'Off-the-shelf' malware targets POS systems

News by Doug Drinkwater

Hackers are using "relatively unsophisticated" malware bought on the black market to target vulnerable point-of-sale (POS) systems, according to a new report.

Following on from high-profile attacks against US retailers Target, Neiman Marcus and Michaels Stores, McAfee Labs examined how many data breaches are being caused by relatively basic malware, often bought “off-the-shelf” on the black market.

“The breaches were unprecedented in numbers of records stolen, but what is even more notable is how well the malware industry served its customers,” reads the executive summary from the report. “The attackers purchased off-the-shelf point-of-sale malware, they made straightforward modifications so they could target their attacks, and it's likely that they both tested their targets' defences and evaded those defences using purchased software.

“They even had a ready and efficient black market for selling the stolen credit card information, including an anonymous, virtual-currency-based point-of-sale payment system. Raw materials, manufacturing, marketplace, transaction support—it's all there for thieves to use.” 

Researchers added that Lampeduza Republic is one of the better organised credit card black markets, with thieves often paying using anonymous virtual currencies like Bitcoin.

The report goes on to say that thieves are using ready-made POS malware tools like POSCardStealer (a Trojan which deposits card data onto external servers), Dexter, Alina, vSkimmer, ProjectHook and others to exfiltrate data.

Hackers used BlackPOS to attack Target, but researchers say that the attack was unusual because the US retailer uses a custom-built POS application, making it impossible for cyber-criminals to learn the system “offline” (something they can usually do by working on leaks of commercial POS applications).

Detailing the attack, researchers say that it was based on “several customisations” of BlackPOS. Details regarding Active Directory domain names, user accounts, and IP addresses of SMB shares were hardcoded into scripts that were dropped by some of the malware components, and the scripts were sent as plaintext files to a remote server.

“Nonetheless, we must recognise that this class of attack is far from ‘advanced’. The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality,” reads the report. “BlackPOS source code has also been leaked multiple times. Just as we have seen with Zeus/Citadel, Gh0st, Poison Ivy, or many other leaked kits, anyone can employ, modify, and use them for their purposes.”

Quizzed on why hackers are opting for off-the-shelf malware, 451 Research analyst Javvad Malik said that criminals are, like legitimate businesses, looking for effective solutions at affordable prices. 

“Criminal organisations have the same basic business principles as legitimate businesses, i.e. make as much whilst spending as little as possible,” he told SCMagazineUK.com. “Coming up with new malware isn't trivial or necessarily cheap, so it makes business sense to purchase off-the-shelf malware to carry out attacks.”

Michael Belton, head of Rapid7's assessment team, agreed and said that the rudimentary tools used in POS attacks should serve as a wake-up call to vendors running systems with unpatched software.

"The lack of sophistication in many of these attacks underscores the fact that there is much room for improvement regardless of the victim's size and available resources," he said via email. "As an adversary, access to advanced attack tools is a matter of price."

Neira Jones, independent advisor and former member of the board of advisors for PCI SSC, says that it is worth noting that data breaches are likely to change by location – the US, after all, is still to adopt EMV (the equivalent of chip and PIN), but says that reaching PCI DSS compliance should be the minimum standard for trading organisations.

“I have always believed that PCI DSS is a good set of controls and organisations should look at it as a minimum standard that they should achieve (even if they are not involved in card payments),” she told SCMagazineUK.com via email, further noting Verizon's recent PCI Compliance Report, which found that breached organisations are often less compliant.

“An organisation will only be as strong as their 'business as usual' security practices, making sure that they cover all aspects of people, process and technology.”

Jones went on to add that “well-documented” hackers will target POS systems via terminals (such as skimmers, firmware and inserted components), RAM scraping and network sniffing, and said that mitigation efforts are “not new either”. However, she warned that e-commerce sites are increasingly at risk and are a “relatively easy target for criminals.”

The McAfee Labs report, entitled McAfee Labs Threat Report: Fourth Quarter 2013, also found that Android malware samples had grown by 197 percent year-on-year, with ransomware rising by one million new samples for the year. The anti-virus company also saw the number of digitally signed malware samples triple for 2013, and noted a 70 percent increase in the number of suspect URL addresses.

