What Retailers Must Know about POS Security Breaches: Are YOU the Next Target or Neiman Marcus?
In part the reason for the security assessment lies in the recent compromises of Target and Neiman Marcus Point of Sale systems. In late 2013, Target’s intrusion exposed 40 million credit and debit cards along with 70 million customers’ personal data to malware that’s “nearly identical” to a 207kb malicious program sold on the black market called BlackPOS. This program is a specialized piece of malware designed to be installed on point-of-sale (POS) devices and record all data from credit and debit cards swiped through the infected system.
Once installed on POS devices, such malicious programs are able to capture the data on the magnetic stripe on credit and debit cards while it’s in the system memory immediately after a card has been swiped at the POS.
Sources familiar with the investigation said that the software tools that were used in the attack were specifically designed to avoid detection.
The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation said. “They basically had to keep going in and manually collecting the dumps.”
NOTE Figures Below for the Retail Industry, based on 2013 studies of data breaches by industry:
See below for the CAUSES of the breaches, especially for the retail industry….
This data is more lucrative as it allows criminals to clone cards, meaning they can be used in brick-and-mortar stores or even ATMs if the PIN is available. The value of the data is reflected in the online sale price and these prices vary widely. CVV2 data is sold for as little as $0.1 to $5 per card while Track 2 data may cost up to $100 per card.
POS malware exploits a gap in the security of how card data is handled. While card data is encrypted as it’s sent for payment authorization, it’s not encrypted while the payment is actually being processed, i.e. the moment when you swipe the card at the POS to pay for your goods.
Since then a market has grown in the supply and sale of malware, which reads Track 2 data from the memory of the POS terminal. Most POS systems are Windows-based, making it relatively easy to create malware to run on them. This malware is known as memory-scraping malware as it looks in memory for data, which matches the pattern of the Track 2 data. Once it finds this data in memory, which occurs as soon as a card is swiped, it saves it in a file on the POS, which the attacker can later retrieve. The most well-known piece of POS malware is BlackPOS which is sold on cybercrime forums.
Armed with POS malware, the next challenge for attackers is to get the malware onto the POS terminals. POS terminals are not typically connected to the Internet but will have some connectivity to the corporate network. Attackers will therefore attempt to infiltrate the corporate network first. They may do this by exploiting weaknesses in external facing systems, such as a driveby download from a malicious Web server.
There are several types of POS malware in use, many of which use a memory scraping technique to locate specific card data. Dexter, for example, parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data. Stardust, a variant of Dexter not only extracts the same track data from system memory, it also extracts the same type of information from internal network traffic.
In a recent investigation, RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia.
As part of RSA’s investigation that uncovered this stolen payment card data, RSA observed “ChewBacca,” a relatively new, private Trojan used in this operation that features simple keylogging and memory-scraping functionality. For more information on this malware, refer to Appendix A.
APPENDIX A: A look at Point of Sale RAM scraper malware and how it works
Figure 8: ChewBacca server login page
ChewBacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as Point-of-Sale (POS) systems. The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server.
Figure 9: Using RegEx to scan for credit card data in memory.
RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (C&C) server(s), encrypting traffic, and avoiding network-level detection. The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.
The Trojan is self-contained and runs as-is. It has no dynamic configuration and is non-modular according to RSA’s investigation.
Upon running, ChewBacca installs a copy of itself in the Windows Start > Startup folder, as a file named “spoolsv.exe“, for example:
Figure 10: Dropped ChewBacca malware file.
The file name disguises the Trojan as a Windows Print Spooler service executable, and placing it in the Startup folder causes it to run automatically at Windows startup.
After installation, the keylogger creates a file called “system.log” inside the system %temp% folder, logging keyboard events and window focus changes.
Based on its current findings, RSA believes that deleting this file and rebooting will effectively remove ChewBacca from an infected system.
ChewBacca Server Side
The server side control panel allows the botmaster easy access to manage the botnet and review the compromised data. A “Reports” screen lists information about the compromised machines and the data captured from each of them. Data is presented in either parsed form or in raw text (as it was grabbed from the machine).
Before disappearing behind TOR, the controller of this botnet was observed logging into the server from an east European country.
The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months.
Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.
Sources: Verizon 2013 Studies on Data Vulnerabilities/Industries/Profiles