A little more than two weeks before the start of the official holiday shopping season, attention is drawn to the increasingly frequent Point-of-Sale (POS) malware attacks targeting big merchant chains. What stands out is that each new attack is more sophisticated than the previous one.
Cyphort Labs Report on Recent POS Malware Attacks
Cyphort Labs, a leader in the software security industry, published a report describing last year’s POS breaches at the big merchant chains Target, Home Depot and UPS, attributed to the BlackPOS, FrameworkPOS and Backoff malware families.
During the last six months, the report states, there was a series of large-scale malware attacks. The merchant chains named above lost millions of payment records and credit card details. The logical questions that follow are how all this data came to be exposed to such risk, what attackers may be capable of this year, and how merchants can best protect this valuable information.
POS Malware Targets and Types
Cyphort Labs researchers have concluded that two targeting directions and three types of breaches can be identified in the recent malware attacks.
One direction targets attacks at specific organizations, such as a particular big merchant; the other is more general and targets POS systems at large.
The three types of breaches are the malware families mentioned above:
- BlackPOS – designed to extract credit card information from cards swiped through infected POS terminals
- FrameworkPOS – designed to run on several processors or host operating systems, and may take any form from a Trojan to a virus
- Backoff – malware that operates by scraping data from the memory of an infected machine
Researchers believe they are not from the same authors, but FrameworkPOS appears to copy earlier POS malware. The basic ideas, such as scanning memory and hiding stolen data on local servers in binary files, are identical.
Building a systematic, multi-step approach is hardly that complicated, according to Josh Grunzweig, an author on the Nuix blog. The first BlackPOS malware, for example, first found last year, is not that demanding and is completely dependent on one of the first POS malware families discovered in 2010. POS attacks are nothing new or surprising either, as news of them appears every week, creating a rather chaotic atmosphere in non-cash payments. All of these malware families look alike, however, and have been around for a long time.
Dexter – the Malware “Game Changer”
The first malware of this kind to make any difference, Grunzweig thinks, is the so-called Dexter malware, which first appeared in 2012. It is something of a “game changer”, the author says. With its completely new approach and multiple functions such as keylogging, memory scraping and injecting itself into Internet Explorer so that it cannot be removed, it is well ahead of its predecessors.
The same approach was adopted by the later Backoff malware as well, which was actually discovered and named by Grunzweig himself. According to the US Department of Homeland Security, this type of malware has infected more than 1000 businesses in the country so far.
Moreover, according to new research by Fortinet, it continues to evolve. Last week they posted in a blog that several new versions of the malware have appeared recently, with improvements in the way they hide and avoid detection on affected machines. Instead of disguising itself as a Java component, it now poses as a Windows Media Player component and uses hashes to resolve the system APIs it calls. Changes in the command and control servers make the malware even harder to detect.
“This blog post has described the updates made to the Backoff PoS malware, ROM. We are observing that the malware authors are continuing to modify their malware binaries in their efforts to bypass detection, and to hinder the analysis process.
We recommend that users continue to maintain updated anti-virus software to better protect themselves from ongoing threats,” Fortinet researchers advise in the blog post.