A Call to Arms: Defending Against Point of Sale Malware

Point of Sale (PoS) malware has been alarmingly successful over the past year and is estimated to have cost businesses billions of dollars. While PoS malware does not represent any major technical evolution, it suggests that cybercrime is shifting focus from the consumer to the retailer. Rather than relying on infecting relatively small groups of users with specific vulnerabilities who may conduct e-commerce a few times per month, PoS malware is able to take advantage of standardized point-of-sale deployments in the retail sector to affect thousands of systems, each reading credit-card information hundreds or even thousands of time per day. In this paper we discuss the trends and evolution of point of sale malware. Case studies of three specific malware families are examined and recommendations are made to harden systems against similar attacks in the future. We conclude with a list of general recommendations which, if implemented, would significantly reduce both the likelihood and impact of a PoS malware attack. Introduction Computer viruses have been a growing security concern for over four decades. First instances of code that functioned as viruses were often accidents or jokes written for the fun of the author. Elk Cloner, a prank written by a 15-year-old became one of the first uncontained computer viruses 1 to be found in the wild. Some were created as proof of concept, showing what theoretically can be done by outside software. The use of viruses gradually developed to read, destroy, or even steal data. These functions have become a key part of cyber-crime, and are continually on the rise today. The malicious intent of these programs gave rise to the term malicious software, otherwise known as malware. According to Verizon’s 2014 Data Breach Investigations Report, 63,437 security incidents were reported in the year 2013, and 1,367 of those incidents resulted in a confirmed data breach . The 2014 US State of Cybercrime Survey claims that an average of 135 security incidents per organization were detected in the same year and that 77% of respondents detected a security event in the past 12 months . This rise in cyber-crime has led to both small and highly organized attacks, not to mention terrorism and cyber-warfare. Not only has the rate of cyber-crime risen in the country, but the economic cost of cyber-crime has also increased. According to McAfee, the estimated global cost of cyber-crime in 2014 will exceed $445 billion dollars. This same report states that the 2013 hack against the US retailer Target alone cost banks more than $200 million. The Target attack represents a new form of retail targeted malware designed to specifically attack the method of transaction from customer to provider, with the ability to steal debit or credit card information. These breaches, taking place at Point of Sale terminals (PoS), can cause huge damage to companies, customers, and the global economy at large. PoS malware has hit many other large retailers recently, including Home Depot, Staples, and Dairy Queen. This paper will analyze how PoS attacks are realized. Specifically, what have been the delivery mechanisms of Point of Sale malware and how they collect and exfiltrate stolen data. We show that by understanding the methods employed by malware, existing best practices can be tailored to provide a comprehensive and effective defensive strategy to minimize the risks posed by PoS malware. Methodology To understand the methods by which Point of Sale malware establish themselves and operate within retail systems, current technical literature and case studies previously conducted on this type of malware have been studied and compared. While there are many different versions of PoS malware, for the purposes of this study only those directed against high profile targets are considered. These are summarized as follows: The BlackPOS, or Kaptoxa malware, is best known for its usage in the 2013 Target breach . This was perhaps the largest profile and most significant breach to date. This malware has been used as a basis to develop more advanced strands, for example BrutPOS . Two detailed reports on this malware facilitate the study of its functions and exfiltration methods: “KAPTOXA Pointof-Sale Compromise” 4 and “PoS RAM Scraper Malware Past, Present, and Future” . Alina is a highly developed malware family that is now in its sixth version. It is highly advanced in its capabilities and exfiltration methods 5 . Several other PoS malware samples have been discovered that are built on Alina’s feature set, including Backoff and JackPOS . The principal two reports found that detail the operation of the Alina malware family are “PoS RAM Scraper Malware Past, Present, and Future” 5 and “Special Report Point-of-Sale Malware” . Dexter is a well-developed virus which contains many variants, the most popular being Dexter Revelation . As one of the older PoS malware families, there has been significant research into Dexter’s operation and development. Dexter was used in a series of attacks in South Africa, specifically targeting hotels and restaurants. “PoS RAM Scraper Malware Past, Present, and Future” 5 includes in-depth specifics on Dexter’s operations. Three additional reports demonstrate the impact Dexter has had, as well as some specifics to its character. These reports are “ASERT Threat Intelligence Brief 2014-3 Dexter and Project Hook Point of Sale Malware Activity Update Point of Sale Malware Overview PoS Malware Activity : Dexter and Project Hook” , “Visa Data Security Alert Dexter Malware Targeting Point-of-Sale (POS) Systems” , and “Dexter and Project Hook Break the Bank Inside Recent Point-of-Sale Malware Campaign Activities” . The research methodology will consist of a comparative study of the articles listed above, focusing on both malware delivery and post-infection methods used to extract data. For BlackPOS, Alina, and Dexter, this will take the approach of a literature survey based on existing research.