Malicious software targeting point-of-sale (POS) systems has always been a threat. The volume of credit card account information makes POS systems a much more productive target than personal desktop machines. Researchers have tracked these pieces of malware and noted their increasing sophistication as one piece of POS malware begat another. Now, analysis by researchers and the sheer number of compromised businesses make it clear that the POS malware industry has nearly caught up with its desktop cousins in scope and sophistication.
The real crime could be that there is no need for sophisticated social engineering or carefully crafted and injected code that takes advantage of overlooked security holes. Retailers are simply leaving the doors propped open.
Happy holidays – sort of
In recent years the holiday shopping season has been the occasion for spreading some not-so-welcome holiday cheer: new POS-attack discoveries.
In December 2011, reports surfaced that an organized gang had installed keyloggers on POS systems of small retailers, including more than 150 Subway franchises, and over a four-year period had stolen data for more than 146,000 accounts. A year later, the Dexter malware was implicated in infecting hundreds of POS terminals atretailers, hotels, restaurants and other businesses. The followingwinter, Stardust (an extensive revision of Dexter’s code) and Chewbaccaboth surfaced, adding extensive botnet capabilities. Each wasknown to have infected several dozen retailers.
All of these iterations have had a few things in common. Whilesome added keyloggers or network-sniffing capabilities to theirtheft arsenal, they have relied primarily on the same “RAM-scraping”technique: capturing the card data from system RAM, where it is heldin cleartext, just after the card swipe. In addition, the history of POSinfections is that where the point of ingress is known, attackers haveused the simplest of hacking techniques to gain access: They exploitweak credentials and use brute-force password-guessing techniques.
Backoff – the next-generation POS malware
The pattern continued with the most recently revealed piece of malwareto hit POS terminals. In July 2014 the Secret Service and Departmentof Homeland Security issued an advisory about the Backoff POSmalware. The advisory revealed that Backoff has become the mostwidely distributed family of malware uncovered to date. There havebeen at least five variants detected in the wild; it has been found onterminals manufactured by seven different POS system vendors; beeninstalled and collecting card data since as early as October 2013; and is
estimated to have infected more than a thousand U.S. businesses. Weak credentials are once again the point of entry, via remote-desktop software installed on the POS computer. While not specifically
implicating any of these packages in the attacks, the advisory lists Microsoft’s Remote Desktop, Chrome Remote Desktop, Apple Remote Desktop, Splashtop 2 and LogMeIn as examples of the types of
packages used to gain entry.
Once installed using the compromised credentials, the malicious payload takes over administrator accounts and steals credit card details. Disguised as a Java component, it watches for credit card transactions, scrapes the card-track data from memory and transmits it to the criminals’ servers using an encrypted POST request. Depending on the variant, Backoff also logs keystrokes, injects itself into explorer.exe to re-initialize the malware functionality in case it is stopped, and performs command-and-control communication for updating the malware and sending the discovered data.
Backoff has been linked to breaches at Target, Neiman Marcus, Michaels, P.F. Chang’s, UPS Stores, Sally Beauty, Supervalu, Albertsons, Home Depot and, most recently, Dairy Queen and Kmart.
Pointers for POS protection
The Secret Service advisory states at the time the Backoff malwarewas discovered and analyzed, antivirus software was unable todetect it. These heretofore unknown “zero-day” attacks were stealthyenough to run undetected for months.
Rather than relying on antivirussoftware, basic POS system protection against Backoff and itscousins boils down to three steps:
1. Use strong passwords
Much has been written on the importance of choosing a strongpassword. Yet POS malware is successfully breaching machines becausetheir passwords are so poor – either left at the default or easilyguessed. It is best to use a passphrase rather than a simple password,as a passphrase can be easy to remember yet very time-consumingto crack due to its length. Consider supplementing passwords withtwo-factor authentication (2FA) on any machines that can touchyour POS systems.
2. Limit login attempts
Make your strong password count: Limit attempts to log in to machinesto just a few. Lockout after three to five incorrect attempts isa common range. This will dramatically decrease the effectiveness ofbrute forcing attacks, as the attackers will be prevented from tryinglarge numbers of incorrect passwords until they get to the right one.
3. Limit access
Apply the principle of least privilege when choosing to enable remote-desktop protocol. POS malware is far from the first to takeadvantage of poor passwords or the power of RDP. Limit accesswherever you can. If you do not need to access the machine remotely,do not enable RDP. If you do need to enable RDP, make sure you do sosecurely.