POS Malware Overview for the 2014 Holiday Shopping Season
December 2, 2014 • Dan Mitchell
Almost a year has passed since the infamous Target breach that took place during the 2013 holiday shopping season, resulting in the digital theft of an unprecedented 70 million consumer credit cards and dominating headlines in the weeks that followed.
In 2014, the trend continued with a long list of other major retailers, and thousands of smaller retailers alike, who discovered or were notified of breaches using similar strains of POS malware. Many instances of new malicious code introduced more sophisticated capabilities and methods while others shared code and functionality from their predecessors. The following analysis will focus on demonstrating how open source intelligence from Recorded Future can be used to gain insight and provide the “big picture” on this epidemic, concentrating specifically on the following angles:
- Timeline of high-profile retailer breach events occurring over the past 12 months
- Techniques, tactics, and procedures (TTPs) employed by the POS malware used in the breaches
- Activity tracking for some of the more prevalent malware variants seen in the wild
- Clues and insight into the attribution and origins of the POS malware
Summary of Major Breaches in 2014
Below is a timeline of some of the major POS data breaches reported since Black Friday of last year.
In 2014 we saw payment system breaches against some major retail chains including but not limited to…
- Home Depot
- Dairy Queen
- Jimmy John’s
- Michaels Stores
- P.F. Changes China Bistro
- Sally Beauty Holdings, Inc.
- Sears Holding (Kmart)
- The Neiman Marcus Group
- Yum! Brands (Pizza Hut)
… and the list goes on.
Summary of TTPs Used by Today’s POS Malware
Below is a preview of some of the new TTPs employed by “smarter,” more evasive POS malware that has emerged in the past 12 months.
Here’s the timeline summary of TTPs:
- Stealing Track 1 and Track 2 information on the magnetic strips of credit cards
- Using HTTP POST request to check for updates
- Command and control capabilities with bot masters
- Code injection for monitoring processes running in memory
- Firewall evasion techniques and HTTP drop and load tactics
- Memory scraping combined with form grabbing functions
- RDP enabled C2 communications
- Brute force password cracking on “weak” terminal passwords
- Scanning for vulnerable RDP enabled windows based payment systems
- Malicious binaries masquerading as media files
- Autorun registry entries to gain persistance
- Malicious code written in Visual Basic to evade detection
- Exfiltration of data via DNS
- Keylogging functionality
Tracking POS Malware Activity
Below is a snapshot of recent POS malware activity.
With this information, I can quickly make some observations.
- POS malware is affecting retailers on a global scale.
- Selling stolen payment data on card sites has become a lucrative business for cyber criminals.
- Botnets have become an integral part of the malicious infrastructure and share code with other well-known malicious campaigns such as Zeus and Citadel.
- Some POS malware appears to target specific retail segments, like food and beverage.
- There is likely a larger population of retailers who have been breached without publicly disclosing, and this activity is ongoing and will continue for the foreseeable future.
Below is a timeline of attribution clues as reported by public web data.
Here’s the timeline overview of attribution information:
- Dexter has been lurking around since circa 2012, many of the newer variants borrow code and functionality.
- Dexter had a large presence in the Middle East and later made its way to the west, indicating a likelihood it may have been authored by a foreign entity.
- BlackPOS was attributed to 17-year-old Russian kid who uses the handle “Ree4.”
- Ree4 has allegedly sold 40 builds of BlackPOS code kits to cybercriminals who are are finding a lucrative business selling stolen data on “card shops” like Rescator, Trak2.name, Privateservices.biz and many more are yet to be uncovered.
- The Decebal malware has been linked to coders in Romania.
- Decebal, VSkimmer and JackPOS have allegedly been used by a criminal known as “Rome0,” likely a Romanian cyber criminal or gang of organized cyber criminals.
- FrameworkPOS contained strings and hidden anti-US military messages indicating a possible sponsorship from a nation-state funded threat actor or hacktivist group with different motives.
Current analysis on POS malware has been a mounting challenge for information security professionals and researchers throughout the global community. Each successive breach and new malware strain seems to be closely related or at least bears resemblance to its predecessor.
A large portion of analysis has been riddled with misattribution and convolution for two reasons. First, many of the important technical details and indicators remain barricaded behind the red tape of law enforcement investigations, so actual samples of malicious code have been sparse until very recently. Secondly, the malware variants being discovered have functional symmetry and structure but are being used by a wide and diverse set of threat actors; some acting alone, others in highly organized fashion and others with clear political and possibly even militant agendas.
One thing is certain, we are dealing with an increasingly sophisticated and well orchestrated set of adversaries on multiple fronts. This also applies to the broader cyber threat landscape. One has to wonder if there’s a state-sponsored adversary at play here; intent on disrupting the US economy by dismantling consumer confidence and trust. Retailers will have to be vigilant about protecting their consumers credit card and other personal data by investing in new payment card technology and manufacturers will need to innovate systems that are less prone to exploitation.
It will take some time for the consumer to regain trust in the wake of these breaches. Some retailers have already begun to transition, or have publicly stated their plans to upgrade, to the newer and more secure EMV payment systems, also known as chip and PIN. This technology has already been widely adopted throughout Europe and while it may help mitigate some of the risk of today’s credit card theft at the terminal, it will by no means be a silver bullet.
Retailers will need to couple the adoption of new payment technology with sound security practices, including the acceptance of a more advanced capability to monitor threats and suspicious activity both on the inside and outside world as it pertains to their network traffic.
What are some steps I can take to protect myself as a consumer?
- Understand that deciding to do all your shopping online will not make you immune to credit card theft.
- Keep all of your receipts for no less than a year. Your receipts effectively become a timestamp you can use to cross reference against future retailer public breach disclosures.
- Consider doing business with companies that have already publicly disclosed being breached. Sounds crazy, I know, but consider the possibility they are likely more aware of the threat landscape and are actively engaged in deploying enhanced detection capabilities and refining their mitigation strategies to avoid further public scrutiny. In the end, use your best judgement.
- See what alerting options your bank provides for suspicious transactional activity.
- Don’t be afraid to inquire within. Ask your local retailer what they can share about their mitigation strategy as it pertains to protecting you the consumer from POS malware.
What are some steps I can take to mitigate a breach as a retailer?
- Enforce a strict and comprehensive encryption policy on all your transactions.
- Define B2B encryption end-points for your data transaction infrastructure. Know where your encrypted data should go and where it should come from.
- Standardize your encryption algorithms.
- Monitor for deviations from your encryption policy.
- If encrypted traffic is going somewhere outside of your defined policy, you should have an alert setup on a monitoring device to inform you.
- If you see an encryption algorithm in use on your network other than what you have standardized on, you should have an alert setup to inform you.
- Do a manual inspection of your POS terminals at the beginning and end of each shift.
- Look for USB sticks and suspicious panels or devices attached to your payment terminals. There is an active market for stealthily looking card skimmers and they can be tricky to spot in plain sight.
- Enforce strong password policies across your entire corporate network, especially on your payment terminals. Consider using multi-factor authentication if you haven’t already deployed it
- Consider deploying custom detection content that detects anomalies in HTTP headers along with suspicious looking POST and GET requests, attackers will often communicate in the clear while evading traditional detection.
- Make sure your systems are patched and up-to-date. Consider routine vulnerability scanning and red-team testing.
See how Recorded Future can empower you to stay one step ahead of the adversary. Get started by requesting a demo of Recorded Future’s real-time threat intelligence platform.