Security Experts:

PoS Malware Kits Rose in Underground in 2014: Report

2014 will be remembered for many things. But for those whose credit or debit card information was swiped in a data breach, it may be remembered as the year when a wave of point-of-sale malware crashed into retailers big and small.

In its annual Global Threat Intel Report, security firm CrowdStrike noted that criminals began increasingly turning to ready-to-use point-of-sale (PoS) malware kits in the cyber-underground. According to Adam Meyers, vice president of intelligence at CrowdStrike, the price of these kits varied depending on their complexity, with some going for tens of dollars and others costing in the hundreds or thousands.

The attacks infected terminals with malware designed to steal credit card information as they are swiped by customers. The malware runs in the background of the terminal, and continuously scans memory for unique patterns found on a card's magnetic strip and send matching data to an attacker-controlled server, the report explains.

"In 2014, while several major companies were coping with breaches of their PoS infrastructure, many smaller retailers were facing the same threat from less-organized groups," according to the report.

"Malware such as BlackPoS requires a bit of strategic planning on the part of the adversary; much of the system lacks the point-and-click intuitive nature of commodity botnets," the report continues. "For less-organized or less-skilled adversary groups, an off-the-shelf kit such as Dexter PoS may allow for exploitation and offensive capabilities that may not otherwise be possible."

The report notes that the explosion of PoS malware may be mitigated by the adoption of EMV standards (Europay, MasterCard and Visa) as well as the growth of payment options such as Google Wallet and Apple Pay.

"Adoption of these newer payment processes should provide consumers with more secure payment methods and make it more difficult for criminals seeking to make money off these systems," according to the report. "There will be some lag time in 2015 as retailers and banks move to put these improvements in place, during which cybercriminals will still be able to exploit the current, antiquated payment processing systems in the U.S. However, the newer processes, once in place, should lead to a decline in the type of PoS attacks seen over the past year." 

During the year, the security and law enforcement communities teamed up to takedown Shylock and Gameover Zeus, two major banking botnets that dominated the first half of 2014. After the takedowns, the Dyreza and Dridex emerged as dominant forces in the world of banking malware.

"Dyreza takes a more simplistic approach to banking fraud, acting to intercept logins and perform malicious actions by acquiring the HTTP POST data from under banking SSL sessions," according to the report. "Dridex uses the classic banking Trojan tactic of relying on complex JavaScript web injects targeted at the institutions it wishes to steal from. Both threats rely on the same criminal ecosystem as their predecessors."

Away from the world of financial crime, hackers were busy launching targeted attacks against organizations around the world. During the year, CrowdStrike identified "significant activity" from 39 state-sponsored and nationalist attack groups. Vietnam was the most targeted country due to cyber-assaults by an attack group known as Goblin Panda. Those campaigns relied mainly on spear-phishing and dropped malware such as PlugX in malicious documents.

While the report names China-based adversaries as the most prolific when it came to targeted intrusions, Russian and Iranian attack groups were active during the year as well. In fact, Meyers told SecurityWeek, the Russian groups tend to be more sophisticated than the Chinese. For example, Russian attackers leverage public key cryptography to mask their command and control mechanisms and use more complex malware.

"Western businesses and enterprises need to know that there are serious bad guys in North Korea, China, Iran, Russia and other countries working tirelessly on ways to get around our defenses to steal intellectual property, disrupt business and even destroy," Meyers noted on the CrowdStrike blog. "This report gives business and IT leaders a fighting chance to find out who is targeting them and take steps to prepare their networks, minimize intellectual property loss, business downtime, and other effects of cyber security attack that undermine the bottom line."

view counter