Over the past few months an abundance of point-of-sale (POS) attacks on major retailers has left millions of consumers’ personal account information vulnerable. The Home Depot, Goodwill, Supervalu grocery chain, Dairy Queen, and the UPS Store were all recently in the spotlight for POS terminal attacks where memory-scraping malware was installed to nab customer information. What is the cause of the uptick in POS attacks and what can be done to mitigate future attacks?
POS Malware Strains
Understanding the origins of POS attacks is the first defense against a vulnerable system. RAM-scraping malware is sold in underground forums and criminal-to-criminal marketplaces under a variety of malware family names such as Backoff, Trackr, Dexter, and Soraya. All of these malware families scan memory buffers of POS terminals and payment processing systems, looking for patterns of payment card data in the computer's RAM (random access memory) buffers before it gets encrypted for transmission or storage, or after it has been decrypted for processing. Captured credit card numbers are sent to a command and control center (C2) where criminals then use them for fraud or account takeover attacks. (For information on “Combating Account Takeover” download our whitepaper)
Soraya Steals the Show
Soraya is the most recent major POS malware strain, characterized by the security community as “nasty” because it combines the most effective features of the Zeus and Dexter malware families. Soraya scrapes memory and pulls web form content to steal payment card data and other personal information, which is then used to create phony credit cards for fraudulent charges. One distinctive feature of Soraya is that it runs the Luhn algorithm on the numbers it captures to check their validity. As a result, the perpetrators can discard canceled or invalid card numbers and avoid setting off early security alarms.
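The same Luhn check that lets Soraya keep only plausible card numbers is what a defender's memory-dump or log scanner uses to separate real primary account numbers (PANs) from order IDs and other digit runs. The following added example (written for this article, not code from Soraya or from PhishLabs) scans a constructed byte buffer for 13-19 digit runs, keeps only those that pass Luhn, and reports them masked so the finding itself does not leak card data. The sample buffer, the hypothetical field names in it, and the industry test card numbers 4111111111111111 and 5555555555554444 are constructed inputs.

```python
import re

# Constructed sample of what a RAM scraper, or a defender's memory/log scanner,
# might see on a POS host: track data, an unrelated numeric order id, a number
# with a single wrong digit, and a second card number with its expiry.
SAMPLE_BUFFER = (
    b"Track2=;4111111111111111=25121010000012345678?\x00"
    b"order_id=12345678901234 cust=Jane\x00"
    b"4111111111111112\x00"
    b"5555555555554444 exp=1226\x00"
)

# A candidate PAN is a run of 13-19 ASCII digits not embedded in a longer run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit;
    # a doubled value above 9 has 9 subtracted (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, as PCI DSS display rules allow."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(buf: bytes) -> list[dict]:
    """Locate Luhn-valid PAN candidates in a buffer and return masked hits with offsets."""
    hits = []
    for m in PAN_CANDIDATE.finditer(buf):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append({"offset": m.start(), "length": len(digits),
                         "masked": mask_pan(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_BUFFER):
        print(f"offset {hit['offset']:>4}: {hit['masked']} ({hit['length']} digits)")
```

Only the two genuine test card numbers survive: the 20-digit track-2 tail, the 14-digit order id, and the number with a single mistyped digit are all rejected. Run against a process memory dump of a POS application or a card-handling log, the same scanner flags data that should never have been present in cleartext, which is exactly what the malware is looking for.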
Cybercriminals deploying Soraya have primarily targeted the United States, most likely because of weaknesses in its payment systems.
Figure 1. Countries infected by the Soraya POS malware (research conducted by RedSocks)
The PhishLabs R.A.I.D. (Research, Analysis, and Intelligence Division) obtained a copy of Soraya when it was first released in May 2014, along with the admin panel on the C2 server, and a set of default credentials for the backend database that manages the Soraya bots and the data collected. Analysis of the malware found several vulnerabilities in the code, including:
- Weak or default authentication credentials, with no brute-force countermeasures.
- Lack of authentication between the server (C2) and client (malware binary program), allowing either to be easily impersonated.
- Lack of validation and sanitization of C2 communications by the client.
- Textbook web application security flaws in how the C2 server processes unsanitized input.
A hacker with even moderate skills could exploit these flaws to take control of other criminals' Soraya botnets, steal or "leech" the data those botnets have already collected, and carry out denial of service (DoS) attacks against the C2 server, against individual bots, or against the botnet as a whole.
Figure 2. Admin panel of the latest RAM-scraper malware, some of the author's avatars, and the default database configuration.
Why is the United States Targeted?
The United States lags the rest of the world in deploying and adopting EMV ("chip and PIN") payment card systems. Cybercriminals most often use RAM-scraper malware to obtain POS data that can be easily monetized by creating counterfeit cards. EMV systems, especially when combined with card readers that generate a one-time authorization code for card-not-present e-commerce transactions, render stolen EMV card data virtually useless to the hackers or to the buyers of their stolen data.
Because of this lag in adopting EMV, POS attacks pose a disproportionate threat to the United States. Many U.S. retailers have warned that they will miss the mandated conversion to EMV payment systems, which is scheduled for October 2015. The estimated cost of the conversion is between USD $500 and $1,000 per terminal, which is likely a significant factor in the delay.
Figure 3. The U.S. is scheduled to deploy EMV for adoption by October 2015. Image by EMVCo.
With the annual cost of fraud in the U.S. alone estimated at $8.6 billion, and projected to reach $10 billion or more by 2015, new security measures are required. If POS attacks continue and the risk is shifted to retailers, the conversion timetable may accelerate.
Recommendations for Mitigating Attacks
Retailers must set up more stringent security parameters to better protect consumer information. The Home Depot breach alone is said to have a possible impact on 60 million customers. There are some common safeguards that can be implemented to protect against POS attacks:
- POS systems need to be kept up-to-date with the latest security patches.
- Retailers must ensure anti-virus (AV) software subscriptions are not allowed to expire.
- AV software needs to be regularly updated with virus definitions and malware signatures.
- Unique accounts/logins should be set up for each cashier (no shared or default accounts).
- Ensure passwords are strong - no default passwords.
- Enforce adequate password quality policies through technical controls, not just written rules.
- Lock accounts after numerous failed login attempts.
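The last four safeguards (unique per-cashier accounts, no default passwords, enforced password quality, and lockout after repeated failures) are the countermeasures that the Soraya C2 panel itself lacked. The following added example (written for this article, not code from any POS vendor or from PhishLabs) shows a minimal account store that applies them: it rejects a constructed list of default passwords and short passwords at account creation, stores salted PBKDF2 hashes rather than cleartext, compares hashes in constant time, and locks an account for a fixed window once the failure threshold is reached. The account names, the default-password list, the threshold of 5 attempts, and the 15-minute lockout are constructed values; a real deployment would take them from policy.

```python
import hashlib
import hmac
import secrets
import time

# Constructed list of passwords that must never be accepted; a real policy would
# draw on a much larger breached-password corpus.
DEFAULT_PASSWORDS = {"password", "123456", "admin", "pos", "cashier", "welcome"}
MIN_PASSWORD_LENGTH = 12
MAX_FAILURES = 5          # failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60 # lockout window
PBKDF2_ITERATIONS = 100_000


def password_acceptable(pw: str) -> bool:
    """Technical enforcement of the password policy: no defaults, no short passwords."""
    if pw.lower() in DEFAULT_PASSWORDS:
        return False
    return len(pw) >= MIN_PASSWORD_LENGTH


class AccountStore:
    """One unique account per cashier, with hashed credentials and lockout."""

    def __init__(self, clock=time.monotonic):
        # The clock is injectable so lockout expiry can be tested without sleeping.
        self._clock = clock
        self._accounts: dict[str, dict] = {}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def create(self, username: str, password: str) -> None:
        """Create a cashier account; refuses passwords that fail the policy."""
        if username in self._accounts:
            raise ValueError("account already exists")
        if not password_acceptable(password):
            raise ValueError("password violates policy")
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": self._hash(salt, password),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'locked'. Locked accounts reject even correct passwords."""
        now = self._clock()
        rec = self._accounts.get(username)
        if rec is None:
            # Do the same amount of work for unknown users so timing does not
            # reveal which usernames exist.
            self._hash(bytes(16), password)
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        if hmac.compare_digest(rec["hash"], self._hash(rec["salt"], password)):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.create("cashier01", "correct horse battery staple")
    print(store.login("cashier01", "correct horse battery staple"))  # ok
    for _ in range(MAX_FAILURES):
        print(store.login("cashier01", "wrong"))  # denied x4, then locked
```

Two design points matter for the POS setting: the lockout is returned even when the correct password is finally supplied, so an attacker who guesses right on the sixth try gains nothing until the window expires, and the failure counter is tied to the individual account, which only works if every cashier has their own login rather than a shared terminal account.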
The Department of Homeland Security and the Secret Service advise retailers to contact their service providers, AV vendors, and POS terminal vendors to assess security and check for signs of a possible breach, in order to mitigate the risk from POS hacks. They also recommend closing the weaknesses described above and suggest using two-factor authentication with one-time passwords.
Cybercriminals often use information obtained in POS attacks to attempt bank account takeovers. Read this whitepaper and learn how to implement a proactive and robust fraud prevention strategy that aggressively fights back and stops account takeover attacks.