- September 21, 2016
- Info notes
A Point Of Sale (PoS), is an electronic device used to process card payments at retail locations and is the point where the transaction between the customer and seller is completed. Recently, media drew attention to PoS attacks, which targeted systems from several sectors. Data breaches affecting card payment and customer information were disclosed, affecting hotel chains, or clothes retailers just to point a few.
In early August 2016, that their point-of-sale subsidiary MICROS was affected by a breach that may have involved the theft of credentials for remote access of point-of-sale devices. These credentials could allow attackers to plant malware on such devices. In relation with this breach, VISA issued a security alert, recommending users of MICRO's POS devices to double check the machines for malicious software, unusual network behaviour, and to change passwords.
This note aims to give some background information on PoS attacks, outline the anatomy of a PoS attack, provide an overview of PoS attacks' evolution throughout the years, as well as recommendations for preventing them.
A not-so-new attack vector
Personal financial data theft such as credit and debit card details is one of the earliest and most profitable forms of cybercrime. Attacks to POS terminals first appeared back in 2005, when attackers began using networking-sniffing malware to intercept payment card data while in transit. Since then, this threat has been slowly germinating, and the attackers honing their techniques by developing more capacities and resources, paving their way to perform bigger data breaches by organizing sophisticated operations in order to capture financial data before selling it in underground marketplaces.
Skimming, the act of obtaining credit card data information without the knowledge of the original holder, is one of the most known methods of financial fraud/theft. However, it has some disadvantages: it requires physical access to the POS, expensive additional equipment (most of the times, not recoverable), and it is difficult for criminals to perform large-scale deployments with this method.
To surpass these drawbacks, criminals have turned to target retailers' infrastructure and, ultimately, try to compromise where the transaction is handled: The Point of Sale (POS). By targeting major retailers, criminals can potentially accrue data for millions of cards in a single campaign.
Anatomy of an attack to POS system
The anatomy of an attack may vary depending on the maturity and the defences of the organization. In a mature scenario, attacks targeting POS systems are typically multi-staged and may cover all the phases of the cyber kill-chain (reconnaissance, weaponisation, delivery, exploitation, installation, command and control and action on objectives). Moreover most of the existing POS systems are usually based on a general purpose operating system (OS), making them more susceptible to a large variety of attacks scenarios and facilitating cybercriminals to develop tools, malware or exploits that can potentially affect a large amount of victims.
There are different methods an attacker can use to gain access to a network hosting POS systems, examples of these are: looking for weaknesses in external-facing systems, e.g. using an SQL injection on a web server, or sending spear-phishing e-mails to an organization.
In the case of successfully being able to access an organization's internal network, the next step for potential attackers would be to perform lateral movement within it, e.g. get access to other systems, capture administrator credentials and propagate themselves until they find the way of compromising the POS systems.
In some cases, attackers search and scan for direct attacks to POS systems which are exposed to the Internet. A common practice for POS vendors, in order to be able to update and configure POS machines remotely is to install remote administration applications like Microsoft Remote Desktop, VNC or LogMeIn. In many cases, these services are not well configured, limited, or filtered, which allows attackers to attack the services directly, for example by brute-force attacks or by exploiting a vulnerability.
Finally, once the POS system has been compromised, the attacker will install additional tools, including specially crafted malware for POS that collect unencrypted credit card data, traveling within the internal network or stored in the RAM of the device. Once collected, the exfiltration of the data is performed, by sending the data to a system controlled by the attacker.
Evolution of PoS-specific attacks and malware
As payments processors and retailers tightened up their security, attackers adapted, turned their attention to the point-of-sale terminal and began creating specific malware for PoS devices in order to be able to target a large amount of victims and automate the process of collecting information and exfiltrate sensitive data.
POS malware was first discovered in October 2008. During a fraud investigation, it was found that attackers had been installing debugging software on POS systems that was capable of extracting full magnetic stripe data from its memory. This was the earliest indication of custom malware being written specifically targeting them.
During this early period of 2008, custom malware was not very common, however some malware families emerged during this time, such as RawPOS, one of the first known memory scrapers used in PoS attacks. The malware families created during this period shared many commonalities, like limitations in the form of data exfiltration.
During the period 2009-2010, as security measures and controls were improved, file scrappers and network sniffers became extinct. On the other hand, the use of memory scrappers and keyloggers increased. The most noticeable malware families that appeared during this period (namely rdasrv, mmon, and sr/searcher) are all memory scrapers that have often been incorporated into other malware families in later years. However, like in the past years, this malware was still very specific in its approach, providing no automatic exfiltration or control capabilities.
During 2011-2012 the first instance of FrameworkPOS was discovered, one of the most advanced malware families seen to date. It provides some new interesting functionalities like automatic exfiltration or obfuscation of the data stored in the device. By the end of 2012 the Dexter and Alina malware families were also released and provided not only automatic exfiltration capabilities, but a command and control (C2) component as well. This allowed attackers to deploy their malware to multiple locations and control the victims from a single administration panel. The C2 characteristics included in Alina and Dexter created an important precedent and a great number of families included this functionality during 2013-2014 period such as vSkimmer, JackPOS and Backoff.
In 2013, the source code of the Alina malware family was sold and later leaked on an underground forum. This caused a number of authors to reuse and modify its code. It also promoted the emergence of new malware families such Spark, Eagle, getmypass, and the implementation of POS modules on different botnets (Andromeda) or in other malware (Phase).
This trend of adding PoS memory scraping modules to existing botnets continued into 2015 and 2016. Other than the continued emergence of botnets implementing PoS features, 2015 has had minimal new PoS malware families emerging. It is likely that there simply hasn't been a need or demand for new malware families, as a number of the more established malware families are continually updated and are successful in their outcomes.
Incident response and breach notification readiness. Due to the sensitiveness of this kind of data, breaches associated to PoS attacks can have a significant financial impact, it is essential for affected organizations to be prepared to react quickly and notify affected customers and authorities in order to take appropriate actions.
Follow the compliance and best practices. Companies that handle payment systems are required to comply with standards, such as PCI-DSS, which provide a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
Implement end-to-end encryption. By adding end-to-end encryption to the payment process, organizations increase the security of POS devices and also protect against other kind of fraud and threats.
Evaluate and adopt new technologies. New payment card technologies, like EMV (which creates a unique transaction code that cannot be used again), have been promoted as effective countermeasures for PoS malware. Companies at first and then consumers must learn about, evaluate and adopt new and safer payment processes. However, it's necessary to mention that the aforementioned new technology will not prevent data breaches from occurring, but it will make it much harder for criminals to successfully profit from what they steal.
Proper network segmentation and limitation of internet access. It will allow to mitigate the scope of certain attacks and minimise the level of access to sensitive information for those applications, servers, and people who don't need it, while enabling access for those that do. Network architects and administrators must follow this approach and, in case POS systems need Internet access, make sure they are firewalled and restricted to connecting to trusted addresses only.
Employees Education. Educated end users are a valuable defence in the fight against different threats, even the best technology can't help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting the company's resources. Proper training will help employees to detect and deter different attacks like social engineering or spear phishing.
Proper remote access control. If remote access to a PoS device is needed, for example Microsoft Remote Desktop, a different policy for access control needs to be implemented by system administrators, which may include password policy, network controls and software updating.
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims to give interested readers some background information and recommendations about NIS related topics. The background information and recommendations derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more about the "Info Notes" series (firstname.lastname@example.org).