Understanding PoS Malware Infecting Retailers

Posted on by Fahmida Y. Rashid

By now you should be aware that cyber-criminals have struck at home improvement giant Home Depot and walked off with payment card details for millions of shoppers.

Brian Krebs, who first reported the breach on Tuesday, believes nearly every single Home Depot location has been affected, and that attackers have been stealing payment card details for several months. If true, the breach at Home Depot will eclipse Target’s in the number of shoppers impacted.

It seems as if we have a new retailer coming forward every week, one piece of bad news after another. Target, Neiman Marcus, Michaels, UPS, P.F. Chang’s, to name a few, and we now have Home Depot. (And Goodwill, apparently.) In every single one of these breaches, malware had infected the point-of-sale (PoS) systems and siphoned off credit card and debit card information. The malware was different in each case; Target was infected with BlackPOS and UPS was infected with Backoff. We don’t know yet what was behind Home Depot.

"We [the research community] are waiting for someone to leak the sample," said Numaan Huq, a senior threat researcher at Trend Micro’s Forward-Looking Threat Research (FTR) Team. Researchers expect to see a sample appear within the next 24-48 hours, which is about the length of time it took malware samples from earlier breaches to come to light, he said.

Huq spoke about PoS malware at the RSA Conference this past February. I caught up with him Wednesday for updates on his research and insights on what organizations are up against.

"I have been doing a lot of research on PoS malware since February," Huq said. "There is a high number of new PoS malware that’s come out."

New, But Old, Too

These new families are reusing code and copying functionality from older families, Huq found. One sample he found was "a clone" of BlackPOS that had been updated with a faster search function. Even Backoff, the malware implicated in the breaches at UPS and 1,000 other retailers, borrowed heavily from the older Alina.

Don’t make the mistake of thinking that PoS malware must be highly sophisticated and advanced. "It’s actually a simple malware," Huq says, as its primary goal is to get into the network by any means possible, search for credit card information, and transfer it out of the network. Some newer variants may encrypt the stolen files before moving them out, to foil data leak prevention systems and similar tools that look for sensitive data. PoS malware is available on criminal forums for as little as $1,500 to $2,000, he noted.

Source code for some of the older malware, such as Decibel and BlackPOS, has been leaked, which means anyone with some technical skill can grab the code. There are also WYSIWYG (What You See Is What You Get) toolkits. "You can build your own PoS malware in 30 seconds," Huq said.

"They don’t need to have fancy techniques because they are making lots of money with what they have right now," Huq said.

Talking Defenses

PoS malware isn’t new—there were attacks against hotels back in 2011. What is different now is the fact that attackers are targeting national brands instead of small businesses, Huq said. The criminal groups behind most of the PoS malware families are based out of Russia, Ukraine, and Romania. There is a lot of advance planning, but the payoff is tremendous for the criminals, he said.

PoS malware is really popular among cyber-criminals right now, so all organizations processing card payments—not just merchants—have to take steps to protect themselves. Larger ones that can afford it should add intrusion prevention/detection systems and breach detection tools to their existing defenses. Both large and small enterprises should be whitelisting their PoS systems and restricting how they can be used. Huq described how he saw a cashier at a small corner grocery store checking her email when she wasn’t ringing up purchases. "That was worrying," he said.

Organizations need to also check for existing infections. UPS reportedly checked its networks as soon as the Department of Homeland Security issued an alert about Backoff. Experts believe the breach was limited because UPS acted so promptly.

One way to do so is to monitor the network for abnormal activity, such as files being moved and connections to unknown IP addresses and servers. "This is a really difficult problem," Huq said, noting that enterprises with thousands of systems will have a lot of data to sift through. "None of this is easy to do."
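As an added illustration of the monitoring Huq describes (this is not code from the article or from Trend Micro), the Python script below runs a simple allowlist check over a few constructed connection-log lines from PoS lanes: any lane that talks to a destination outside the expected payment-switch and store-server range, or that pushes an unusually large volume outbound, is flagged. The log format, host names, addresses and the 10.20.0.0/24 "known" range are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample export (not real traffic): timestamp, PoS host, dst IP, dst port, bytes out
SAMPLE_LOG = """\
2014-09-10T12:01:05 pos-lane-07 10.20.0.5 443 1820
2014-09-10T12:01:09 pos-lane-07 10.20.0.9 8443 960
2014-09-10T12:02:41 pos-lane-07 203.0.113.42 443 5242880
2014-09-10T12:03:02 pos-lane-12 10.20.0.5 443 1540
2014-09-10T12:03:30 pos-lane-12 198.51.100.7 21 120
2014-09-10T12:04:00 pos-lane-03 10.20.0.9 8443 1003
"""

# Destinations a PoS lane is expected to reach (assumed: payment switch and store server subnet)
KNOWN_DESTINATIONS = [ipaddress.ip_network("10.20.0.0/24")]


def parse(log_text):
    """Yield (timestamp, host, dst_ip, dst_port, bytes_out) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        yield ts, host, ipaddress.ip_address(dst), int(port), int(nbytes)


def is_known(dst):
    return any(dst in net for net in KNOWN_DESTINATIONS)


def find_suspicious(log_text, byte_threshold=1_000_000):
    """Return alerts for PoS hosts contacting unexpected destinations or
    sending unusually large outbound volumes (possible card-data exfiltration)."""
    alerts = []
    outbound = defaultdict(int)  # total bytes sent per (host, destination)
    for ts, host, dst, port, nbytes in parse(log_text):
        outbound[(host, str(dst))] += nbytes
        if not is_known(dst):
            alerts.append((host, str(dst), port, "unexpected destination"))
    for (host, dst), total in outbound.items():
        if total >= byte_threshold:
            alerts.append((host, dst, None, f"large outbound volume ({total} bytes)"))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

On the sample above, lane 07 is flagged twice (an unknown destination and a 5 MB push to it) and lane 12 once for an FTP connection to an unknown host; a real deployment would feed exported flow or firewall logs through the same check and tune the threshold per site.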

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
