SYMANTEC MSS
Introduction
Most organizations worry that they will be the next company showing up on the evening news as the “worst data breach ever.” The real concern isn’t if you will be breached, but when you will be breached, and whether you’ll know it happened before you read about it in the press along with your customers.
The cost of a breach is far more than the lost revenue that has to be recovered; the real loss is in customer trust and loyalty.
Mistakes made by people and systems are the main causes of data breaches. Together, human errors and system problems account for 64 percent of data breaches.[1]
This whitepaper takes an in-depth look at:
• The evolution of Point-Of-Sale (POS) malware
• How attackers breach the organization
• What should be done to mitigate breach losses
• How to proactively detect POS malware
Evolving POS Malware
The earliest POS malware families are still in use and still effective, new families continue to be written, and the oldest families keep receiving new evasion updates.
A POS compromise normally begins when a Trojan or downloader gets onto a system inside the organization. That is not a tall order, considering the number of new infections of Gameover Zeus, a peer-to-peer variant of the Zeus malware, which has been around since 2007.
All it takes is an email with a poisoned attachment, a link to a drive-by download, a watering hole attack on a popular news site or even poisoned ads in a widely used, trusted ad network. Any network that can come in contact with the POS terminal network makes a perfect entry point for delivering POS malware.
Gameover Zeus, Bugat or Citadel is used to take over accounts and to deliver key loggers and other malware that capture even the best passwords and let attackers move laterally across the network. Lateral movement, compromising hosts along the way, brings the attackers to their end goal: access to the POS terminals. The POS malware then does what it was designed to do and captures the track data from the magnetic stripe of credit and debit cards.
With the payment system encrypted nearly end to end, one may ask how criminals obtain the track data. They take it at its weakest point: the moment after the swipe, when it sits unencrypted in the memory of the POS process, before the application encrypts it for transmission. POS malware scrapes that Track 1 and Track 2 data from memory (“the first step in the identity theft chain”); the legitimate application then encrypts the same data and sends it to the local transaction server or payment processor as usual, so the sale completes and nothing looks amiss. The identity theft chain continues with money drained from accounts, stolen card data sold online, and new cards, produced with inexpensive hardware bought online, encoded with the stolen information.
Common POS Malware
The common goal of most POS malware is to locate, extract and exfiltrate stolen credit card information as quickly and covertly as possible. While design details separate one variant from another, most families share enough traits to be identified by signature. To illustrate the scope of the problem, below is a representative list of known POS malware and the AV signatures by which Symantec Antivirus detects it:
• Alina (Infostealer.Alina) – Process memory dumper that looks for credit card information. Uses simple HTTP for data exfiltration and command and control (C2).
• Backoff (Trojan.Backoff) – Memory scraper and key logger designed to extract credit card information. C2 via HTTP POST; exfiltration via encrypted HTTP POST.
• BlackPOS (Infostealer.Reedum) – Credit card seeking memory scraper. Exfiltrates stolen data via FTP.
• BrutPOS (Trojan.Bruterdep) – Brute-forces RDP credentials to gain access to systems holding credit card information. C2 via HTTP POST; stolen data exfiltrated via FTP.
• ChewBacca (Infostealer.Frysna) – Key logger and memory scraper seeking credit card numbers. Uses The Onion Router (Tor) for C2. Also known as FYSNA.
• Decebal (Infostealer.Decebal) – Memory scraper looking for credit card information. C2 via HTTP POST; basic encoding of stolen data and upload via HTTP.
• Dexter (Infostealer.Dexter) – Memory dumper targeting specific POS software, seeking credit card information. Exfiltration and C2 via HTTP.
• GetMyPass (Infostealer.Getmypos) – Process dumper seeking credit card information. No exfiltration or C2 functionality; requires previously established control of the infected system.
• JackPOS (Infostealer.Jackpos) – Memory scraper seeking credit card numbers. Exfiltration via Base64-encoded HTTP POST and simple C2.
• LusyPOS (often detected as Infostealer.Dexter) – Credit card memory scraper. Uses Tor for C2 and exfiltration.
• NewPoSThings (vendor write-up) – Memory scraper for credit card information that also locates VNC passwords. Encrypted data exfiltration and C2 via HTTP POST.
• RawPOS (Infostealer.Rawpos) – Memory scraper for credit card numbers in system processes.
• Rdasrv (Infostealer.Posscrape) – Harvests credit card information from memory. Relies on existing remote access for exfiltration.
• Soraya (vendor write-up) – Memory scraper and HTTP form grabber seeking credit card data. Checks in with a hardcoded C2 server and exfiltrates every 5 minutes.
• vSkimmer (Infostealer.Vskim) – Memory scraper looking for credit card numbers. Exfiltration and C2 via HTTP or USB.
Figure: Malware discovery timeline, 2009–2015. Caption: Symantec tracks known threats as they evolve and appear, while also identifying and nullifying the increasing proliferation of new threats. The dates below (M.D.YY) are recovered from the chart; a dash means the chart gives no date.

Malware             First observed   Symantec AV detection
RawPOS              2.10.13          2.18.14
Rdasrv              –                6.6.14
BrutPOS             3.1.14           3.12.14
BlackPOS v2         8.29.14          12.19.13
JackPOS             2.1.14           2.8.14
Backoff             3.20.14          7.31.14
LusyPOS             12.1.14          12.12.12
GetMyPass           11.26.14         11.27.14
Soraya              6.1.14           6.4.14
Alina (Kaptoxa)     –                2.10.13
Dexter              12.11.13         12.12.12
vSkimmer            3.21.13          1.26.13
Decebal             1.3.14           9.11.14
NewPoSThings        9.4.14           –
BlackPOS (Kaptoxa)  –                3.29.13
ChewBacca           10.1.13          12.18.13

Where the AV detection date precedes the observation date, an existing signature for the parent family already covered the new sample (LusyPOS, for example, is commonly detected as Infostealer.Dexter).
Alina
Dozens of variants of Alina have been seen in the wild. Alina is an older family, developed in early 2012 but still showing signs of active development. It contacts its C2 right after installation and can be detected by looking for a missing parenthesis in its User-Agent string, a minor but noticeable pattern. Its C2 server also answers with an HTTP response code of “666” where a normal server would return “200”. This return code is user-editable in the malware configuration, though, so it may produce false positives if used alone. The good news: not many criminals who buy this malware bother to change it.
Like many of the families discussed in more detail in this whitepaper, Alina searches running processes for credit card Track 1 and Track 2 data, then uses HTTP to exfiltrate the stolen data and fetch updates to itself. Several of the C2 servers it communicates with are shared with the JackPOS malware, linking the two in a way that is not yet fully understood.
Researchers have reported a number of references to an active bitcoin wallet address.[2] The wallet address has existed since August 2013, although it does not appear to have been actively used during the lifetime of this malware.
BlackPOS
Like most POS malware, BlackPOS steals the Track 1 and Track 2 data stored on a card’s magnetic stripe. Rather than sending it out directly, it copies the data to another compromised server inside the organization. This serves evasion and necessity alike: POS systems almost never have, nor should they have, direct Internet access. Once enough data has accumulated on that staging server, it is exfiltrated to a C2 server, usually a PHP application posing as a “forum post” receiver, using RC4 encryption over HTTP. An RC4 key of “B0tswanaRul3z” has been observed in many samples. The malware updates itself from this server as well.
Criminals make the malware as easy to use as possible, even building full-featured admin panels, as shown in Figure 1 for BlackPOS.
Figure 1: BlackPOS admin panel (Source: Group-IB)[3]
vSkimmer
vSkimmer has been around for some time; it appears to have been written in 2012 and was discovered in March 2013, when criminals advertised it for sale on web forums. As with many POS malware families, vSkimmer looks in the memory of running processes for Track 2 formatted data matching a specific pattern:
;?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}\??
Reading it left to right: an optional start sentinel “;”, a 13- to 20-digit run beginning with 3 through 9 (the PAN), a field separator of “D”, “=” or “a” (\u0061), then 10 to 30 digits of expiry date, service code and discretionary data, and an optional end sentinel “?”. This family uses HTTP to exfiltrate its stolen data and can be configured to copy the data to a USB device with a pre-defined volume name if no Internet connection is available. Its C2 connections are easy to spot on the network: requests of the form http://{ip address}/admin/api/process.php?xy= followed by a Base64 encoded string containing ‘|az|#.#.#|#.#.#|text|text|0’.
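The memory scraping described in the Evolving POS Malware section and the vSkimmer pattern above, as an added example that is not code from the whitepaper or from any malware family it names: a Python scanner that runs vSkimmer’s loose pattern (with the quantifier written as {10,30} and \u0061 written as the literal “a” it denotes, since Python bytes patterns reject \u escapes) beside stricter Track 1/Track 2 patterns that require the stripe framing and a Luhn check. The buffer standing in for POS process memory, the cardholder name and the discretionary data are constructed; 4111111111111111 is a well-known test PAN, not a real card.

```python
import re

# vSkimmer's Track 2 pattern from the text. Note how loose it is: no sentinels are
# required, so any 13-20 digit run starting 3-9, followed by '=' and ten more digits,
# will match, card data or not.
VSKIMMER_TRACK2 = re.compile(rb";?[3-9]{1}[0-9]{12,19}[D=a][0-9]{10,30}\??")

# Stricter patterns that require the stripe framing (ISO/IEC 7813):
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%B(?P<pan>[3-6][0-9]{12,18})\^(?P<name>[^^]{2,26})\^"
    rb"(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[^?]{0,30})\?"
)
TRACK2 = re.compile(
    rb";(?P<pan>[3-6][0-9]{12,18})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]{0,20})\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; a scraper (or a hunter) uses it to drop digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule) when reporting a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return framed Track 1/Track 2 hits found in buf, tagged with whether the PAN passes Luhn."""
    hits = []
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode()
            hits.append({
                "kind": kind,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group("exp").decode(),        # YYMM
                "service_code": m.group("svc").decode(),
                "luhn_ok": luhn_ok(pan),
            })
    return sorted(hits, key=lambda h: h["offset"])


def loose_hits(buf: bytes) -> list:
    """What vSkimmer's own pattern would pick up from the same buffer."""
    return [m.group(0) for m in VSKIMMER_TRACK2.finditer(buf)]


# Constructed stand-in for a POS process memory dump (not a real capture). The third record
# is the test PAN with a typo so Luhn fails; the last is a digit run that is not card data.
SAMPLE_MEMORY = (
    b"\x00\x00POS.EXE\x00heap garbage\x00"
    b";4111111111111111=25121011234567890?"                # Track 2, valid PAN
    b"\x00\x00more garbage\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000?"      # Track 1 for the same card
    b"\x00"
    b";4111111111111112=2512101123?"                       # Track 2 shape, PAN fails Luhn
    b"\x00"
    b"order=3141592653589793=1234567890123"                # matches vSkimmer's loose pattern only
)

if __name__ == "__main__":
    print("loose pattern hits:", len(loose_hits(SAMPLE_MEMORY)))
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

On the constructed buffer the loose pattern fires three times, including on the non-card digit run, while the framed patterns return the two real stripe records plus the typo’d one flagged as failing Luhn. The same trade-off applies when hunting for scraper output on disk or in exfiltration traffic: framing and Luhn cut false positives, but malware that strips sentinels before staging will only be caught by the looser form.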
Just as with BlackPOS, vSkimmer has an easy-to-use command interface, as shown in Figures 2 and 3. This keeps the barrier to entry low and lets criminals with little skill still succeed at stealing credit and debit card information.
Figure 2: vSkimmer bot control panel (Source: McAfee)[4]
Figure 3: vSkimmer terminal browser (Source: McAfee)[4]
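The network indicators given for Alina (unbalanced parenthesis in the User-Agent, HTTP status 666), BlackPOS (RC4-encrypted POST bodies with the key B0tswanaRul3z) and vSkimmer (process.php?xy= check-ins carrying a Base64 string with the |az| fields) combined into one triage routine, as an added example rather than MSS signature content. The record format, the hosts and paths, and the four transactions are constructed for illustration; RC4 is written out inline because the point is trial decryption with a reused key.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Indicators taken from the text. The BlackPOS key is the commonly observed one, not a constant
# of the family; a sample using a different key will simply not decrypt to anything readable.
BLACKPOS_RC4_KEY = b"B0tswanaRul3z"
VSKIMMER_PATH = "/admin/api/process.php"
VSKIMMER_CHECKIN = re.compile(r"\|az\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|")   # |az|#.#.#|#.#.#|
TRACK2_LOOSE = re.compile(rb"[0-9]{13,19}=[0-9]{7}")                    # PAN=YYMM+service code


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def vskimmer_checkin(url: str) -> bool:
    """True if the URL is a process.php?xy=<base64> check-in whose payload has the |az| fields."""
    u = urlparse(url)
    if u.path != VSKIMMER_PATH:
        return False
    xy = parse_qs(u.query).get("xy", [""])[0]
    try:
        decoded = base64.b64decode(xy, validate=True).decode("latin-1")
    except ValueError:          # binascii.Error is a ValueError; junk in xy= is not a check-in
        return False
    return bool(VSKIMMER_CHECKIN.search(decoded))


def analyse(rec: dict) -> list:
    """Return the reasons one HTTP transaction record looks like POS malware traffic."""
    reasons = []
    if rec["ua"].count("(") != rec["ua"].count(")"):
        reasons.append("alina: unbalanced parenthesis in User-Agent")
    if rec["status"] == 666:
        reasons.append("alina: HTTP status 666 from C2 (weak on its own; operator-configurable)")
    if vskimmer_checkin(rec["url"]):
        reasons.append("vskimmer: process.php?xy= check-in with |az| fields")
    if rec["method"] == "POST" and urlparse(rec["url"]).path.endswith(".php") and rec["body"]:
        # Trial-decrypt with the reused key; a readable Track 2 shape confirms exfiltration.
        if TRACK2_LOOSE.search(rc4(BLACKPOS_RC4_KEY, rec["body"])):
            reasons.append("blackpos: POST body decrypts under B0tswanaRul3z to Track 2 data")
    return reasons


def triage(records: list) -> dict:
    """Map record id -> reasons, for records that raised at least one."""
    flagged = {}
    for rec in records:
        reasons = analyse(rec)
        if reasons:
            flagged[rec["id"]] = reasons
    return flagged


NORMAL_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0"
# Constructed transaction records (hosts, paths and field names are invented for the example).
RECORDS = [
    {"id": "r1", "method": "GET", "url": "http://203.0.113.10/forum/index.php", "status": 666,
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1", "body": b""},
    {"id": "r2", "method": "GET", "url": "http://www.example.com/news/", "status": 200,
     "ua": NORMAL_UA, "body": b""},
    {"id": "r3", "method": "GET",
     "url": "http://198.51.100.7" + VSKIMMER_PATH + "?" +
            urlencode({"xy": base64.b64encode(b"LANE-03|az|1.0.2|6.1.7600|text|text|0").decode()}),
     "status": 200, "ua": NORMAL_UA, "body": b""},
    {"id": "r4", "method": "POST", "url": "http://10.20.30.5/forum/post.php", "status": 200,
     "ua": NORMAL_UA,
     "body": rc4(BLACKPOS_RC4_KEY, b";4111111111111111=25121011234567890?")},
]

if __name__ == "__main__":
    for rec_id, reasons in triage(RECORDS).items():
        print(rec_id, reasons)
```

The Alina checks are deliberately split: the User-Agent defect is the stronger signal, and status 666 only adds weight because the text says operators can change it. The BlackPOS check is a confirmation step rather than a detector; run it on POST bodies that other rules (unusual destination, PHP receiver on an internal host) have already made suspicious.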
Breaching the Perimeter
Malware that targets POS systems relies on many of the same highly effective infection vectors and techniques as generic malware. Many POS systems are built on widely available commercial operating systems and standard hardware, which simplifies the development and distribution of POS malware. Easy-to-use interfaces and the ability to buy the malware online in minutes mean a low barrier to entry for criminals.
The following are some of the most common infection vectors facing retailers using POS systems today:
Phishing Email – One of the most prevalent methods of malware distribution and attack orchestration facing individuals and businesses alike, phishing preys on the human factor and delivers excellent results for attackers. With an enticing lure, users are tricked into clicking a link or opening an attachment, compromising the host computer. Even POS systems without Internet or email access are at risk from phishing, through their proximity to infected, Internet-connected desktop PCs and servers.
Remote Access Abuse – Another route into the retail environment is the abuse of legitimate remote access services already in place. Many POS systems run remote desktop and remote administration tools that simplify management. Attackers often use default or weak credentials to access POS systems once they find them on the organization’s network. Such credentials can also be stolen from other infected machines or businesses, including the POS hardware vendors and contractors a retailer employs.
Unpatched or Outdated Software Exploitation – POS systems that are not patched regularly, or that are kept in service past end of life, pose a major risk of infection. Attackers routinely scan for vulnerabilities and misconfigurations, both directly from the Internet and from elsewhere inside a compromised organization, and exploit the gaps they find to deliver malware to endpoints.
POS malware rarely works alone; it is usually found alongside a separate exfiltration component, because POS systems are seldom exposed to the Internet directly and criminals need help getting the stolen data out. Since an infection therefore involves two or more pieces of malware, defenders get more than one opportunity to discover it.
Mitigation and Best Practices
Defending against POS malware is a complex, multi-faceted process. Steps can be taken at almost every level of an organization to minimize the chances of initial infection, lateral spread of malware and exfiltration of sensitive data. The mitigation techniques below are a collection of best practices that will assist in securing a business against a POS malware infection and the resulting breach.
Mitigation Techniques
• Harden remote accessibility on POS systems – Proper credential management (implementation of least privilege), disuse of factory default passwords on POS devices, general password complexity requirements, disabling of remote access services where possible and limiting the visibility of remote access interfaces/ports.
• Implement endpoint security software and secure configurations – Employ antivirus software and, where applicable, application whitelisting. This may catch known malware samples, stop suspicious behavior and prevent unauthorized applications from executing on a POS system. Systems should also be configured for their roles, including disabling operating system functionality not appropriate for a POS device (e.g., autorun, unapproved USB devices, startup/registry modifications).
• Train POS system users and limit activity – Systems responsible for the collection of customer financial data should be used only for their intended function; users of these systems should not have Internet access, the ability to read email or a way to execute downloaded programs. Corporate compliance requirements and information security policies should be strictly adhered to on POS systems.
• Ensure effective monitoring of all portions of the network – In the event of an attack or compromise, the ability to monitor the attack and respond quickly will limit sensitive data leakage. Including both POS systems and the surrounding infrastructure in monitoring is crucial.
• Employ proper network segmentation and filtering – POS networks should be segregated from the rest of the network, with the intent of limiting exposure to both the Internet and unrelated systems. Data loss prevention filtering may also prevent data from being exfiltrated from the organization.
• Comply with PCI requirements and security best practices – All customer financial data should be handled according to compliance standards. All sensitive data should be encrypted and sent securely between approved systems.
• Keep equipment and payment technology up to date – Obsolete and end-of-life POS equipment should be retired in favor of modern, vendor-supported systems (i.e., new payment technologies with additional security measures).
“A global Symantec study shows that a majority of employees think it is acceptable to transfer corporate data outside the company and they never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations.”[5]
– Symantec, Feb. 6, 2013
Detection
Detecting POS malware is accomplished in much the same way as detecting traditional malware on desktop and server systems. However, POS systems face unique challenges when it comes to available security tools. Securing computers and networks is usually accomplished with antivirus, perimeter security devices and monitoring teams, yet many POS systems don’t receive the same level of scrutiny, resulting in exploitation and eventual infection.
General Detection Mechanisms for POS Systems
• Endpoint antivirus software sensitive to suspicious applications and known malware samples may prevent or complicate infection by an attacker. Such software may block the activity and report it to a central security system.
• Network traffic monitoring may highlight brute force access attempts, remote access sessions, C2 communications and data exfiltration via anomaly detection. POS systems should be included in monitored network segments and protected by the same devices in place for more traditional systems.
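The network monitoring and segmentation controls described in the Mitigation and Detection sections, as an added example and not a Symantec MSS rule: a flow audit for a POS segment with an explicit allowlist of the only services POS hosts should reach. It flags direct Internet egress, FTP and Tor ports (the exfiltration and C2 channels listed for BlackPOS, BrutPOS, ChewBacca and LusyPOS), lateral connections to internal hosts outside the allowlist, and RDP bursts against POS hosts of the kind BrutPOS produces. The VLAN, allowlist hosts, thresholds and flow records are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (constructed for the example): the POS VLAN and the only services its hosts
# should ever reach. Anything else originating from a POS host is a segmentation violation.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED = {
    "10.10.5.20": {443},                 # local transaction server
    "10.10.5.30": {53, 88, 389, 445},    # domain controller
    "10.10.5.40": {8530},                # patch server
}
# RFC 1918 space; Python's ip_address.is_private also covers the documentation ranges used
# below as stand-ins for Internet hosts, so the check is made explicit here.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUSPICIOUS_PORTS = {21: "ftp", 9001: "tor-orport", 9030: "tor-dirport"}
RDP_PORT = 3389
RDP_BURST, RDP_WINDOW = 5, 60            # >= 5 RDP attempts at POS hosts from one source in 60 s


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL)


def audit(flows: list) -> list:
    """flows: (timestamp_seconds, src, dst, dport). Returns (ts, src, dst, dport, [reasons])."""
    alerts = []
    rdp_attempts = defaultdict(list)
    for ts, src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport == RDP_PORT and d in POS_SEGMENT:
            rdp_attempts[src].append(ts)      # inbound RDP is counted regardless of source
        if s not in POS_SEGMENT:
            continue                          # only POS-originated traffic is policed here
        reasons = []
        if not is_internal(d):
            reasons.append("internet-egress")     # POS hosts should never reach the Internet directly
        elif dport not in ALLOWED.get(dst, set()):
            reasons.append("not-in-allowlist")    # lateral movement or an internal staging host
        if dport in SUSPICIOUS_PORTS:
            reasons.append(SUSPICIOUS_PORTS[dport])
        if reasons:
            alerts.append((ts, src, dst, dport, reasons))
    for src, times in rdp_attempts.items():
        times.sort()
        for i in range(len(times) - RDP_BURST + 1):
            if times[i + RDP_BURST - 1] - times[i] <= RDP_WINDOW:
                alerts.append((times[i], src, "POS segment", RDP_PORT, ["rdp-burst"]))
                break                         # one alert per source
    return sorted(alerts, key=lambda a: a[0])


# Constructed flow records; 203.0.113.9 and 198.51.100.4 stand in for Internet hosts.
FLOWS = [
    (0,  "10.50.0.11", "10.10.5.20", 443),      # normal: authorization to the transaction server
    (5,  "10.50.0.11", "10.10.5.30", 445),      # normal: domain controller
    (20, "10.50.0.12", "10.10.5.21", 445),      # SMB to an unlisted internal host (BlackPOS-style staging)
    (30, "10.50.0.12", "203.0.113.9", 21),      # FTP straight to the Internet (BlackPOS/BrutPOS exfil)
    (31, "10.50.0.13", "198.51.100.4", 9001),   # Tor (ChewBacca/LusyPOS C2)
] + [(40 + n, "10.20.0.99", "10.50.0.14", 3389) for n in range(6)]   # RDP guessing from a desktop (BrutPOS)

if __name__ == "__main__":
    for alert in audit(FLOWS):
        print(alert)
```

Two design points carry over to production. First, the allowlist is per destination and port, not per subnet: a POS host talking SMB to a domain controller is normal, the same host talking SMB to a neighbouring server is the staging pattern BlackPOS uses. Second, the RDP rule counts attempts into the POS segment from any source, because the brute force usually comes from an already compromised corporate desktop rather than from the Internet.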
Symantec™ Cyber Security Services: Managed Security Services (MSS) Detection
• Symantec consumes security intelligence on a wide variety of threats from numerous internal and external locations, sensors and partners around the world. When new POS malware is discovered, detection is implemented quickly both in endpoint products and through the MSS service.
• All available indicators of compromise involving POS malware are implemented and alerted on for all affected customers. In many cases, historical detections based on stored log data (up to 92 days) are performed to discover previously unknown malware activity.
• POS malware signatures released by vendors supported by Symantec MSS are automatically loaded into our system and used to generate incidents. Such detection varies by security device vendor, but is used as often as possible to enhance MSS coverage.
• All malware families listed in this report are represented in current MSS signature sets. They are updated constantly as new malware samples and attack infrastructure are discovered. As these malware variants and their creators evolve, both Symantec and other security vendors continuously release new indicators of compromise.
References
[1] Ponemon and Symantec Find Most Data Breaches Caused by Human and System Errors. http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01
[2] Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns. http://pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf
[3] Exclusive – Details on Investigation of Group-IB on New Age of POS Malware. http://www.group-ib.com/index.php/o-kompanii/176-news/?view=article&id=716
[4] VSkimmer Botnet Targets Credit Card Payment Terminals. http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals
[5] Symantec Study Shows Employees Steal Corporate Data and Don’t Believe It’s Wrong. http://www.symantec.com/about/news/release/article.jsp?prid=20130206_01