Retail PoS devices remain vulnerable

Trend Micro reports that it has discovered a new point-of-sale (PoS) malware which it believes has been around since 2013; it has called the new strain PwnPOS.

In a blog post,Trend Micro analyst Jay Yaneza explains that there are two components of PwnPOS: the RAM scraper binary, and  the binary responsible for data exfiltration. “While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors. The RAM scraper goes through a process' memory and dumps the data to the file and the binary uses SMTP for data exfiltration.”

It can add or remove itself from the list of services on a targeted PoS machine without fully deleting, allowing it to go unseen, then start up again.

As Trend Micro noted in its earlier report, Point-of-Sale System Breaches Threats to the Retail and Hospitality Industries, many PoS terminals are built using embedded versions of Microsoft Windows, making it easy for an attacker to create and develop malware that would run on a PoS terminal, if they can access the terminal and bypass or defeat any running security solutions. “Sufficiently skilled and determined attackers can thus go after a business's PoS terminals on a large scale and compromise the credit cards of thousands of users at a time. The same network connectivity can also be leveraged to help exfiltrate any stolen information. This is not just a theoretical risk, as we have observed multiple PoS malware families in the wild.”

Sagie Dulce, security researcher at Imperva, issued a statement saying: “As we see with many breaches, they go undetected until the data is leaked or sold. In this case we have seen PwnPOS operating with other PoS malware like BlackPOS and Alina”.

“Perhaps what happened here is that several criminal groups attacked the same target. After one was caught, the “hunt” was probably over.

Regarding the malware itself, it is not regarded as sophisticated as it has no exploits: it used scripts and Auto-It (a free automation scripting tool) for data exfiltration, and it only runs on 32bit OS and only if there is no UAC feature (which is true for Windows XP - many POS endpoints still run on XP).  In addition, it exfiltrates data by sending emails (with a small twist; the target of the email does not exist so the email returns to the sender – which is the ‘real' target).

Dulce's analysis is that this malware demonstrates how it doesn't require a lot of resources to breach an organisation and steal data  - just a few scripts, along with an ‘off the shelf' scraper.

In addition, as these types of attacks become more and more mainstream it can be assumed criminal groups are targeting the same victims, so several attacks occur in the same organisation. It is also harder to catch the ‘real' perpetrator as new threats are harder to detect. Hackers may take advantage of this, and plant known malware to cover their tracks. Once the forensic team finds BlackPOS, the case is closed and the hackers can move on to the next victim, knowing that their tool was not compromised.

Mark James, security specialist at ESET, added in a statement to press: “These types of threats will change all the time. As our ability to find and remove malware grows the writers will adapt and change it so it becomes even harder to detect. Some malware needs to get more complex but sometimes it can go the other way and get a little simpler, sometimes simpler can be better, but one thing is sure, malware needs to adapt to survive.

"Considering a lot of POS machines are still running Windows XP (almost 20 percent total OS usage) it's quite a concern. Modern day UAC security features (Windows Vista+) or using a 64bit OS would cause problems and stop this threat in its tracks, but the fact that a lot of POS machines don't use these features, enables this malware to spread too easily and infect a lot more machines than should be allowed. This is another good example of the importance of using up to date secure operating systems and moving away from the older insecure systems.”

The discovery validates concerns among retailers, where 18 percent say they are not confident about the security of the configuration of their PoS devices and only 20 percent are confident, according to a study sponsored by Tripwire conducted by Atomic Research.

The problem was wider than PoS devices with 34 percent of retail executives “not confident” all the devices on their networks were authorised and a similar number “not confident” that all the devices connected to their networks were running only authorised software.