Looking Back (and Forward) at PoS Malware

2014 became the year that placed PoS (point-of-sale) threats in the spotlight. Make no mistake—PoS threats have existed for years. However, the Target data breach last January was the first incident that made the general public notice this threat.

2014: the Year of PoS Malware

While the Target breach may have been the first PoS-related incident of 2014, it soon became clear that it would not be the last. By the end of the third quarter of 2014, six new variants of PoS RAM scraper malware had been found, the same number of variants found between 2011 and 2013 combined.

What makes this development more interesting is that these new variants either borrowed functionality from their predecessors or are direct evolutions of older PoS RAM scraper families. Backoff, for example, is a successor of Alina. Backoff was reported to have been used in attacks against Dairy Queen and United Parcel Service (UPS).

This is not to say that these were the only variants active in 2014. The much-publicized breach at Home Depot was linked to a known PoS family called BlackPoS, the same malware family used in the Target data breach. PoS malware was also spotted right before Thanksgiving weekend in the US, the weekend known for holiday shopping. Another PoS malware, called LusyPoS, was seen in Russian underground forums.

PoS-related Activities in the Underground

Due to the growing popularity of PoS RAM scrapers as a tool for quick monetary gain, development kits promptly started surfacing in the cybercriminal underground. One such tool is VSkimmer, a builder tool for PoS RAM scrapers that emerged in 2013.

After stealing credit card data with RAM scrapers, most scammers then proceed to sell the stolen cards in batches on forums. Transactions are completed using Bitcoin, Western Union, MoneyGram, Ukash, and WebMoney, among others, as these offer convenience and anonymity to both buyers and sellers.

Much like legitimate businesses, supply and demand affects the underground heavily. Different card brands have different unit prices in the underground carder marketplace based on availability and demand. Buying credit card data in bulk reduces the unit price, in some cases by up to 66%.

One curious discovery is that Discover and American Express (AMEX) cards command a higher unit price than Visa and MasterCard cards. The likely explanation is scarcity: AMEX and Discover card data is harder to come by than the commonly found Visa and MasterCard data, and rarer data costs more. Beyond availability, however, there is no definitive reason why AMEX and Discover card data is seen as more lucrative.

Expanded Targets

The expansion of PoS-related activities in 2014 also saw the expansion of targets. Scammers have already ventured outside the shopping mall to hit newer targets like airports, metro stations, and parking lots.

Researchers from security firm Census presented data about PoS attacks targeting travelers at airports. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, and similar devices. The researchers were able to craft a simple attack that allowed them to scrape passenger information from these kiosks. Security firm IntelCrawler described a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionality.

Parking lots and garages became a popular target for scammers looking to steal payment information. A U.S. parking facility service provider suffered a compromise of the payment processing systems at 17 of its parking facilities. Another parking service, Park ‘N Fly, also suffered a data breach in which the stolen information was used in fraud schemes. A third, onestopparking.com, fell victim to the cybercrime gang behind the Target and Home Depot breaches.

The Future of PoS Attacks

So what does the future hold for PoS attacks?

With PoS RAM scrapers now prominent threats, big businesses will be investing heavily in cybersecurity to prevent targeted attacks of this type. Cybercriminals will thus refocus on small and medium-sized businesses (SMBs), which may not have the security budgets that enterprises can devote to preventing PoS breaches. We expect a high volume of SMB compromises; collectively, these may account for more stolen card data than the compromise of any single enterprise.

The implementation of new measures such as the Europay, MasterCard and Visa (EMV) chip card standard and the PCI DSS v3.0 compliance requirements will significantly change the PoS playing field for cybercriminals. Both measures will be in full effect by October 2015, when the US EMV liability shift takes place. Expect a decline in PoS data breaches while cybercriminals work out efficient ways into the upgraded systems and environments. It may take them several months, possibly well into mid-2016, before they can fully breach PoS environments again.

Given all of the above, cybercriminals are sure to find new methods for data breaches via third-party vendors who have access to enterprise/corporate networks. These will remain the weakest link in the chain and the ones which will be exploited the most as they will not have the same level of security as enterprises.

Law enforcement agencies have put considerable focus on investigating these data breaches, but so far no major arrests have been made. Expect some of these agencies to close their investigations and make arrests that will make headlines.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 21 January 2015; the full text is available from the content source above.