Why POS Malware Still Works
Security Experts: It's Too Easy To Infect Retail Systems
Security experts are warning about a new breed of point-of-sale malware dubbed Poseidon after the Greek god. Researchers at Cisco say it's the latest attack code designed to steal credit card numbers immediately after payment cards get swiped through POS terminals.
While the appearance of any new type or variation of attack code triggers alarm in financial services and retail circles, Charles Henderson, vice president of managed security testing at information security firm Trustwave, says there's a bigger problem than the POS malware du jour: Too many retailers use POS devices without changing their default passwords or running them via segmented networks, which makes such devices easy to infect with remotely controllable malware.
"It's not some ninjas coming through the ceiling on ropes, putting malware on your point of sale in the dead of night," Henderson says. "It's fairly easy attacks."
A Malware Progression
Regarding Poseidon, Craig Williams, security outreach manager for Cisco Talos, the company's security intelligence and research group, tells Information Security Media Group: "We see this malware as a progression from past malware targeting POS systems. It was professionally written to be quick and evasive, with new capabilities not seen in other POS malware."
Poseidon is a combination of the previously seen Backoff POS malware together with a more advanced downloader and installer, according to threat-intelligence firm iSight Partners.
Citing confidentiality agreements with customers, Cisco declined to comment about which types of POS systems Poseidon is designed to target, how attackers have been infecting systems with the malware, as well as whether the malware is designed to automatically spread itself between systems.
The popularity of such attacks is simple to explain: Criminals typically seek the best returns, with the lowest associated risk, using the attack path of least resistance, and that's why easy-to-build POS malware continues to thrive, says Henderson, who'll address the issue at next month's RSA information security conference in San Francisco.
Using remotely controlled POS malware, for example, criminals can operate from outside the countries they attack, which makes them more difficult to track. Fresh "dumps" of harvested card data can be easily sold via dedicated dump sites anywhere in the world. Buyers can use this data to commit online fraud; create and sell fake cards or prepaid cards; or distribute these cards to low-level money mules who commit in-person fraud at retailers or via ATMs.
Now, Cisco says Poseidon is among the most advanced malware that it's seen. Rather than using multistage data exfiltration, where card data first gets pushed to a staging server inside the victim enterprise - as reportedly happened with the 2013 data breach at Target - every piece of Poseidon malware is able to exfiltrate stolen data directly.
"Poseidon can communicate directly with command-and-control servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering," Cisco's Williams says. Security researchers rely on such reverse engineering to work out how malware operates and to build better defenses against it.
No Relation to Zeus
While Cisco's decision to name this malware "Poseidon" echoes the naming of the notorious banking Trojan Zeus - another cornerstone of Greek mythology - Williams says the two malware families do not appear to be related.
Williams says Poseidon uses three primary attack mechanisms: the "Loader" file, which contacts a C&C server to retrieve, install and execute the "FindStr" binary file, which then installs a keylogger. This keylogger survives reboots, scrapes the POS device memory and monitors for payment card data. The required pattern matching isn't complex: Poseidon watches for 16-digit numbers that begin with a 4, 5, or 6 - referring to MasterCard, Visa and Discover cards - or else a 15-digit code that begins with a 3, which is the format used by American Express.
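The card-number pattern described above is simple enough that a defender can turn it around: the same check, tightened with a Luhn checksum to cut false positives, will flag cleartext card data in traffic or logs leaving a POS segment. The following is an added example written for this article, not Cisco's or Trustwave's code; the sample lines are constructed, and the assumption that digits appear contiguously with no separators is mine, not the article's.

```python
import re

# Pattern as the article describes it: 16 digits starting with 4, 5 or 6,
# or 15 digits starting with 3. Lookarounds stop longer digit runs matching.
# Assumption (not from the article): digits are contiguous, no separators.
PAN_RE = re.compile(r"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str, require_luhn: bool = True) -> list[str]:
    """Return candidate PANs in text; with require_luhn, drop checksum failures."""
    return [m for m in PAN_RE.findall(text) if not require_luhn or luhn_ok(m)]


def mask(pan: str) -> str:
    """Keep BIN and last four so a finding can be logged without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every Luhn-valid hit in the given lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask(pan)))
    return findings


# Constructed sample of outbound request lines from a POS segment. The card
# numbers are the public test numbers used by payment brands for integration.
SAMPLE_LINES = [
    "POST /gate.php host=example.ru body=4111111111111111=2512",  # Luhn-valid
    "POST /gate.php host=example.ru body=5555555555554444",       # Luhn-valid
    "POST /api/v1 body=1234567890123456",   # leading 1: outside the pattern
    "GET /img?id=4111111111111112",          # fits the pattern, fails Luhn
    "POST /gate.php body=378282246310005",   # 15-digit Amex-format, Luhn-valid
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: cleartext PAN {masked}")
```

Without the Luhn check the bare pattern also fires on line 4, which is the noise a memory scraper tolerates but an alerting rule should not.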
Intercepted payment card data then gets exfiltrated to an outside server. In the malware sample recovered by Cisco, the code "phones home" to 12 hardcoded domains, many of which end with ".ru" - the top-level domain for Russia. But Cisco says attackers could easily update this list, for example, whenever the FindStr binary is pushed to an infected system.
The specifics of Poseidon aside, Trustwave's Henderson argues that there's too much focus on the latest POS malware, as opposed to retailers having failed to put in place defenses that would better blunt these types of attacks. "Every time the POS malware hits the market, everyone goes crazy, we have all these news releases, and we may even have a graphic released with the new malware. And we ignore the fact that there's malware getting on the point of sale in the first place."
What retailers need to do, he adds, is ensure they submit POS devices to security audits before they're rolled out. "The problem is the vulnerabilities in the point of sale [and] the lack of testing in the point of sale - and I mean, really deep-dive testing," he says. "Retail establishments are not doing their due diligence."
One common mistake retailers make, Henderson says, is failing to scrub default passwords or account names from devices.
Take widely used old and new VeriFone POS devices, which Henderson says have a default password that's been well-documented since at least 1990. When Trustwave does a POS audit, "90 percent of the VeriFone card readers that we test have that password," he says, noting that too many retailers do not change the default passwords on their VeriFone devices, which makes it easy for anyone who can get malware onto the device to then seize full control. "And that's just one vendor, and that's just one example," he says.
Henderson also urges any business that's bigger than a mom-and-pop shop to use network segmentation to better isolate POS systems and make related malware infections easier to block and detect.
He also recommends table-top exercises, involving outside consultants, to help brainstorm the easiest - and thus most likely - ways an attacker would try to penetrate any particular retailer's network. "You're not going to make any modern system bulletproof, but you can make it less profitable for the attackers to attack you," he says.
But the ease with which criminals can compromise POS devices using malware also raises the question of why passwords - default or otherwise - are still being used to secure such devices, rather than an approach based on PKI. "Why are we still even using passwords?" Henderson asks. "This is a textbook case for certificate-based authentication."
To make that happen, payment card brands would need to work together to overhaul the U.S. payment infrastructure. Until that happens, Henderson says it's important for everyone who's stuck with using the existing system to remain aware of its flaws as they try to bolster their defenses.