On December 19th, 2013, Target Corp announced that it fell victim to a very sophisticated cyber-attack that took place around the Thanksgiving holiday. This led to the theft of information pertaining to over 40 million credit and debit accounts used at their stores.

As many people are now aware, simply protecting your banking information on your personal computer is not enough. While attackers are still stealing information one device at a time using malware like Cryptolocker, why not simply go to a common place that everyone trusts and steal it from there? That's where PoS (Point-of-Sale) malware comes in. This is not a new process by any means, in 2007 TJX (Operator of TJ Maxx and Marshalls retail stores) announced that over 40 million credit and debit card records were exposed and stolen. The attack last December potentially affected the lives of up to 110 million Target customers.

There are many types of PoS malware on the market right now. Malware itself has become a commodity and can sell for as much as $40,000 (see carberp:http://krebsonsecurity.com/2013/06/carberp-code-leak-stokes-copycat-fears/ ). This means that slight variants of a sample could be in use by several unrelated attackers. Although each different sample can dramatically change functionality and obfuscation levels, the formula remains about the same:

·         Somehow get into the network

·         Infect the PoS terminals themselves

·         Read/Dump memory/databases on the PoS terminal

·         Offload the data somewhere

·         Send the data back to a remote server

Arguably the most detectable part of PoS malware is that it must somehow send data back across the network. While we focus on prevention in the first place, the flexibility of our platform allows us to take an approach of stopping the malware at this very significant stage as well.  We decided to make a list of the most popular PoS malware found in the wild as it relates to this threat, as well as our rule coverage for each sample:

BlackPOS (POSRAM) (Dump Memory Grabber) – Allegedly the malware used in the Target/Neiman Marcus attacks.

·         29420, 29421 MALWARE-CNC Win.Trojan.Reedum outbound FTP connection

Chewbacca – Malware that reads process memory, logs keystrokes and utilizes the TOR network to ship data back.

·         29440 MALWARE-CNC Win.Trojan.Chewbacca outbound communication attempt

Dexter – Locates, dumps and ships credit card track data in memory for potential cloning. Ships data back over HTTP.  Coverage was shipped for this threat in January of 2013.

·         25553 MALWARE-CNC Win.Trojan.Dexter variant outbound connection

Trackr/Alina – Similar to Dexter, locates, dumps and ships credit card track data in memory. Ships data back over HTTP.  Coverage was shipped for this threat in May of 2013.

·         26686 BLACKLIST User-Agent known malicious user agent - Alina

VSkimmer – Sold as a successor to Dexter with more functionality. Ships data back over HTTP.

·         29415 BLACKLIST DNS request for known malware domain posterminalworld.la

·         29416 MALWARE-CNC Win.Trojan.vSkimmer outbound connection

Businesses will need to be proactive in their approach to payment terminal security. As retail giants and small businesses alike take note of these attacks, they should be auditing their own network configurations while asking themselves a few questions:

  • How are my payment terminals connected to their respective databases? How are those databases secured?
  • How could my payment terminals (or anything they have connections to) access the internet?

What software am I running my payment terminals on? Are there more secure alternatives?

  • What security mechanisms are in place to detect PoS compromises?

As usual, the VRT will continue to hound the internet. We are always interested in hearing about new and interesting methods used by attackers, so feel free to drop us a line if you'd like to share what you are seeing at: askvrt@cisco.com