New Alerts About POS Malware Risks
FBI, Trend Micro Issue Warnings to Merchants
Recent point-of-sale malware attacks, and reports about emerging malware strains, highlight why more attention needs to be paid to POS system security.
Last week, restaurant/grocery store chain Eataly reported a malware-related POS breach at its New York location, one of 27 worldwide. The breach, which the company says may have exposed card transactions conducted from Jan. 16 through April 2, is drawing attention because some experts believe it might have involved the compromise of card data in transit.
This week, the FBI issued an alert to certain businesses about a new POS malware strain known as Punkey, which was involved in a breach at a U.S. restaurant chain, according to The Washington Free Beacon. Punkey is a memory-scraping POS malware that can be used to compromise any Windows-based POS network. Experts say it's tough to crack, because it encrypts the compromised data it exfiltrates.
The FBI did not respond to Information Security Media Group's request for more information about the alert.
Meanwhile, security firm Trend Micro has issued an alert about another new POS malware strain known as MalumPOS, which is targeting POS devices running on the Oracle MICROS platform that are commonly used by restaurants and the hospitality industry in the U.S.
Trend Micro does not mention any specific breaches where MalumPOS was used, but it does point out that this malware strain was detected in the wild. It says the malware was selectively searching for card data linked to Visa, MasterCard, American Express, Discover and Diners Club.
POS System Security Too Weak
Eric Merritt, a security researcher at forensics investigation firm Trustwave, says these recent developments demonstrate how POS malware is evolving, and why more attention has to be paid to POS security.
"The concerning thing to me really is the security state of POS systems that allows these types of attacks to occur," Merritt says. "This is why penetration testing is so important. I'm less concerned about what terminals the malware is targeting, and more concerned about how the malware is getting in."
If POS devices and systems were more secure, many of these emerging malware strains would be much less effective, he contends.
"Encrypting cardholder data at the earliest point of acceptance will help to minimize exposure in the remainder of the POS system, when perimeter controls and monitoring are not enough," Leach says. "And that is the focus of our point-to-point encryption standard, which we will be updating shortly."
An executive with a leading card issuer on the West Coast, who asked not to be named, says POS attacks aimed at restaurants and smaller merchants are creating big headaches for banks.
Because only one of Eataly's locations was compromised, researchers at threat intelligence firm iSight Partners believe the company's POS network is segmented and that the POS systems at its various locations are differentiated. In a statement about the breach, iSight also says the malware may have been stealing card details as they were transmitted over a network.
Eataly did not respond to ISMG's request for details about the breach.
"It sounds like another version of the type of attack that hit Heartland years ago, where the data was being hijacked while in transit to the processor, after it left the POS," the executive at the West Coast card issuer says about the Eataly breach. "As everyone is focused on protecting the POS and preventing the installation of malware to the terminal, attackers are already looking to new avenues."
Trustwave's Merritt says most POS breaches involve memory-scraping malware that steals transaction details from POS terminals. Both Punkey and MalumPOS are memory-scraping malware strains.
"You don't typically see malware that is intercepting data in transit, because you would have to compromise the whole network and that's just a lot more work than scraping the memory," he says.
But financial fraud expert Al Pascual, an analyst at consultancy Javelin Strategy & Research, and Carl Herberger, vice president of security solutions at application delivery vendor Radware, say the compromise of data in transit does not necessarily mean that the malware used was more sophisticated. Instead, it likely just means the compromised network was not adequately encrypting data, they say.
"This type of attack is not necessarily more elaborate, and would actually be less effective against merchants leveraging encryption than RAM-scraping card data before it was encrypted," Pascual says. "True end-to-end encryption would be the most comprehensive means of protecting data within a merchant's network from either type of threat."
Segmenting the POS network without encrypting data is futile, Pascual contends.
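The point Pascual and Merritt make above, that a memory scraper or a network sniffer finds nothing usable when card data is encrypted at the point of acceptance, can be shown with a small DLP-style audit. The following is an added example, not code from the article or from Trustwave, Trend Micro or the FBI: it scans a constructed "memory image" of a POS process for Luhn-valid card-number-shaped digit runs (the same check a defender would run over a memory dump or packet capture during an assessment), first with records stored in the clear and then with each record encrypted as it is captured. The SHA-256 counter-mode keystream is a stand-in for the hardware AES/DUKPT encryption a P2PE-validated reader performs, chosen only so the example runs on the standard library and is repeatable; the card numbers are the public test numbers used by the card brands, not real accounts.

```python
"""Audit a captured byte buffer for clear-text card numbers (added example)."""
import hashlib
import re
import struct

# Candidate PAN: 13 to 19 consecutive digits, not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which filters order numbers and timestamps out of the digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_clear_text_pans(buf: bytes) -> list:
    """Return de-duplicated, Luhn-valid digit runs found in buf, in order of appearance."""
    hits = []
    for m in PAN_RE.finditer(buf):
        s = m.group().decode("ascii")
        if luhn_ok(s) and s not in hits:
            hits.append(s)
    return hits


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: placeholder for the reader's AES/DUKPT (assumption, not P2PE)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:n]


def encrypt_at_capture(record: bytes, key: bytes) -> bytes:
    """Encrypt a single transaction record before it ever reaches POS application memory."""
    return bytes(a ^ b for a, b in zip(record, keystream(key, len(record))))


# Constructed transaction records (public brand test numbers, not real cards).
RECORDS = [
    b"PAN=4111111111111111;EXP=0917",   # Visa test number
    b"PAN=5555555555554444;EXP=1218",   # MasterCard test number
    b"PAN=378282246310005;EXP=0620",    # American Express test number
]
# Non-card noise a scraper must ignore: a 16-digit order id that fails Luhn.
NOISE = b"ORDER=1234567890123456;STORE=NYC"

DEMO_KEY = b"constructed-demo-key-not-a-real-device-key"


def build_image(encrypted: bool) -> bytes:
    """Assemble a fake process memory image, with or without encryption at capture."""
    parts = [NOISE]
    for r in RECORDS:
        parts.append(encrypt_at_capture(r, DEMO_KEY) if encrypted else r)
    return b"\x00".join(parts) + b"\x00"


def audit() -> dict:
    """Run the scan over both images; the encrypted one should yield no hits."""
    return {
        "clear_text": find_clear_text_pans(build_image(encrypted=False)),
        "encrypted_at_capture": find_clear_text_pans(build_image(encrypted=True)),
    }


if __name__ == "__main__":
    for mode, hits in audit().items():
        print(f"{mode}: {len(hits)} card number(s) exposed {hits}")
```

The clear image yields all three card numbers while the order id is discarded by the Luhn check; the image built from records encrypted at capture yields none, which is why segmentation or perimeter monitoring on their own do not remove the exposure that encryption at the point of acceptance does.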
And Herberger says merchants need to focus on real-time detection, rather than worrying so much about segmentation. "A near-real-time, very intensive picture of the problem can do more to advance security than further trying to isolate security features in slices or segmentations," he says.
New Malware Strains
Merritt says the emergence of new memory-scraping POS malware strains that have the ability to compromise numerous types of devices while hiding their tracks is far more concerning than a data-in-transit compromise.
"Punkey has a few more advanced features that you typically don't see in POS malware," he says.
For instance, most POS malware transmits compromised transaction data in clear text to a single command-and-control server, or saves the data in a file on the compromised POS terminal, Merritt explains. With Punkey, compromised data is encrypted and sent to numerous C-and-C servers simultaneously. "This made it harder to investigate," he says.
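Because Punkey encrypts what it sends, content inspection of the outbound traffic gives investigators little, and Merritt's description of data going to several command-and-control servers at once points to the control that still works: POS terminals have a short, fixed list of legitimate destinations, so egress that falls outside it is the signal. The following is an added example, not code from the article or any vendor it names, that reviews constructed flow records from a POS segment against an allowlist of placeholder processor and update hosts and flags terminals that reach unknown destinations, with a separate fan-out indicator for a terminal talking to several of them. Host names, addresses and byte counts are all constructed; the addresses come from the documentation ranges.

```python
"""Egress review for a POS segment against a destination allowlist (added example)."""
import ipaddress
from collections import defaultdict

# Constructed allowlist of hosts a terminal is expected to reach (placeholder names).
ALLOWED_DESTINATIONS = {
    "processor.example.net",  # payment processor gateway
    "updates.example.net",    # POS software update server
}

# Constructed flow records: (terminal, destination, dst_port, bytes_out).
FLOWS = [
    ("POS-01", "processor.example.net", 443, 2100),
    ("POS-01", "updates.example.net", 443, 180),
    ("POS-02", "processor.example.net", 443, 1950),
    ("POS-02", "203.0.113.10", 8080, 64200),   # unknown host, raw IP
    ("POS-02", "198.51.100.7", 443, 64200),    # unknown host, raw IP
    ("POS-02", "203.0.113.44", 80, 64200),     # unknown host, raw IP
    ("POS-03", "processor.example.net", 443, 2030),
]


def is_ip_literal(dst: str) -> bool:
    """A terminal connecting by bare IP rather than a configured name is itself an indicator."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def review_egress(flows, allowed=ALLOWED_DESTINATIONS, fanout_threshold=2) -> list:
    """Return one finding per terminal that contacted any destination outside the allowlist.

    Each finding lists the destinations, total bytes sent to them, how many were
    raw IP literals, and whether the terminal fanned out to at least
    fanout_threshold distinct unknown hosts (the multi-C2 pattern).
    """
    unexpected = defaultdict(lambda: defaultdict(int))  # terminal -> dst -> bytes
    for term, dst, _port, n in flows:
        if dst not in allowed:
            unexpected[term][dst] += n

    findings = []
    for term in sorted(unexpected):
        dsts = unexpected[term]
        findings.append({
            "terminal": term,
            "destinations": sorted(dsts),
            "bytes_out": sum(dsts.values()),
            "ip_literals": sum(1 for d in dsts if is_ip_literal(d)),
            "fanout": len(dsts) >= fanout_threshold,
        })
    return findings


if __name__ == "__main__":
    for f in review_egress(FLOWS):
        print(f)
```

In the constructed data only POS-02 is reported: three unknown raw-IP destinations, identical byte counts to each, and the fan-out flag set. The same rule catches the simpler strains Merritt describes, which post clear text to a single server, because it keys on where the terminal is talking rather than on whether the payload is readable.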
Trend Micro threat researcher Jay Yaneza points out that the MalumPOS malware, like Punkey, is configurable, meaning it can be used to compromise a variety of POS systems and terminals.
In a blog he posted June 5, Yaneza writes about how MalumPOS had successfully compromised Oracle MICROS POS terminals. These types of terminals are used by 330,000 customer sites worldwide, Yaneza writes.
"A bulk of the companies using this platform is mostly concentrated in the United States," he notes in his blog. "If successfully deployed by a threat actor, this POS RAM-scraper could put several high-profile U.S.-based companies and their customers at risk."