Understanding and Preventing Point of Sale Attacks

In recent years, there have been a number of high-profile stories involving the compromise of point of sale (PoS) devices. My research often involves deep reverse engineering and analysis of various malware families targeting PoS devices. As such, I’m often asked about the overall threats that these machines face. In this article I hope to provide a high-level view of the threat landscape currently affecting PoS devices.

Background

The term PoS refers to a machine used by businesses to conduct a retail transaction. If you have ever used a debit or credit card to make a purchase, you’ve likely seen these machines. They often run customized hardware and software; however, the underlying operating system (OS) is most commonly some version of Microsoft Windows, often Windows XP or Windows 7. This trend has shifted slightly in recent years with the popularity of mobile PoS devices, most of which run either Android or iOS. While these are becoming more common in smaller businesses, Windows-based PoS machines still make up the majority, and by association are the devices most heavily targeted by attackers.

Figure 1. Example PoS machine

Infiltration

While PoS devices can be attacked in many ways, the method of infiltration typically falls into one of the following three categories, listed from least to most sophisticated:

  1. Spam emails / Exploit kits
  2. Scanning the Internet for default or common credentials
  3. Compromising trusted third parties

Spam Emails / Exploit Kits

These types of attacks are widespread and are often leveraged by attackers who are looking to infect as many machines as possible. Botnet owners are often seen leveraging these attacks to add further devices to their botnets.

Unfortunately, a number of organizations that own PoS machines use them as they would a personal computer. They browse the web, check email, and conduct day-to-day operations from the same machine that is conducting financial transactions. Attackers discovered that while infecting a large number of machines on the Internet, they were also infecting a small number of PoS devices. One such example of how PoS devices can be misused was demonstrated on Reddit, where a user discovered that he or she could access the site from a PoS machine. While accessing this site alone does not pose any significant security issue, it demonstrates how PoS devices can be misconfigured to allow users to reach websites and Internet-based resources that should be blocked. Because of the lack of security controls on these devices, spam emails and exploit kits are able to infect these machines and subsequently steal financial data from them.

Internet Scanning for Default or Common Credentials

While more common in past years, this particular type of threat still represents a portion of attacks against PoS machines. Many PoS vendors configure their devices with remote administration services, such as Microsoft Remote Desktop, VNC, pcAnywhere, or LogMeIn. These services allow vendors to update and configure PoS machines remotely. As PoS machines may be located in geographically diverse regions, remote access is commonly built in out of necessity.

Unfortunately, these services are often configured to be accessible directly from the Internet, which allows administrators and attackers alike to connect and attempt authentication. Additionally, these remote management services are frequently configured with default usernames and passwords. Knowing these username and password combinations, attackers continually scan the Internet in the hope of identifying systems that can be accessed in this way. A number of free utilities designed for such tasks are available online, making it trivial to identify and subsequently compromise misconfigured PoS machines of the kind described.

At a recent RSA conference, researchers unveiled that a major PoS vendor had included a default username and password for all of their products for roughly 25 years. Misconfigurations such as these by both vendors and those configuring PoS machines allow attackers to obtain unauthorized access.

Figure 2. Example Remote Desktop brute force login tool

Compromising Trusted Third Parties

In one of the most sophisticated techniques seen to date, attackers have begun targeting trusted third-party organizations in order to gain access to PoS machines. This trend has been seen in recent years, with the Target breach being the best-known example. In that particular instance, an intrusion at the organization’s HVAC contractor was used to gain access to Target’s PoS machines.

Additional third-party organizations, such as point of sale integrators, have been increasingly targeted in the past two years. PoS integrators are organizations responsible for the installation and maintenance of PoS machines for their clients. These organizations are often the victims of targeted attacks in which spear-phishing emails and other ploys are used to compromise their networks. Once compromised, the attackers use stolen credentials, as well as the trust placed in the integrators’ networks, to pivot and compromise PoS machines on their clients’ networks. This tactic has been deployed heavily by the attackers behind the Backoff PoS malware family, impacting over one thousand US-based companies in 2014.

Malware Types

PoS malware generally falls into four categories:

  • Network Sniffer
  • File Scraper
  • Keylogger
  • Memory Scraper

Due to improvements in both PCI regulations and the general security surrounding PoS machines, network sniffers and file scrapers are rarely, if ever, seen today. Not only did network sniffers capture track data sent across the network unencrypted, but they also had the ability to extract other sensitive information, such as credentials sent across the network. Such information could be used by attackers to gain access to other systems on the network. File scrapers had similar abilities: both card data and other sensitive data on the victim machine could be identified and subsequently used by attackers. From 2007 to 2009 especially, these types of malware families were prevalent.

Since then, keyloggers and memory scraping malware families have become commonplace in PoS breaches. Keyloggers can work in a number of ways; however, one of the most common is to create a message-only window via a call to CreateWindow. The malware then registers that window to receive raw keyboard input via a call to RegisterRawInputDevices, which is in turn used to capture keyboard input data. Additionally, keyloggers will often also capture screenshots of the desktop to provide the attacker with more information about the victim machine.

Figure 3. Example of malware implementing keylogging functionality

Memory scrapers typically work in a small number of ways. They will begin by obtaining a handle to a process that the malware wishes to target. These processes are typically discovered via calls to either CreateToolhelp32Snapshot or EnumProcesses. At this particular stage, memory scrapers will often employ either a blacklist approach, where common process names are ignored, or a whitelist approach, where only a small subset of known process names are targeted. As an example, the svchost.exe process might be ignored, while the frmweb.exe process might be targeted.

Once a process is identified and a handle is obtained, memory scrapers will iterate through its pages of memory using the VirtualQuery function. Further checks are often performed during this stage. Namely, a good memory scraper targeting track data will typically only look at pages that are marked read/write and have a state of MEM_COMMIT. This allows the malware to ignore free or reserved memory, or memory that contains code, which in turn improves performance.

After a page of memory is identified, the malware reads it via a call to ReadProcessMemory. Once the memory has been read into a buffer, the malware commonly applies a regular expression to this data, or feeds the buffer to a function responsible for identifying track 1 and track 2 data. Some examples of regular expressions witnessed in the wild can be seen below:

  • \d{15,19}=\d{13,}
  • \?
  • ((B(([0-9]{13,16})|([0-9]|\\s){13,25})\\^[A-Z\\s0-9]{0,30}\\/[A-Z\\s0-9]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\\s){3,50})|(((37)|([4-5][0-9])|(60))[0-9]{13,14}(D|=)(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}))
  • ((b|B)(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Za-z\s0-9]{0,30}\/[A-Za-z\s0-9]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})
  • ([0-9]{15,16}(D|=)(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})

As we can see, the regular expressions used by memory scraper authors vary in complexity and effectiveness. For instance, the first regular expression listed above is used to identify the primary account number (PAN) for a given user. Alternatively, the second regular expression simply looks for the character ‘?’, which will match any number of strings. Thus, the accuracy of the results gathered will vary based on which regular expressions an author chooses.

In addition to the other checks performed, a Luhn check may be performed in order to validate the data that is identified.
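The regular expressions and Luhn check described above are also the core of a defensive card-data discovery scan, the kind of check a PCI data-discovery tool or an analyst triaging a dump file applies. The following added example (not code from the article or from any malware family it names) runs the article's track 1 / track 2 patterns over a constructed buffer and Luhn-validates each candidate PAN; the buffer contents and the 4111 1111 1111 1111 test number are constructed, and it shows why the bare `\?` pattern produces noise.

```python
import re

# The track-data regular expressions quoted in the article (the "PAN=..." form, the
# bare "\?" form, and the two track 1 / track 2 patterns), compiled as written.
PATTERNS = {
    "pan_equals": re.compile(r"\d{15,19}=\d{13,}"),
    "question": re.compile(r"\?"),
    "track1": re.compile(
        r"((b|B)(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Za-z\s0-9]{0,30}\/[A-Za-z\s0-9]{0,30}"
        r"\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})"
    ),
    "track2": re.compile(
        r"([0-9]{15,16}(D|=)(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})"
    ),
}

# Constructed buffer standing in for a page of process memory or a dump file. It mixes
# HTTP noise, one track 1 record and one track 2 record built on the well-known
# 4111 1111 1111 1111 test PAN, and a track-2-shaped string whose PAN fails the Luhn check.
SAMPLE_BUFFER = (
    "GET /index.html?id=42 HTTP/1.1\r\n"
    "%B4111111111111111^DOE/JOHN^15121011000000000?\r\n"
    ";4111111111111111=15121011234567890?\r\n"
    "order_id=1234567890123456=15121011234567890\r\n"
    "svchost.exe frmweb.exe\x00\x00"
)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check: separates real PANs from digit runs that merely look like one."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def match_counts(buf: str) -> dict:
    """How often each pattern fires; the bare question-mark pattern hits every '?' in the buffer."""
    return {name: len(rx.findall(buf)) for name, rx in PATTERNS.items()}


def scan_buffer(buf: str) -> list:
    """Run the track 1 / track 2 patterns and Luhn-validate the PAN of every candidate."""
    hits = []
    for name in ("track1", "track2"):
        for m in PATTERNS[name].finditer(buf):
            text = m.group(0)
            # The PAN is the leading digit run (after the 'B' format code on track 1).
            pan_match = re.match(r"[bB]?(\d{13,19})", text)
            pan = pan_match.group(1) if pan_match else ""
            hits.append({"pattern": name, "pan": pan, "luhn_ok": luhn_valid(pan)})
    return hits


if __name__ == "__main__":
    print(match_counts(SAMPLE_BUFFER))
    for hit in scan_buffer(SAMPLE_BUFFER):
        print(hit)
```

Only two of the three track-shaped candidates survive the Luhn check, which is why a scraper (or a scanner) that skips it reports noise alongside real card data.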

After track data has been identified, it may be written to a dump file, or automatically exfiltrated using a network protocol. HTTP, HTTPS, SMTP, and FTP are the most common protocols witnessed.

Malware Trends

Over the past decade, malware targeting PoS devices has evolved and changed considerably. The following diagram outlines the malware families witnessed during this time.

Figure 4. Timeline of PoS malware families

2007-2008

While attacks against PoS devices took place before 2007, this was the earliest indication of custom malware being written specifically to target them. During this early period of 2007-2008, custom malware was fairly rare. Many security protections were simply not implemented during this time. PoS devices often didn’t encrypt network traffic, and stored card data was kept on the filesystem, commonly unencrypted. Because many of these devices lacked security controls, attackers would simply employ tools that were used by security professionals on a daily basis, such as Wireshark, tcpdump, find, and grep, to name a few. Additionally, the use of file scrapers and network sniffers was very common.

There are some reported incidents where an attacker gained access to a PoS system only to discover a text file on the desktop with years’ worth of transaction records. In such cases, malware is often unnecessary, as the attacker can simply download the file in question and return periodically for any updates.

However, some malware families emerged during this time, such as the infamous RawPOS malware family. While this particular family gained much notoriety in 2014, it was actually one of the first known memory scrapers used in PoS attacks. The malware families created during this period varied in their techniques but shared many commonalities. For example, these malware families often provided little automation of data exfiltration. They would instead write results to a dump file on the victim device’s file system.

It’s also important to note that the media did not often mention attacks on PoS devices during this period, so they aren’t well known to the public.

2009-2010

Toward the end of the decade, the emergence of memory scrapers and keyloggers continued. As security controls improved, we saw very few instances of file scrapers or network sniffers. During this period, we also saw the appearance of some malware families that were witnessed for many years afterwards — namely, the rdasrv, mmon, and sr/searcher malware families. These families are all memory scrapers that were often incorporated into other malware families in later years. Like the 2007-2008 period, this malware was very specific in its approach, providing no automatic exfiltration or control capabilities. Attacking PoS devices was still considered a very manual endeavor in 2009-2010, as attackers needed to identify processes handling card data, and then target said processes using the malware at their disposal.

2011-2012

The 2011-2012 period for PoS attacks brought several interesting developments. The use of CardRecon, a commercial PCI compliance tool, was discovered in a number of breaches. Attackers used an illegally obtained copy of this program in order to identify card data being stored on the PoS file system. We also saw the first instance of FrameworkPOS, which is one of the more advanced malware families seen to date. FrameworkPOS not only provided automatic exfiltration, but it also heavily obfuscated data stored within the registry, and was highly targeted towards the victim. The group behind this particular malware family would be continually seen in the following years, often compromising very large organizations.

Generally, the use of automatic exfiltration continued to become more common among malware families in 2011-2012. During this time, the use of SMTP and FTP was frequently observed. However, by using these network protocols, the malware authors were forced to include authentication credentials within the malware itself. This of course causes a problem, as a malware analyst has the ability to extract this data from the binaries. In subsequent years, malware authors corrected these mistakes and shifted towards other network protocols, such as HTTP and HTTPS.

Toward the end of 2012, we saw some very interesting developments within the PoS malware community. Namely, the Dexter and Alina malware families were released, causing quite a stir due to their more advanced features. Both Dexter and Alina emerged around the same time, and provided not only automatic exfiltration capabilities but a command and control (C2) component as well. This allowed attackers to deploy their malware to multiple locations and control the victims from a single C2 administration panel. This had not been witnessed previously, and added a level of automation to PoS attacks that was not seen prior.

During this period, we also started to see increased media attention on the topic of PoS breaches and malware families. A number of high-profile breaches gained the attention of both the general public and malware authors alike.

2013-2014

The emergence of Dexter and Alina caused quite a stir in the PoS malware community, and many authors took notice. As such, a number of malware families were written with C2 characteristics in 2013-2014, such as vSkimmer, JackPOS and Backoff.

In mid-2013, the source code to the Alina malware family was sold in underground forums for $2,000. This code eventually leaked in the criminal underground shortly afterwards. Roughly two weeks after the announcement of Alina’s source code sale, in an unrelated incident, the source code to the first major variant of Dexter was leaked on the popular underground forum Darkode. The sale/leak of such prominent PoS malware families caused a number of authors to reuse and modify this code. Because of this, a number of new families were subsequently created and used, such as Spark, Eagle, and getmypass. This trend continues to this day.

The high prevalence of malware families using command and control allowed malware authors to essentially create botnets out of infected PoS devices. As such, it wasn’t long before botnet malware authors took notice. Botnets such as Andromeda have often been used to distribute PoS malware families such as Alina and JackPOS. However, other botnet authors, such as those behind Phase, began to implement PoS modules directly in their malware.

2015

This trend of adding PoS memory scraping modules to existing botnets continued into 2015. One such example is the Neutrino bot, which features denial of service commands, anti-reversing characteristics, keylogging functionality, and a command shell.

Other than the continued emergence of botnets implementing PoS features, 2015 has had minimal new PoS malware families emerge. It is likely that there simply hasn’t been a need or demand for new malware families, as a number of the more established malware families are continually updated and are successful in their endeavors.

Aftermath

After an attacker has successfully acquired card data from a targeted merchant, they will most likely sell that data on an underground forum. There are many underground forums available today, specializing in both various services and geographic areas.

Many of the larger carders provide shops to sell their dumps, often with clean user interfaces and granular search options. Customer service and ease of use are very important to the owners of these shops, as a shop’s reputation will often be the deciding factor for an interested buyer.

After a number of cards are purchased, carders will clone physical cards with the data they’ve obtained or purchased. Individuals in the same underground forums will often provide services to create plastic cards. Some examples of these cards can be seen below. As we can see, they look quite convincing to an untrained eye.

These cards can then be used to make purchases by carders. In the event a debit card with a PIN has been obtained, cloned cards can be used to withdraw money at various automated teller machines (ATMs). Carders will often purchase high-end items with the intent of reselling them online. In doing so, they are able to essentially use credit cards to obtain actual cash.

Conclusion

Attacks targeting PoS devices have been occurring for many years, and show no sign of stopping in the near future. The universal rollout of “chip and PIN” will likely deter traditional attacks facing PoS devices. This has been witnessed in Europe, where EMV technology has been widely adopted for a number of years. In such situations, the attackers typically change tactics: instead of targeting PoS devices, they target e-commerce websites, dumping databases from these webservers and acquiring card data.

In general, intrusion techniques targeting PoS devices are often no different from techniques targeting other Internet- or network-connected machines. The main difference lies in the payload, which these days is typically a keylogger or, much more commonly, a memory scraper. These payloads, or malware families, have evolved over time to become heavily automated. Such automation allows attackers to infect hundreds or thousands of machines at a time, and make changes at the click of a button.

Proper PoS Security

Those charged with the task of securing PoS devices should take necessary precautions in order to help prevent the theft of card data. Such precautions include, but are not limited to:

  • Ensure PoS devices are not directly connected to the Internet. If Internet access is required, proper controls should be enabled to only allow connections to specific hosts over specified network protocols.
  • Web browsing should be disabled completely on PoS devices if possible. If not possible, controls should be enabled that restrict browsing to specific websites.
  • Prevent unauthorized users from installing or running executables on PoS devices using process whitelisting.
  • Install security software, such as antivirus, on PoS devices.
  • Apply all necessary operating system patches.
  • Implement network segmentation between PoS devices and other corporate infrastructure.
  • Ensure any remote access applications, such as RDP, VNC, LogMeIn, etc., are configured with unique usernames and passwords, are fully up to date on patches, and are configured with two-factor authentication if possible.
  • Properly log host and network-based events.
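The last bullet is what makes the RDP scanning described under Internet Scanning visible: as an added example (not from the article), the following detector parses constructed, simplified logon records and flags a source that repeatedly fails to log on over RDP and then succeeds. Event IDs 4625/4624 and logon type 10 follow Windows Security log conventions; the pipe-delimited layout, the addresses and the account names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records modelled loosely on Windows Security events: 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive (RDP). Not a real log export.
# Field order: timestamp|event_id|logon_type|source_ip|account
SAMPLE_EVENTS = """\
2015-06-01T02:14:03Z|4625|10|203.0.113.7|Administrator
2015-06-01T02:14:04Z|4625|10|203.0.113.7|admin
2015-06-01T02:14:05Z|4625|10|203.0.113.7|pos
2015-06-01T02:14:06Z|4625|10|203.0.113.7|POSUser
2015-06-01T02:14:07Z|4625|10|203.0.113.7|Administrator
2015-06-01T02:14:09Z|4624|10|203.0.113.7|POSUser
2015-06-01T09:30:00Z|4625|10|198.51.100.5|jsmith
2015-06-01T09:30:45Z|4624|10|198.51.100.5|jsmith
"""


def parse_events(text: str) -> list:
    """Parse the constructed pipe-delimited records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, source_ip, account = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "source_ip": source_ip,
            "account": account,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Alert on any source with `threshold` failed RDP logons inside `window`.

    A successful RDP logon from an already-alerted source is recorded as the
    account that was ultimately guessed, the strongest sign the host is compromised.
    """
    recent = defaultdict(deque)     # source_ip -> timestamps of failures inside the window
    fail_total = defaultdict(int)   # source_ip -> all failures seen
    alerts = {}
    for e in events:
        if e["logon_type"] != 10:   # only RDP (RemoteInteractive) logons matter here
            continue
        src = e["source_ip"]
        if e["event_id"] == 4625:
            fail_total[src] += 1
            q = recent[src]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.popleft()     # drop failures that fell out of the sliding window
            if src in alerts:
                alerts[src]["failures"] = fail_total[src]
            elif len(q) >= threshold:
                alerts[src] = {"first_failure": q[0], "failures": fail_total[src],
                               "success_account": None}
        elif e["event_id"] == 4624 and src in alerts and alerts[src]["success_account"] is None:
            alerts[src]["success_account"] = e["account"]
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

A single failed logon followed by a success (the 198.51.100.5 records) stays below the threshold and is not flagged, so ordinary typos do not page anyone.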

[Palo Alto Networks Blog]

Understanding and Preventing Point of Sale Attacks

In recent years, there have been a number of high-profile stories involving the compromise of point of sale (PoS) devices. My research often involves deep reverse engineering and analysis of various malware families targeting PoS devices. As such, I’m often asked about the overall threats that these machines face. In this article I hope to provide a high-level view of the threat landscape currently affecting PoS devices.

Background

The term PoS refers to a machine used by businesses to conduct a retail transaction. If you have ever used a debit or credit card to make a purchase, you’ve likely seen these machines. They often run customized hardware and software, however, the underlying operating system (OS) is more commonly some version of Microsoft Windows, often Windows XP or Windows 7. This trend has shifted slightly in recent years with the popularity of mobile PoS devices, most of which run either Android or iOS. While these are becoming more common in smaller businesses, Windows-based PoS machines still make up the majority, and by association are the devices most heavily targeted by attackers.

Figure 1. Example PoS machine

Infiltration

While PoS devices can be attacked in many ways, the method of infiltration typically falls into one of the following three categories, listed by least sophisticated to most sophisticated:

  1. Spam emails / Exploit kits
  2. Scanning the Internet for default or common credentials
  3. Compromising trusted third parties

Spam Emails / Exploit Kits

These types of attacks are widespread and are often leveraged by attackers who are looking to infect as many machines as possible. Botnet owners are often seen leveraging these attacks to add further devices to their botnets.

Unfortunately, a number of organizations that own PoS machines use them as they would a personal computer. They browse the web, check email, and conduct day-to-day operations from the same machine that is conducting financial transactions. Attackers discovered that while infecting a large number of machines on the Internet, they were also infecting a small number of PoS devices as well. One such example of how PoS devices can be misused was demonstrated on Reddit, where a user discovers that he/she can access the site on their PoS. While accessing this site alone does not pose any significant security issues, it demonstrates how PoS devices can be misconfigured to allow users to access websites and Internet-based resources that should be blocked. Because of the lack of security controls on these devices, spam emails and exploit kits are able to infect these machines and subsequently steal financial data from them.

Internet Scanning for Default or Common Credentials

While more common in past years, this particular type of threat still represents a portion of attacks against PoS machines. Many PoS vendors configure their devices with remote administration services, such as Microsoft Remote Desktop, VNC, pcAnywhere, or LogMeIn. These services allow vendors to update and configure PoS machines remotely. As PoS machines may be located in geographically diverse regions, this is commonly built-in as a necessity.

Unfortunately, these services are often are configured to communicate and be accessible directly from the Internet, which allows both administrators and attackers alike to connect and attempt authentication. Additionally, these remote management services are frequently configured with default usernames and passwords. Knowing these combinations of usernames and passwords, attackers will continually scan the Internet in the hopes of identifying systems that can be accessed in such a way. A number of free utilities are available online that are designed for such tasks, making it trivial for individuals online to identify and subsequently compromise misconfigured PoS machines described.

At a recent RSA conference, researchers unveiled that a major PoS vendor had included a default username and password for all of their products for roughly 25 years. Misconfigurations such as these by both vendors and those configuring PoS machines allow attackers to obtain unauthorized access.

Figure 2. Example Remote Desktop brute force login tool

Compromising Trusted Third Parties

In one of the most sophisticated techniques seen to date, attackers have begun targeting trusted third party organizations in order to gain access to PoS machines.  This trend has been seen in recent years, with the Target breach being the most well known example. In that particular instance, an intrusion at the organization’s HVAC contractor was used to gain access to Target’s PoS machines.

Additional third party organizations, such as point of sale integrators, have been increasingly targeted in the past two years. PoS integrators are organizations responsible for the installation and maintenance of PoS machines for their clients. These organizations are often the victim of targeted attacks where spear-phishing emails and other ploys are used to compromise their networks. Once compromised, the attackers use stolen credentials, as well as the trust of the integrators networks to pivot and compromise PoS machines on their client’s networks. This tactic has been deployed heavily by the attackers behind the Backoff PoS malware family, impacting over one thousand US-based companies in 2014.

Malware Types

PoS malware is described in four categories:

  • Network Sniffer
  • File Scraper
  • Keylogger
  • Memory Scraper

Due to improvements in both PCI regulations as well as general security surrounding PoS machines, network sniffers and file scrapers are rarely, if ever, seen today. Not only did network sniffers provide track data sent across the network unencrypted, but they also had the ability to extract other sensitive information, such as credentials sent across the network. Such information could be used by attackers to gain access to other systems on the network. Alternatively, file scrapers had similar abilities, where both card data and other sensitive data on the victim machine could be identified and subsequently used by attackers. From 2007 to 2009, especially, these types of malware families were prevalent.

Since then, keyloggers and memory scraping malware families have become commonplace in PoS breaches. Keyloggers can work in a number of ways, however, one of the most common ways is to create a message-only window via a call to CreateWindow. The malware will then register a new input device via a call to RegisterRawInputDevices, which is in turn used to capture keyboard input data. Additionally, keyloggers will often also capture screenshots of the desktop to provide the attacker with more information about the victim machine.

Figure 3. Example of malware implementing keylogging functionality

Memory scrapers typically work in a small number of ways. They will begin by obtaining a handle to a process that the malware wishes to target. These processes are typically discovered via calls to either CreateToolhelp32Snapshot or EnumProcesses. At this particular stage, memory scrapers will often employ either a blacklist approach, where common process names are ignored, or a whitelist approach, where only a small subset of known process names are targeted. As an example, the svchost.exe process might be ignored, while the frmweb.exe process might be targeted.

Once a process is identified and a handle is obtained, memory scrapers will iterate through pages of memory using the VirtualQuery function. Further checks are often performed during this particular stage. Namely, a good memory scraper that is targeting track data will typically only look at pages that are set with read/write permissions and has a state of MEM_COMMIT. This allows the malware to ignore free or reserved memory, or memory that contains code, which in turn will improve performance.

After a page of memory is identified, the malware will actually read it via a call to ReadProcessMemory. After the memory has been read into a buffer, it will commonly apply a regular expression against this data, or feed the buffer to a function that is responsible for identifying track1 and track2 data. An example of some regular expressions witnessed in the wild can be seen below:

  • \d{15,19}=\d{13,}
  • \?
  • ((B(([0-9]{13,16})|([0-9]|\\s){13,25})\\^[A-Z\\s0-9]{0,30}\\/[A-Z\\s0-9]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\\s){3,50})|(((37)|([4-5][0-9])|(60))[0-9]{13,14}(D|=)(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}))
  • ((b|B)(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Za-z\s0-9]{0,30}\/[A-Za-z\s0-9]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})
  • ([0-9]{15,16}(D|=)(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})

As we can see, the regular expressions used by memory scraper authors vary in complexity and effectiveness. For instance, the initial regular expression listed above is used to identify the primary account number (PAN) for a given user. Alternatively, the second regular expression simply looks for the character ‘?’, which will match on any number of strings. Thus, the ability to gather accurate results will vary based on what particular regular expressions an author chooses.

In addition to some of the other checks performed, a luhn check may be performed in order to validate the data that is identified.

After track data has been identified, it may be written to a dump file, or automatically exfiltrated using a network protocol. HTTP, HTTPS, SMTP, and FTP are the most common protocols witnessed.

Malware Trends

Over the past decade, malware targeting PoS devices has evolved and changed considerably. The following diagram outlines the malware families witnessed during this time.

Figure 4. Timeline of PoS malware families

2007-2008

While attacks against PoS devices took place before 2007, this was the earliest indication of custom malware being written specifically targeting them. During this early period of 2007-2008, custom malware was fairly rare. Many security protections were simply not implemented during this time. PoS devices often didn’t encrypt network traffic, and stored card data was kept on the filesystem, commonly unencrypted. Because many of these lacked security controls, attackers would simply employ tools that were used by security professionals on a daily basis, such as wireshark, tcpdump, find, and grep to name a few. Additionally, the use of file scrapers and network sniffers were very common.

There are some reported incidents where an attacker gained access to a PoS system only to discover a text file on the desktop with years’ worth of transaction records. In such cases, malware is often unnecessary, as the attacker can simply download the file in question and return periodically for any updates.

However, some malware families emerged during this time, such as the infamous RawPOSmalware family. While this particular family gained much notoriety in 2014, it was actually one of the first known memory scrapers used in PoS attacks. The malware families created during this period varied in their techniques but shared many commonalities. For example, these malware families often provided minimal automation in the form of data exfiltration. They would instead write results to a dump file on the victim device’s file system.

It’s also important to note that the media does not often mention attacks hitting PoS devices during this period, and aren’t well known to the public.

2009-2010

Toward the end of the decade, the emergence of memory scrapers and keyloggers continued. As security controls improved, we saw very few instances of file scrapers or network sniffers. During this period, we also saw the appearance of some malware families that were witnessed for many years afterwards — namely, the rdasrv, mmon, and sr/searcher malware families. These families are all memory scrapers that are often incorporated into other malware families in later years. Like the 2007-2008 period, this malware was very specific in its approach, providing no automatic exfiltration or control capabilities. The approach of attacking PoS devices was still considered a very manual endeavor in 2009-2010, as attackers needed to identify processes handling card data, and then target said processes using the malware at their disposal.

2011-2012

The 2011-2012 period for PoS attacks brought several interesting developments. The use of CardRecon, a commercial PCI compliance tool, was discovered in a number of breaches. Attackers used an illegally obtained copy of this program in order to identify card data being stored on the PoS file system. We also saw the first instance of FrameworkPOS, which is one of the more advanced malware families seen to date. FrameworkPOS not only provided automatic exfiltration, but it also heavily obfuscated data stored within the registry, and was highly targeted towards the victim. The group behind this particular malware family would be continually seen in the following years, often compromising very large organizations.

Generally, the use of automatic exfiltration continued to become more common among malware families in 2011-2012. During this time, the use of SMTP and FTP was frequently observed. However, by using these network protocols, the malware authors were forced to include authentication credentials within the malware itself. This of course causes a problem, as a malware analyst has the ability to extract this data from the binaries. In subsequent years, malware authors corrected these mistakes and shifted towards other network protocols, such as HTTP and HTTPS.

Toward the end of 2012, we saw some very interesting developments within the PoS malware community, namely the release of the Dexter and Alina malware families, which caused quite a stir due to their more advanced features. Both Dexter and Alina emerged around the same time and provided not only automatic exfiltration capabilities but a command and control (C2) component as well. This allowed attackers to deploy their malware to multiple locations and control the victims from a single C2 administration panel. This had not been witnessed previously, and it added a level of automation to PoS attacks that was not seen before.

During this period, we also started to see increased media attention on the topic of PoS breaches and malware families. A number of high-profile breaches gained the attention of both the general public and malware authors alike.

2013-2014

The emergence of Dexter and Alina caused quite a stir in the PoS malware community, and many authors took notice. As such, a number of malware families were written with C2 characteristics in 2013-2014, such as vSkimmer, JackPOS and Backoff.

In mid-2013, the source code to the Alina malware family was sold in underground forums for $2,000. This code eventually leaked in the criminal underground shortly afterwards. Roughly two weeks after the announcement of Alina’s source code sale, in an unrelated incident, the source code to the first major variant of Dexter was leaked on the popular underground forum Darkode. The sale/leak of such prominent PoS malware families caused a number of authors to reuse and modify this code. Because of this, a number of new families were subsequently created and used, such as Spark, Eagle, and getmypass. This trend continues to this day.

The high prevalence of malware families using command and control allowed malware authors to essentially create botnets out of infected PoS devices. As such, it wasn’t long before botnet malware authors took notice. Botnets such as Andromeda have often been used to distribute PoS malware families such as Alina and JackPOS. Other botnet authors, such as those behind Phase, began to implement PoS modules directly in their malware.

2015

This trend of adding PoS memory scraping modules to existing botnets continued into 2015. One such example is the Neutrino bot, which features denial of service commands, anti-reversing characteristics, keylogging functionality, and a command shell.

Other than the continued emergence of botnets implementing PoS features, 2015 has seen few new PoS malware families emerge. It is likely that there simply hasn’t been a need or demand for new malware families, as a number of the more established families are continually updated and remain successful in their endeavors.

Aftermath

After an attacker has successfully acquired card data from a targeted merchant, they will most likely sell that data on an underground forum. There are many underground forums available today, specializing in both various services and geographic areas.

Many of the larger carders provide shops to sell their dumps, often with clean user interfaces and granular search options. Customer service and ease of use are very important to the owners of these shops, as a shop’s reputation will often be the deciding factor for an interested buyer.

After a number of cards are purchased, carders will clone physical cards with the data they’ve obtained or purchased. Individuals in the same underground forums will often provide services to create plastic cards. Some examples of these cards can be seen below. As we can see, they look quite convincing to an untrained eye.

These cards can then be used to make purchases by carders. In the event a debit card with a PIN has been obtained, cloned cards can be used to withdraw money at various automated teller machines (ATMs). Carders will often purchase high-end items with the intent of reselling them online. In doing so, they are able to essentially use credit cards to obtain actual cash.

Conclusion

Attacks targeting PoS devices have been occurring for many years, and show no sign of stopping in the near future. The universal rollout of “chip and PIN” will likely deter traditional attacks facing PoS devices. This has been witnessed in Europe, where EMV technology has been widely adopted for a number of years. In such situations, the attackers typically change tactics: instead of targeting PoS devices, they target e-commerce websites, dumping databases from these webservers and acquiring card data.

In general, intrusion techniques targeting PoS devices are often no different from techniques targeting other Internet- or network-connected machines. The main difference lies in the payload, which these days is typically a keylogger or, much more commonly, a memory scraper. These payloads, or malware families, have evolved over time to become heavily automated. Such automation allows attackers to infect hundreds or thousands of machines at a time, and to make changes at the click of a button.

Proper PoS Security

Those charged with the task of securing PoS devices should take necessary precautions in order to help prevent the theft of card data. Such precautions include, but are not limited to:

  • Ensure PoS devices are not directly connected to the Internet. If required, proper controls should be enabled to only allow connections to specific hosts over specified network protocols.
  • Web browsing should be disabled completely on PoS devices if possible. If not possible, controls should be enabled that restrict browsing to specific websites.
  • Prevent unauthorized users from installing or running executables on PoS devices using process whitelisting.
  • Install security software, such as antivirus, on PoS devices.
  • Apply all necessary operating system patches.
  • Implement network segmentation between PoS devices and other corporate infrastructure.
  • Ensure any remote access applications, such as RDP, VNC, LogMeIn, etc., are configured with unique usernames and passwords, are fully up to date on patches, and are configured with two-factor authentication if possible.
  • Properly log host and network-based events.
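As an added example that is not part of the Palo Alto Networks article, the following script applies three of the precautions above (egress only to specific hosts over specified protocols, segmentation, and controlled remote access) to constructed firewall log lines, and names the SMTP/FTP/HTTP(S) channels the article describes PoS malware using for exfiltration. The PoS and management subnets, the allow-listed hosts and ports, and the key=value log format are all assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical network layout and policy for a PoS segment. All addresses,
# ports and the log format are constructed for this example, not from the article.
POS_SEGMENT = ip_network("10.50.0.0/24")
MGMT_SEGMENT = ip_network("10.20.0.0/24")          # only source allowed to reach PoS remote admin
ALLOWED_EGRESS = {                                  # (destination host, "proto/port") pairs
    ("10.10.5.20", "tcp/443"),                      # payment gateway (assumed)
    ("10.10.5.30", "tcp/8530"),                     # internal patch server (assumed)
}
REMOTE_ACCESS_PORTS = {"tcp/3389": "RDP", "tcp/5900": "VNC"}
# Channels the article describes PoS malware families using for exfiltration.
EXFIL_CHANNELS = {"tcp/25": "SMTP", "tcp/21": "FTP", "tcp/80": "HTTP", "tcp/443": "HTTPS"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed firewall records: two allow-listed flows, two unexpected egress
# flows, one RDP session from outside the management segment, one legitimate
# RDP session, and one malformed line.
SAMPLE_LOG = """\
2015-10-01T02:14:07Z src=10.50.0.12 dst=10.10.5.20 proto=tcp dport=443 action=allow
2015-10-01T02:14:09Z src=10.50.0.12 dst=198.51.100.7 proto=tcp dport=21 action=allow
2015-10-01T02:15:30Z src=10.50.0.17 dst=203.0.113.44 proto=tcp dport=80 action=allow
2015-10-01T02:16:02Z src=10.50.0.17 dst=10.10.5.30 proto=tcp dport=8530 action=allow
2015-10-01T02:20:11Z src=192.0.2.9 dst=10.50.0.12 proto=tcp dport=3389 action=allow
2015-10-01T02:21:45Z src=10.20.0.5 dst=10.50.0.12 proto=tcp dport=3389 action=allow
this line is not a firewall record
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec):
    """Apply the PoS segment policy to one parsed record; return a finding string or None."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    service = f"{rec['proto']}/{rec['dport']}"
    if src in POS_SEGMENT and (rec["dst"], service) not in ALLOWED_EGRESS:
        # Any egress not on the allow-list is a finding; name the channel when it is
        # one of the exfiltration protocols the article lists.
        channel = EXFIL_CHANNELS.get(service)
        tag = f" ({channel}, a known exfiltration channel)" if channel else ""
        return f"{rec['ts']} egress {rec['src']} -> {rec['dst']} {service} not allow-listed{tag}"
    if dst in POS_SEGMENT and service in REMOTE_ACCESS_PORTS and src not in MGMT_SEGMENT:
        return (f"{rec['ts']} {REMOTE_ACCESS_PORTS[service]} to {rec['dst']} "
                f"from non-management host {rec['src']}")
    return None


def audit(log_text):
    """Run every well-formed, permitted connection through the policy; return the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue        # malformed lines and traffic the firewall already blocked are skipped
        finding = evaluate(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Against the sample log the script reports the FTP and HTTP egress from the PoS segment and the RDP session from outside the management subnet, while the allow-listed flows and the management RDP session produce nothing.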

[Palo Alto Networks Blog]

The Alphabet Soup of Acronyms Helps Navigate Certification and Security

It’s fun being a techie in the security industry, and it’s even more fun to help create certs for CompTIA. Sometimes, though, it feels as if you’ve entered what I call the acronym jumble.

Over the past few months, my product management team and I have spoken at various venues about a range of topics; mostly security. It has been extremely enlightening to work with actual practitioners to navigate the alphabet soup of the security world.

For example, you have technical acronyms such as DDOS, APT and RSA. But that’s just the techie perspective. When you add in the government language, such as DoD 8140, and then start adding certification product lingo, things get even more complicated.

CompTIA recently held its annual EMEA Member & Partner Conference, which I attended. EMEA – there’s another acronym. But wait, there’s more: One day I was on a conference call when someone said, with a straight face, “Well, now that we have that TCP/IP question answered, I’ll IM someone in the OPS team about putting the ITF exam in IBT so that the people in the DoD can go through QA.” I had to put myself on mute so folks wouldn’t hear me chuckle a bit.

Right around that week, I got an e-mail from – no fooling – the IRS. Yes, folks, the United States Internal Revenue Service. For those of you not familiar with how taxes work in the U.S., the IRS contacts you if they see, well, any discrepancies in your taxes. Of all of the letters that can rise up to the top of the alphabet soup of your life, the letters I, R and S just aren’t the ones you want to see. But thankfully, the e-mail I received wasn’t an audit. It was a kind note from Tim Martin, chief of the testing section of the IRS. He’s a techie, not an IRS auditor. In fact, it turns out he does volunteer work for another organization in the IT alphabet soup called AFCEA, a non-profit that promotes best practices in the IT profession through conferences. Tim was contacting us because he wanted someone from the CompTIA team to speak about the state of security in 2015.

Earlier this year, my colleague Patrick Lane visited Hill Airforce Base in Utah and gave a presentation to AFCEA members. I then spoke at AFCEA West in San Diego, and again at the Baltimore Defensive Cyber Operations conference later on. But my journey into getting to know security at a practitioner level didn’t end there. While there, I heard about the DON CIO, CINCPAC and other acronyms.

Since then, my team and I have met with enterprise CIOs and conversed with Navy CPOs. It just doesn’t stop. A month ago, I gave a presentation at the FCC with the title “Broadband Providers and Good Faith Steps.” It appears that the FCC is still working out its responsibilities with respect to the FTC. They’re looking to find ways that they can help people in the U.S. secure their privacy once their data has been captured by service providers. It felt good to represent the industry there, even when one of the directors told an inside joke about some L3 people – that’s director-level people to you and me.

I was recently able to spend some time with Tony Sager, formerly of the NSA and now with the CIS. Tony and I hosted a webinar in which we discussed the current state of security. He stressed the importance of a team-based approach rather than relying on that “security wizard” or the “scruffy IT type.” It was fascinating to spend time with these people because I learned more about how institutions in the U.S. apply security.

While all of this was stewing in my mind, I had a chance to attend the Spiceworld conference, a conference in Austin, Texas, put together by our friends at Spiceworks. One of my co-workers at CompTIA, Rob Winchester, had been talking up this conference for years, and we got a chance to present. The presentation I gave was called, “Persistent Threats, Custom Frameworks: A Practical Guide to Network Security.” I had a great time, mainly because I was able to mingle with techies who get things done.

Sure, we were all engaging in acronym-speak. There was plenty of talk about new protocols and exactly where they mapped to the OSI/RM. And while I was at Spiceworld, I had a minor epiphany while I was talking with a group of security workers about implementing VPNs. One of the admins in the group worked for a homebuilding company in Utah. He said it was a struggle getting his company to invest in security measures. He was worried that some of their intellectual property and a few other areas could be at risk and wanted to address the problem.

I promised I’d send him a few things that our research team was able to create, as well as an article I had written for Linux Pro Magazine about creating custom security frameworks and mapping open source security tools to it. He was grateful.

Behind all the information and acronyms we use every day, we are all looking for a compelling, clear narrative. It doesn’t matter if you’re a director at the FCC, a guy at the IRS who volunteers for AFCEA or someone who has been tasked with enabling proper VPN access to his CEO’s home office outside of the company DMZ.

In my mind, that narrative is based on some standard that everyone can understand and implement, at least eventually; is flexible, yet not open to interpretation; is embraced by the world; is scalable; allows individuals to create custom solutions and security frameworks; and enables people to learn how to secure systems easily by applying themselves with hands-on learning.

The common theme that ties together this alphabet soup is certification. It helps set the narrative in motion. People are looking for coherence. Certification standards can help bring about that coherence.

James Stanger is Senior Director, Product Development, Skills Certification at CompTIA.

[CompTIA]

5 Steps to Developing a Mobile App With Little to No Budget

There are a lot of differing opinions when it comes to developing an app for your business, but nobody argues about the efficacy of a well-developed app. The arguments focus more on how to develop quality apps without spending tons of money. If you have little-to-no budget for your app and still want the results to be phenomenal, your back is up against the wall. There is very little room for error and you need a plan.

Helpful Tips and Strategies
Your exact approach to developing an app on a budget will depend on how much money you have to spend, what industry you are targeting, and how conducive your business is to a mobile app. With that being said, the following helpful tips and strategies are transferable:

  1. Develop a Prototype Before Hiring a Programmer

Hiring a programmer immediately can exhaust your budget and limit your flexibility. Why not start with a simple prototype? Using a tool like Invision, all you have to do is “upload your designs and add hotspots to transform your static screens into clickable, interactive prototypes complete with gestures, transitions, and animations.” In other words, you can easily build an app without having to understand coding. Once you get something you like, you can hire and show the programmer exactly how you want the app to look and function.

  2. Aim for Simplicity and Functionality

Many businesses mess up when they try to overcomplicate things and create an over-the-top, appealing app. Time and time again, it has been shown that customers appreciate simplicity and functionality over complex features. This is good news for you, as you really do not have a budget to design complex features. Focus on core functionality before considering extra features.

  3. Do not Pay for Things You Do not Need

Programmers will probably try to sell you on different features, but stay grounded and do not pay for things you do not need. For example, does your app really need push notifications? This simple feature could add a significant amount to your overall project cost. By eliminating this superfluous feature, you can spend money on the things that really add value.

  4. Ask for Funding in Return for Ad Space

Who says you have to work within a tight budget? You may be able to increase your budget by finding investors who are willing to exchange capital in return for guaranteed ad space inside your app. This is beneficial for both parties and can allow you to add some additional features you would not be able to afford otherwise.

  5. Do not Rush Things

Finally, it is important that you do not rush things. When you are working within a tight timeframe, you end up spending more and making mistakes. Give yourself time and make sure you are testing the app and gathering feedback before putting it on the market. It is much easier to start with a functional app than it is to release a poorly performing one and be forced to make dozens of tweaks and updates. Here are some helpful tips for getting feedback.

Let Loose and Have Some Fun
Developing a mobile app should be fun and exciting. Do not stress over the small details, and make sure you are open to new ideas as you go. It would be very rare that your final version would look identical to your initial prototype. As you go, you will learn about the app, what users are looking for, and what does and does not work. At the end of the day, even with a small budget, you should be able to develop a functional, engaging app that people enjoy using.

Larry Alton
Freelance Writer

[ISACA Now Blog]

What Are The Most Sought After Security Skills?

IT security has become one of the most important focal points in private and public sectors. As the rise of cyber-threats impact the way we protect private data and prevent breaches that can cost into the billions of dollars to fix, the need for qualified IT security professionals is more pressing than ever before.

The demand for skilled professionals has been growing more than 10 percent each year, according to a survey conducted by (ISC)2, a non-profit association of IT professionals based in Clearwater, Florida. And the U.S. Bureau of Labor Statistics expects employment of IT security analysts to grow by almost 40 percent by 2022 – a rate higher than most other high-tech careers.

Eddie Schwarz, international vice president of the ISACA, has almost 30 years of experience in the IT world. He’s watched as the industry has converted to wireless, evolved into mobile and faced unique challenges in communicating between the back office and boardroom. In recent years, one of the most pressing issues he’s had to face is how to educate the next generation of IT analysts in up-to-date security compliance.

“Over the last seven years, we’ve seen advanced threats increase,” said Schwarz, who admits that many hackers have moved from more traditional types of crime to cyber-crime. “Cyber-terrorism isn’t going away. It’s actually getting worse and will continue to get worse in the foreseeable future. It affects everyone.”

According to Schwarz, the rate at which technology advances has a lot to do with the rise of the most devastating cyber-threats, particularly as the mobile industry skyrockets. “Everything is Internet-connected now,” says Schwarz, “which opens a lot of questions as tech marches faster and faster ahead.”

Some of these questions IT pros should be asking: How can I protect our mobile data? And what skills will I need to secure information as cyber-terrorism becomes an even bigger threat?

“We need people with the knowledge, skills and capabilities to feel safe and secure,” Schwarz explains. “But there’s a gap in knowledge and skills showing that there aren’t enough people that are experts in this field.”

Here’s What You Need to Know

Asher DeMetz of Sungard AS, an IT company with headquarters in Wayne, Pennsylvania, contributed a column to Forbes magazine about the most critical IT security skills needed on the corporate level today. “Lack of security is an issue in every corporation,” DeMetz said. “You want to build a targeted security strategy. To do so requires having a specific security skill-set.” He says that these skills may be found in-house or through a managed service provider.

The most important skill for any IT security pro right now is being able to set up a successful security program. As corporate leaders are becoming more aware of the need to bulk up security measures, they will inevitably look to a security manager to develop programs designed to reduce risks based on a customized environment. Because not every company is the same, the approach one takes to developing a security plan will not be the same either.

A theoretical approach to security may sound great in the boardroom, but it will only go so far in protecting important data. A security pro, in addition to having a plan, also needs to be able to implement programs company-wide. In some ways, this can be the most challenging step in any security measure, as it can be difficult having longtime employees change the way they operate in traditional settings.

But everyone must be on board with a security plan, which should include not only hardware and networks within the office but also handhelds and mobile devices that are linked to the company, but exist outside of the network. A security manager must also be able to get the program set up and to manage it on a continual basis.

DeMetz said that in addition to day-to-day operations, being able to audit the system is critical to ensuring that it works. Not only are there compliance laws to consider, regular testing of the system will let the team know if the protocols are working and if there are any areas that need improvement.

In this case, ethical hacking could mean the difference between risking a breach and staving off an attack. So, in addition to understanding how to keep data safe, a security expert should also be able to try to penetrate the system. Ethical hacking can indicate areas that could be at risk before a breach even happens.

In a worst-case scenario, a professional also needs to be able to respond to an attack immediately. “You’ll need to have the skills available to immediately address and remediate the problem,” says DeMetz. There is no waiting when a data breach occurs.

More Demand, More Money

Schwarz said IT professionals with these skills will be among the best-paid, most sought after analysts in the industry. “Cybersecurity is one of the hot fields today,” he says. Interestingly, he said that while a background in computer science helps to move into the field, it’s not necessary. He personally sees more and more professionals rising in the ranks from diverse educational backgrounds.

More than having a degree in computer science, employers are looking for people who can show they’ve gone through performance-based testing and exercised skills, said Schwarz, who was actually a fine art major before moving into IT. “They want to see that if the company is getting hacked, that you know what to do,” he said. “It also requires a desire to figure out what’s going on and understand why things are going wrong and what can be done to fix it.”

He said that for many years, the IT world was focused on a single generalized skill-set that may not always fit the bill when it comes to preventing cyber-terrorism. In fact, having more diversified skills may actually be a bonus for thinking outside the box and anticipating how to prevent hacking at some of the most respected organizations around the world.

“There’s no universal formula,” Schwarz said. But top IT pros should seek out companies and organizations where IT security is taken seriously. In banking, for example, as much as 15 percent of budgets are often directed toward cyber-security. “If an organization has a reliance on information – and most do at this point – and they don’t take cybersecurity seriously they have their heads in the sand.”

Click here to learn about the CompTIA Security+ certification and here to learn about the CompTIA Advanced Security Practitioner certification.

Natalie Hope McDonald is a writer and editor based in Philadelphia.

[CompTIA]
