POS Malware on the Rise in Cyber Underground

Point-of-sale (POS) malware has been the sharp end of the stick for attackers recently.

Tied to attacks on businesses from Target to Neiman Marcus, POS malware is becoming more prevalent in the cyber-underground.

“The fourth quarter of 2013 will be remembered as the period when cybercrime became real for more people than ever before,” said Vincent Weafer, senior vice president for McAfee Labs, in a statement. “These cyber thefts occurred at a time when most people were focused on their holiday shopping and when the industry wanted people to feel secure and confident in their purchases. The impact of these attacks will be felt both at the kitchen table as well as the boardroom table.”

“For security practitioners, the off-the-shelf genesis of some of these crime campaigns , the scale of operations, and the ease of digitally monetizing stolen customer data all represent a coming of age for both Cybercrime-as-a-Service and the dark web overall,” he said. 

Several POS malware families have grown in prevalence during the past few years, including BlackPOS, Dexter, ProjectHook and others, many of which are available for purchase online. According to researchers at McAfee, BlackPOS for example is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with “little programming skill or knowledge of malware functionality.” The source code for BlackPOS has also been leaked multiple times, allowing anyone to modify or employ the code for their own purposes.

“POS systems, just like any other computing system, are susceptible to attacks against unpatched software, the global internet, traffic interception and physical compromise or architectural flaws,” said Michael Belton, head of Rapid7’s assessment team. “Based on our experience with these systems, common configuration errors, missing patches and compromised user credentials are the most common points of attack.”

Just recently, Arbor Networks took a look at the Dexter malware and tied a person operating under the alias ‘rome0’ to activity around it. Just who that is remains a mystery.

“The individual using the name ‘rome0’ is well established in the underground carding scene,” explained Dave Loftus, security research analyst at Arbor Networks. “While his or her true identity is unknown, we believe he or she may reside in France based on information obtained from multiple carding forums. We [also] have seen Alina, Project Hook, Dexter, VSkimmer, and JackPos point-of-sale malware used by someone operating under the name ‘Rome0’. It’s still unclear if this is the same individual active on underground forums or an imposter.”

Back in November, Arbor Networks’ Security Engineering & Response Team (ASERT) found multiple vulnerabilities in two versions of Dexter’s control panel that allow stolen data to be stolen by malicious third-parties for a second time after being stolen by the malware the first.   

“ASERT does not have an exact count of the number of worldwide Dexter or Project Hook attacks, but we estimate that the number of infections is in the thousands based on the infection data obtained so far,” Loftus said. “We have seen concentrations of Dexter infections within the APAC region, and Project Hook within North America and Europe.”

“We believe smaller organizations have been primarily targeted by these threats,” he explained. “Dexter and Project Hook are commodity malware that are not tailored to their targeted organizations. Therefore, due to their general nature and the types of businesses that we have seen compromised, smaller organizations that have relaxed security practices are most likely at risk.”

It is important to note that regulatory compliance does not equal security – something underscored by the Target breach, Belton noted.

“A company’s security posture is only as strong as their weakest business partner,” he said, adding that “there is no such thing as perfect security. Target heavily invested in protecting customer data, but the fact that a strong security program can be undermined with smart planning is certainly unsettling.”

Related Reading: Cybercriminals Entrenched in ‘Dark Web’: Researchers