may catch known malware samples, stop suspicious behavior and prevent unauthorized applications from executing on a POS system. Systems should also be configured in a manner appropriate for their roles, including the disabling of operating system functionality not appropriate for a POS device (e.g., autorun, unapproved USB devices, startup/registry modifications, etc.).

• Train POS system users and limit activity – Systems responsible for the collection of customer financial data should be used only for their intended function; users of these systems should not have Internet access, the ability to read email or a way to execute downloaded programs. Corporate compliance requirements and information security policies should be strictly adhered to on POS systems.

• Ensure effective monitoring of all portions of the network – In the event of an attack or compromise, the ability to monitor the attack and provide quick incident response will limit sensitive data leakage. Including both POS systems and the surrounding infrastructure in monitoring is crucial.

• Employ proper network segmentation and filtering – POS system networks should be segregated from other portions of the network, with the intent of limiting exposure to both the Internet and unrelated systems. Data loss prevention filtering may also prevent data from being exfiltrated from an organization.

• Comply with PCI requirements and security best practices – All customer financial data should be handled according to compliance standards. All sensitive data should be encrypted and sent securely between approved systems.

• Keep equipment and payment technology up to date – Obsolete and end-of-life POS equipment should be retired in favor of modern systems with vendor support (i.e., new payment technologies with additional security measures).

“A global Symantec study shows that a majority of employees think it is acceptable to transfer corporate data outside the company and they never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations.”5 – Symantec, Feb. 6, 2013
Detection

Detecting POS malware is accomplished in a similar way to detecting traditional malware on desktop and server systems. However, POS systems face unique challenges when it comes to available security tools. Securing computers and networks is usually accomplished with antivirus, perimeter security devices and monitoring teams; many POS systems don’t receive the same level of scrutiny, resulting in exploitation and eventual infection.

General Detection Mechanisms for POS Systems

• Endpoint antivirus software that is sensitive to suspicious applications and known malware samples may prevent or complicate infection by an attacker. Such software may block this activity and report it to a central security system.

• Network traffic monitoring may highlight brute force access attempts, remote access sessions, C2 communications and data exfiltration via anomaly detection. POS systems should be included in monitored network segments and protected by the same devices in place for more traditional systems.

Symantec™ Cyber Security Services: Managed Security Services (MSS) Detection

• Symantec consumes security intelligence on a wide variety of threats from numerous internal and external locations, sensors and partners around the world. When new POS malware is discovered, detection is implemented quickly on both endpoint products and through the MSS service.

• All available indicators of compromise involving POS malware are implemented and alerted on for all affected customers. In many cases, historical detections based on stored log data (up to 92 days) are performed to discover previously unknown malware activity.

• POS malware signatures released by vendors supported by Symantec MSS are automatically loaded into our system and used to generate incidents. Such detection varies by security device vendor, but is used as often as possible to enhance MSS coverage.

• All malware families listed in this report are represented in current MSS signature sets. They are updated constantly as new malware samples and attack infrastructure are discovered. As these malware variants and their creators evolve, both Symantec and other security vendors continuously release new indicators of compromise.
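The "network traffic monitoring" mechanism above becomes concrete for VSkimmer, whose check-in URL and decoded payload shape are given in the VSkimmer section. The detector below is an added example serving both passages; it is not part of Symantec MSS or any vendor signature set. It scans web-proxy log lines for the http://{ip address}/admin/api/process.php?xy= path, percent- and Base64-decodes the query value, and alerts only when the decoded string has the ‘|az|#.#.#|#.#.#|text|text|0’ structure, so a benign request to a similar path stays quiet. The log line format, the bot identifier and the field values in the sample beacon are constructed; the paper does not document what each field means, and the field names in the alert are my labels. Accepting a hostname as well as a bare IP in the host position is my generalisation.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Check-in URL shape from the text: http://{ip address}/admin/api/process.php?xy=<Base64>
# Assumption: the host may also be a name, not only a dotted IP.
C2_URL_RE = re.compile(
    r"https?://(?P<host>(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[A-Za-z0-9.-]+)"
    r"/admin/api/process\.php\?xy=(?P<blob>[A-Za-z0-9+/=%]+)"
)

# Decoded payload shape from the text: '|az|#.#.#|#.#.#|text|text|0'.
# Require the literal 'az' marker, two dotted-numeric fields and a trailing 0.
BEACON_RE = re.compile(
    r"^[^|]*\|az\|\d+(?:\.\d+)+\|\d+(?:\.\d+)+\|[^|]*\|[^|]*\|0$"
)


def decode_beacon(blob: str) -> Optional[str]:
    """Percent-decode, then Base64-decode the query value; None if not Base64 text."""
    try:
        raw = base64.b64decode(unquote(blob), validate=True)
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return an alert for a VSkimmer-shaped check-in, else None."""
    m = C2_URL_RE.search(line)
    if not m:
        return None
    body = decode_beacon(m.group("blob"))
    if body is None or not BEACON_RE.match(body):
        return None     # same path, but the payload is not bot-shaped: stay quiet
    fields = body.split("|")
    return {
        "c2_host": m.group("host"),
        "bot_id": fields[0],        # field labels are assumptions, not documented
        "bot_version": fields[2],
        "os_version": fields[3],
        "beacon": body,
    }


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over every line and keep only the alerts."""
    return [hit for hit in map(inspect_log_line, lines) if hit]


# Constructed sample beacon; the field values are invented for illustration.
BEACON_B64 = base64.b64encode(
    b"A1B2C3D4|az|1.0.0|6.1.7601|POS-LANE-3|cashier|0"
).decode("ascii")

# Constructed proxy log lines (simplified "client method url status" layout).
SAMPLE_PROXY_LOG = [
    "10.20.30.41 GET http://www.example.com/index.html 200",
    # same path, but the value decodes to 'hello world': not a beacon
    "10.20.30.42 GET http://203.0.113.9/admin/api/process.php?xy=aGVsbG8gd29ybGQ%3D 404",
    f"10.20.30.43 GET http://203.0.113.7/admin/api/process.php?xy={BEACON_B64} 200",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert)
```

Decoding the payload rather than alerting on the path alone is the point: the path is cheap for an operator to change, while the field layout is what the C2 server parses, and checking it keeps a lookalike URL on a legitimate site from paging the on-call analyst. Because the beacon carries the infected host's identity, the decoded fields also give incident responders a starting inventory of compromised lanes.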
References

1. Ponemon and Symantec Find Most Data Breaches Caused by Human and System Errors
   http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01
2. Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns
   http://pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf
3. Exclusive–Details on Investigation of Group-IB on New Age of POS Malware
   http://www.group-ib.com/index.php/o-kompanii/176-news/?view=article&id=716
4. VSkimmer Botnet Targets Credit Card Payment Terminals
   http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals
5. Symantec Study Shows Employees Steal Corporate Data and Don’t Believe It’s Wrong
   http://www.symantec.com/about/news/release/article.jsp?prid=20130206_01
About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2014, it recorded revenues of $6.7 billion. To learn more go to www.symantec.com/managed-security-services/ or connect with Symantec at https://twitter.com/symantecmss.

Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527-8000
1 (800) 721-3934

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Visit our blog: http://www.symantec.com/connect/symantec-blogs/cyber-security-services