POS Malware Victim: Compass GroupNEXTEP Breach Affects Foodservice Management Company
Ongoing investigations relating to security breaches - first discovered in March - that involve point-of-sale system vendor NEXTEP are continuing to result in new data breach notifications being issued to consumers (see POS Vendor Investigates Breach). The latest victims: foodservice management company Compass Group and its customers.
NEXTEP's POS systems, as well as self-serve kiosks, are used in restaurants, airports, education environments, grocery stores and healthcare facilities, among other locations. One of its customers is the Missouri-based restaurant chain Zoup, which in March confirmed that it had found and removed malware from its NEXTEP POS systems which resulted in consumers' payment card data being compromised.
Now, up to 70,000 consumers may have also been affected via similar attacks involving Compass Group, which is composed of 18 operating companies that provide food for such organizations and events as IBM, SAP, the District of Columbia Public Schools and the Academy Awards.
"Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software designed to capture payment card information on certain NEXTEP self-serve payment kiosks used at a limited number of our on-site dining locations," Charlotte N.C.-based Compass Group says in a related customer FAQ. "We believe that the malware could have compromised payment card data (including name, payment card account number, card expiration date, and the CVV security code) of individuals who used a payment card at impacted NEXTEP self-serve payment kiosks in use at certain on-site dining locations, between February 2, 2015, and March 9, 2015."
Compass Group says it does not know exactly which credit or debit cards were compromised, but notes that fewer than 70,000 payment cards were used on its NEXTEP self-serve payment kiosks during the breach period. "We believe that the number of exposed cards is significantly lower because only a portion of kiosks were infected with malware," it says.
A spokeswoman for Compass Group didn't immediately respond to a request for comment about exactly which locations - and in which states - it found malware-infected NEXTEP kiosks. Its notification to California residents notes that three locations in that state were affected.
The breach warning follows POS systems provider Harbortouch Payments on April 22 confirming to Information Security Media Group that attackers had successfully launched a malware attack that affected "a small percentage" of its merchant customers (see POS Vendor Reports Malware Attack). To date, Harbortouch has offered scant additional information on the breach, but one card issuer tells ISMG that related fraud appears to have occurred from March 10 to April 14, 2015.
Familiar Attack Formula
The NEXTEP and Harbortouch Payments breaches are the latest in a string of attacks that involve POS systems. "This is more of the same - cybercriminals are testing every stakeholder in the payments ecosystem for vulnerabilities, and POS systems are a critical chokepoint for payment data that will continue to be exploited," Al Pascual, director of fraud and security for Javelin Strategy & Research, tells ISMG.
While findings from digital forensics investigations into the NEXTEP or Harbortouch Payments breaches have yet to be released, Pascual says most such attacks follow a now-familiar formula. "I can't say specifically how this happened, though poor remote access authentication is the most likely suspect."
There are many potentially exploitable vulnerabilities in the payments card ecosystem. For example, many POS-using organizations fail to change the default passwords on their POS or remote-access systems, or to safeguard such systems by only running them on segmented networks, warns Charles Henderson, vice president of managed security testing at information security firm Trustwave (see Why POS Malware Still Works). As a result, many POS devices remain highly susceptible to remote attacks and malware infections.
Suspected: Remote Access
Indeed, one financial industry source, speaking on condition of anonymity, says attackers have become expert at finding and exploiting the remote-control software that's often used in retail environments, such as the remote-access LogMeIn software, which has been exploited via numerous attacks. Beyond trying to exploit users of LogMeIn directly, attackers sometimes mention the software in phishing campaigns to try and trick users into installing POS malware that's disguised as an emergency patch.
An August 2014 Department of Homeland Security alert about Backoff POS malware warned many different commonly used remote desktop applications may have been compromised by attackers, including Apple Remote Desktop, Chrome Remote Desktop, LogMeIn Join.me, Microsoft's Remote Desktop, Pulseway and Splashtop 2 (see 1,000 Businesses Hit By POS Malware).
Some of those breaches relate to vulnerabilities in the POS software that attackers have been able to exploit via customized malware (see Retailers Attacked by POS Malware). But attackers have also targeted POS system users with phishing attacks, for example to distribute malware that is disguised as an "emergency patch" for their remote-access software.
Security firm RSA warned April 29 that it had discovered a phishing campaign targeting users of "a popular POS vendor in Europe." The malware being used by attackers appears to include variants of the POS malware known as Poseidon, which was recently discovered by security researchers at Cisco.
The cumulative effects of these malware attacks and other POS exploits are by now well-known, thanks to the resulting mega-breaches that have affected customers of Target, Michaels and Staples. But POS malware attacks have also been tied to a spate of breaches at restaurants such as P.F. Chang's, as well as many smaller merchants.
As the frequency and severity of these attacks have continued to increase, card issuers have been sharpening their monitoring and reaction capabilities, in part by keeping an eye on the underground carder forums where stolen payment card data frequently gets bought and sold (see Banks Reacting Faster to Card Breaches). But even when they identify cases of suspected fraud, banking insiders say that tracing it back to a particular retailer or establishment, or POS system vendor, takes time.
Executive Editor Tracy Kitten contributed to this story.