Researchers at Forcepoint Labs have uncovered what is thought to be the first new Point of Sale malware for two years. Named UDPoS, courtesy of how it relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of data. This is also thought to be a first for such malware.
At first glance, that's about where the 'new' stops. Using command and control servers in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia is unusual but using a brand recognition lure tactic is not. UDPoS claims to have a LogMeIn service pack in order to bait the malware execution trap.
At second glance, however, UDPoS seems to go from dumb to dumber. There's something very old-fashioned about this particular malware; mainly that it's a magnetic stripe data stealer when the world, even the US, has largely moved on to an EMV (Europay, Mastercard, Visa) chip standard. OK, in the US it's still more a chip and signature thing than chip and pin, but to target magnetic stripe data seems truly bizarre.
So, UDPoS isn't particularly advanced, it would seem, with some glaring coding errors to further dilute the danger it represents. SC Media UK understands that, like most other malware, UDPoS actively searches for AV software and virtual machines so it can shut down rather than get detected. Unfortunately, it appears to be restricted to searching for just one solitary product at the moment. The researchers say it is "unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."
The problems for UDPoS do not end there though, as most properly configured enterprise firewalls would catch and prevent DNS data exfiltration. That's assuming the enterprise had such lackadaisical patching regimes that enabled the out of band and unusual supposed service pack to be installed in the first place of course.
So, does this mean that UDPoS has the stamp of an amateur behind it, or at best a not too technically mature attacker, given that it seems to be pretty easily detected and disarmed? Luke Somerville, head of special investigations at Forcepoint, admitted to SC Media UK that UDPoS is something of a mixed bag. "It combines a number of clever ideas from earlier PoS malware families," Somerville explains, "but equally has some notable faults when inspected closely, especially in terms of its antivirus and sandbox evasion code."
And then there's the small matter of it targeting magnetic strip data from credit cards, at a time when the world and it's auntie have pretty much made the jump to EMV chipped cards. Somerville pointed out that in the US the "process is far from complete" and notes as an example how payment terminals used by Aldi in the US are capable of chip-based transactions but these have not actually been enabled as of yet.
Marco Cova, senior security researcher at Lastline, points out that actually the use of EMV-enabled transactions is still lagging in several geographies, including the US. "Depending on the reports, only about 30 to 50 percent of transactions are EMV-enabled," Cova says. So perhaps the attacker is targeting smaller merchants that are traditionally slower to adopt newer security solutions? Maybe not so dumb after all?
"This slow changeover still leaves plenty of opportunity for criminals to target mag-strip data," Somerville insisted, "especially if they do their homework and target companies or industries which have been slow to update their processes and systems."
Javvad Malik, security advocate at AlienVault, isn't so sure about the real-world risk that UDPoS poses though. "In countries where chips have been largely adopted, simply having the mag stripe data is pretty inconsequential," Malik told SC Media UK, "it wouldn't be able to be used at payment terminals or for mail or telephone order as it lacks the three digit security code printed on the back."
Of course, there is an opportunity to use data captured from mag-strips where 'swipe and signature' is the norm. However, this is a dwindling target landscape, and it seems odd for a brand new piece of malware to think it worth attacking. Indeed, SC Media UK was told that none of Forcepoint's customers appear to have been infected by the malware as of yet...