POS (Point of Sale) intrusion attacks have become a major trend over the last year. Cyber-criminals keep improving their methods to target innocent victims. Instead of infecting thousands of individual computers, they can now get the same return by attacking just a few POS systems with specially designed malware, which is why POS malware attacks are on the rise. Well-known victims include Goodwill, Target, Neiman Marcus, White Lodging, Michaels and The UPS Store.
These attacks showed the real threat that POS devices pose to the retail marketplace. Small businesses are particularly vulnerable, so strengthening system security has become even more important.
How does a POS intrusion happen?
A POS intrusion targets the moment a card is swiped at a terminal in a retail store or mall, or the moment an e-commerce transaction is processed. The most common methods behind these attacks have been brute-force attacks, stolen credentials and RAM-scraping malware.
Most POS systems are Windows-based, which makes it comparatively simple to write malware that runs on them. They are also exposed to attack because the devices are reachable from the internet and are often protected only by weak passwords. Over the last year, four different POS threats have come to notice: Chewbacca, Dexter, RAM scrapers and, most recently, Backoff.
Chewbacca malware runs on Microsoft Windows. It uses keylogging and memory scraping/parsing functionality to carry out the attack. Chewbacca installs a copy of itself in the Windows startup folder under the file name “spoolsv.exe” (the name of the legitimate Windows print spooler, which lives in the System32 directory, so a copy of that name in the startup folder is the indicator to look for). Because it currently has no further persistence mechanism, deleting the malicious spoolsv.exe executable and rebooting the infected machine removes the malware.
The Dexter malware is injected into files hosted on Windows servers. It reads the process list of the infected machine, looking for Track 1 / Track 2 credit card data. Cyber-criminals use this data to clone the credit cards used on the targeted POS device.
RAM scraper malware is designed specifically to scrape RAM and obtain payment details such as card numbers, usernames, addresses, security codes and the rest of the Track 1 / Track 2 credit card data.
Backoff, by contrast, is injected into explorer.exe. It scrapes memory on infected POS systems in search of track data and also uses keylogging functionality. Additionally, Backoff has a C2 component that uploads stolen data to the attacker’s server, updates the malware, and downloads, executes and installs further malware.
POS malware exploits a gap in how card data is handled: the data is encrypted when it is sent for payment authorization, but it is not encrypted at the moment the card is swiped at the retail store. Cyber-criminals first exploited this gap in 2005, when 170 million card numbers were stolen.
What Should a Retailer Do?
- Retail companies must use reliable antivirus software to keep their POS systems free of infection.
- Retail companies must keep all software running on customer-facing networks up to date with the latest security patches and software updates.
- Retailers should set a strong password on every POS device and replace the default ones; passwords must be changed regularly.
- Retail companies should also protect remote-access connections with two-factor authentication.
- The PCI Council recommended that companies use card-processing devices that encrypt data immediately after it is captured.