Cybercrime: Emerging Trends

RSA's Uri Fleyder on POS Breaches, Mobile Threats
Uri Fleyder, RSA

Point-of-sale retail breaches are the rage, but they are just one cyber-crime trend on the mind of RSA researcher Uri Fleyder. What are the malware and mobile threats that organizations should monitor?


Fleyder, who manages RSA's Cybercrime Research Lab, discussed the topic of "Current and Emerging Trends Within the Cybercrime Ecosystem" at RSA Conference Asia Pacific & Japan in Singapore.

Following his presentation, Fleyder spoke further about evolving threats - specifically point-of-sale breaches and how POS device vendors can help mitigate the risks.

"First of all, the actual pieces surrounding the POS systems are usually not very well protected," Fleyder says. "So [merchants] are using an outdated operating system -- different versions of Windows. And then they are using different passwords; sometimes they do not use any passwords at all. So first of all, you should update your operating system and then install software from reliable sources and patch them on a constant basis."

In this excerpt of an interview conducted at the latest RSA Conference, Fleyder discusses:

  • Point-of-sale breach trends;
  • Mobile threats;
  • The latest cybercrime schemes.

Fleyder is a veteran security researcher, currently managing the Cybercrime Research Lab within the RSA research group. He has vast experience in researching advanced threats, monitoring the cybercrime ecosystem and identifying emerging trends in the fascinating and dynamic world of threat research and intelligence.

POS Breach Trends

SAMEER SAXENA: It's been quite common to hear about POS breaches these days across the world. Why is there an increase in such incidents?

URI FLEYDER: First of all, it's easy to answer because for the bad guys, the cyber criminals, to prosper they are looking for a high financial profit to gain and steal money, right? Their parameters are to gain a lot of profit, versus the other side to lower their risk of exposure; they don't want to be prosecuted. So, when we are talking about this kind of fraud that involves high profits on one side and a low risk of being caught on the other side, point-of-sale networks are probably a top priority of the fraudster.

Other scenarios are ATM schemes. So, they are attacking ATM machines as well. And another very popular method is ransom for data; they will infect your computer and pop up a message and they will say that all of your files were encrypted. Sometimes it's true, sometimes it isn't true, but they are saying it, and then you have to pay them using some kind of anonymous payment method just to deliver them the money. Because of the high potential to gain a lot of financial profit, they are choosing this game successfully.

What's the Vendor's Responsibility?

SAXENA: This is also a concern for the POS system providers who are offering it to the retail sector. What would be the steps you would recommend to the POS developers to prevent such attacks in the future?

FLEYDER: There are several steps on how to inspect those devices, and I actually mentioned them in my talk. First of all, the actual pieces surrounding the POS systems are usually not very well protected. So [merchants] are using an outdated operating system -- different versions of Windows. And then they are using different passwords; sometimes they do not use any passwords at all. So first of all, you should update your operating system and then install software from reliable sources and patch them on a constant basis. Then you should always change your passwords from the different devices.

Then they are always running, intentionally or not, different exposed services to the internet. First of all, you should possibly block and close the services that are not required for your business. So you should harden the system and close the services.

Then you should use some kind of endpoint and natural monitoring solutions. You should check the activity in the logs in your endpoint device to understand [if traffic is] legitimate, and you must aggregate, collect and analyze all the [activity] in order to understand and find the malicious activity, you know, the potential attacks on your infrastructures.

Threat Trends

SAXENA: What are the future threats you foresee?

FLEYDER: Next is actually the configuration between [threats]. We are seeing it today, and we will continue to see them in the future. So forced threats, there is some kind -- some very let's say limited capabilities. Most of the threats are using techniques to check records and track the data from credit card numbers. And some of them are using [techniques] to validate the structure for credit card numbers. This way they can know if the number that they log is actually a credit card or not. And then some of them are using e-login as well. So all of this can be integrated, first of all, into remote inspection tools and then into banking Trojans.

SAXENA: Why do you say that the supply chain encryption is of importance?

FLEYDER: In recent years, this was one of the main infection methods. Historically, the supply chain infection is used for espionage and surveillance, more in the concept of advanced threats. However, in recent years we are seeing that the fraudsters from the cyber criminal domain, that their motivation is suddenly financial rather than government and military and IP (intellectual property), stealing from manufacturers in the advanced threats. So all of them are starting to exploit this infection method in order to install [malware] on the endpoint device of the user. And the reason for this is it's very easy. The chain process is very long and includes many third parties from different parts of the world. You have the product line employees ... and you have distributors and resellers and other contractors. Each one of them has at some point in time physical access to some parts of the endpoint device, and each one of them, let's say, can be bribed to install malware. This way you can infect many endpoint consumers.

Remote Access Trojans

SAXENA: Another threat which has been emerging is the remote access trojan, especially with respect to the POS systems. What can the organization do to mitigate such a threat?

FLEYDER: Yes. It's a very common -- it's not a new threat. And as I mentioned before, we are seeing the integration of forced threats with the RATs and tools, and the banking trojans as well. And when the [fraudster] gains access ... on a specific device, he can access all the files, he can upload additional malware, he can delete any files, any records, any logins, and install any software on them. So we are actually seeing the RAT populating the mobile threat in the mobile field as well. So many, just for the mobile world, are starting to use RATs to install and infect the mobile device.

What can an organization do to protect itself from the installation of a RAT or a banking trojan? First of all, you have to collect and aggregate. You have to bring visibility into your tool sets. After you collect and aggregate all of the data, all of the logs, all of the applications on your endpoint devices and inside of your network, then you have to provide a way to the analysts, to the researchers, to the guys that are responsible to protect and defend your systems, you have to provide them the tool to visualize the data that they are seeing. Most of the data, most of the logs are legitimate. But you have a small percentage of malicious ones, and you have to provide your analysts the ability to see them actually, one clear picture.

So, all of this data is gigabytes and sometimes petabytes of data. Summarize them into a clear view, and by applying your algorithms and analytics you can show them; they would be able to identify the malicious data from the legitimate one. [They then can] respond to the advanced threats to actually check the identity of the users that are using the systems to prevent online fraud and cybercrime.
