Quick overview of the PoS Malware
In the past two years, stories of data breaches affecting companies’ PoS systems have kept everyone talking. The media hype was sparked when a PoS RAM scraper was blamed for the 148 million-dollar Target breach in 2014, but few expected this class of malware to evolve into something more sophisticated and stealthy than the malware du jour.
Dubbed “Operation Black Atlas”, the broad-targeted campaign uses various known exploits and entry points to reach as many victims as possible, as opposed to going after individual users via social engineering or spear phishing attacks. This time, attackers have stepped up their game, introducing a new player in the data exfiltration process: the Gorynych botnet. Its primary role is to transfer stolen credit card data to outside servers, but it also evades defensive software and installs malicious payloads such as BlackPOS, CenterPOS, Project Hook, and PwnPOS.
Using security tools that are readily available online, Black Atlas can easily overwhelm a small business’s cyber defenses.
“Operation Black Atlas has already spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop”, Trend Micro said in a blog post. “It continues to spread across small and medium-sized businesses across the globe”.
This is only one of the latest in a series of attacks that have plagued small and medium-sized companies this year. Unfortunately, SMBs remained primary attack targets in 2015. In the third quarter, they represented 45 percent of the incidents involving PoS malware, according to a report.
Quick overview of the most dangerous PoS threats exposed by security experts in 2015:
- NitlovePOS – captures and exfiltrates payment card data by scanning the running processes of a compromised machine. It then sends this data to a web server over SSL. (May 2015)
- Katrina – the latest version of Alina, a prolific and well-known PoS RAM scraper first discovered in 2012; it was first spotted in underground forums in June 2015.
- FighterPoS – affected more than 100 victim organizations in Brazil and stole 22,000 unique credit card numbers. (April 2015)
- MalumPoS – has collected data from PoS systems running on Oracle® MICROS®, a platform widely used in the hospitality, food and beverage, and retail industries. It is configurable to target other systems such as Oracle Forms or Shift4 systems. (June 2015)
- GamaPoS – spreads through the Andromeda botnet and targets a wide range of industries: pet care, theatre, furniture wholesale, home health care, online market stores, retail, records storage facilities, employment agencies, credit unions, restaurants, software developers for insurance and telecom, and industrial supply distributors.
- Poseidon – communicates directly with command-and-control servers, self-updates to execute new code, and has self-protection mechanisms guarding against reverse engineering.
- ModPOS – highly modular malware (uploader/downloader, keylogger, RAM scraper, plugin installer) that uses multiple methods of obfuscation and encryption to evade even the most sophisticated security controls (alleged victims: Hilton and Starwood hotels).
How to strengthen security defenses?
Identifying and mitigating a point-of-sale breach is extremely difficult, which is why IT administrators should stay up to date with the latest developments in PoS malware and focus on prevention. In 2016, innovative cybercriminals will figure out new ways to exploit holes found in PCI DSS requirements and breach systems by crafting new data-gathering and exfiltration techniques.
And despite having limited in-house resources compared to larger organizations, SMBs must tackle the same advanced cyber-threats.
Here are ten practical steps to make sure your company stays breach-free in the coming year:
- Practice network segmentation via firewalls and isolate the cardholder data environment from the Internet.
- Monitor the network: it helps keep your business healthy, so regularly assess the system’s risks and vulnerabilities.
- Change default system passwords and use two-factor authentication for remote systems.
- Use a multi-layered endpoint security program with strong malware protection such as Comodo Endpoint Security Manager or Bitdefender GravityZone.
- Use intrusion detection software at critical points to detect abnormal behavior on the network.
- Encrypt transmission of cardholder data across open, public networks.
- Do not store sensitive authentication data.
- Maintain strict policies and educate employees on dangerous behavior when handling company software and hardware.
- Perform regular penetration testing of all systems and patch vulnerabilities as soon as possible.
- If possible, employ system integrity monitoring together with application whitelisting technology to control which applications can run on your network.
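The intrusion-detection step above, together with the RAM-scraper behavior described for NitlovePOS (scanning processes for card data and posting it to a web server), can be illustrated with a small egress-side check: look for magnetic-stripe track 1/track 2 records in outbound request bodies and keep only hits whose PAN passes the Luhn check, so that order numbers and other digit runs do not raise alerts. The Python below is an added example, not code from this article or from any vendor named in it; the log format and the sample lines are constructed (the PANs are the well-known Visa and American Express test numbers, not real cards), and a scraper posting over SSL would be invisible to it unless TLS is inspected at the egress point.

```python
"""Heuristic detector for magnetic-stripe track data in outbound traffic logs.

Added example, not part of the original article. Assumes a constructed,
plaintext log of outbound HTTP POST bodies in a hypothetical format:
    "<timestamp> <src> -> <dst> POST <path> body=<...>"
"""
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?  (';' sentinel is often dropped)
TRACK2_RE = re.compile(r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})")
DST_RE = re.compile(r"-> (\S+)")

# Constructed sample log lines (not real traffic). Line 2 and 3 carry track-style
# records built from public test PANs; line 4 is a 16-digit order reference that
# fails the Luhn check and must NOT be reported.
LOGS = [
    "2015-12-01T10:00:01Z 10.10.5.21 -> 203.0.113.10 POST /api/heartbeat body=status=ok&uptime=86400",
    "2015-12-01T10:00:07Z 10.10.5.21 -> 198.51.100.77 POST /upload.php body=;4111111111111111=2512101000000000000?",
    "2015-12-01T10:00:09Z 10.10.5.21 -> 198.51.100.77 POST /upload.php body=%B378282246310005^DOE/JANE^2512101000000?",
    "2015-12-01T10:00:11Z 10.10.5.22 -> 203.0.113.10 POST /orders body=ref=4111111111111112=2512101",
]


@dataclass(frozen=True)
class Alert:
    line_no: int     # 1-based index into the scanned log
    track: str       # "track1" or "track2"
    masked_pan: str  # first 6 and last 4 digits only; never log a full PAN
    dst: str         # destination host seen in the log line


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list[tuple[str, str]]:
    """Return (track_type, pan) for every track-shaped record with a Luhn-valid PAN."""
    hits = [("track1", m.group("pan")) for m in TRACK1_RE.finditer(text)]
    hits += [("track2", m.group("pan")) for m in TRACK2_RE.finditer(text)]
    return [(track, pan) for track, pan in hits if luhn_ok(pan)]


def scan_lines(lines: list[str]) -> list[Alert]:
    """Scan log lines and produce one masked alert per detected track record."""
    alerts = []
    for n, line in enumerate(lines, 1):
        dst_match = DST_RE.search(line)
        dst = dst_match.group(1) if dst_match else "?"
        for track, pan in find_track_data(line):
            alerts.append(Alert(n, track, mask_pan(pan), dst))
    return alerts


if __name__ == "__main__":
    for a in scan_lines(LOGS):
        print(f"line {a.line_no}: {a.track} record for PAN {a.masked_pan} sent to {a.dst}")
```

Two alerts come out of the constructed sample, both pointing at the same external host, while the Luhn-failing order reference on the last line is silently dropped; in a real deployment the masked alerts would feed the IDS or SIEM rather than stdout, and the destination host is the pivot for isolating the affected terminal.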