Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. threat analysis, news and alerts.

POS Malware Continues to Target Small and Medium-Sized Businesses

3/17/2019

0 Comments

 
POS malware

POS Malware Continues to Target Small and Medium-Sized Businesses

Two organizations, Flashpoint and Cisco Talos, recently revealed that point-of-sale (POS) malware continues to be a threat to small and medium-sized businesses.

What Is a Point-of-Sale (POS) Malware? 

A point-of-sale (POS) malware is a malicious software that particularly targets POS, a system used for credit card transaction for payment of goods or services. Attackers may install a POS malware physically by tampering the PIN entry device pads or swapping out devices, an attack known as payment card skimming.

Another way of installing the POS malware is through remote installation, that is, the installation of a malware on environments where card-present retail transactions are conducted using a different computer stationed in another location. This present blog post covers the remote POS intrusion.

The goal of a POS malware is to obtain credit card details from customers. Stolen credit card details are typically sold by cyber criminals on the dark web. Buyers use these stolen credit card details to commit credit card fraud – unauthorized charges on someone else’s credit card.

Prevalence

On the same day of March 13, 2019, Flashpointand Cisco Taloseach published a report about the ongoing threat of POS malware on small and medium-sized businesses.

Flashpoint researchers reported that the POS malware called DMSniff has been actively used by cyber criminals since at least 2016 against small and medium-sized businesses in the restaurant and entertainment industries. Similar to other POS malware, DMSniff harvests credit card details. Flashpoint researchers said the DMSniff malware was previously only sold privately.

One feature of DMSniff that’s rarely seen in POS malware, Flashpoint researchers noted is the use of domain generation algorithm (DGA), a feature that creates lists of command-and-control domains or webpages on the fly. Command-and-control domains are important to cyber criminals as malware typically receive commands and send stolen data via these domains.

To cripple the effectiveness of a malware, that is, preventing the malware to receive commands or share stolen data, law enforcement or hosting providers take down these malware command-and-control domains. With domain generation algorithm, attackers can create lists of command-and-control domains on the fly in case one domain is taken down. In addition, domain generation algorithm also bypasses weak blocking mechanisms.

Cisco Talos researchers, meanwhile, reported about the proliferation of the new POS malware called GlitchPOS. The sale of this malware opened a few weeks ago in one of the crimeware forums. This malware later turned up for sale in another crimeware forum. The author of the GlitchPOS malware even created a video, showing how this malware harvests credit card details.

Like other POS malware, the main purpose of GlitchPOS is to steal credit card details from the memory of the infected system. Unlike DMSniff, with its advanced domain generation algorithm feature, GlitchPOS contains few functions, such as connecting to the command-and-control server to do the following tasks: register the infected systems, exfiltrate credit card numbers from the memory of the infected system, update the "encryption" key and clean itself. Online services such as Dropbox and Google Drive are at times used by cyber criminals as command-and-control servers.

Verizon’s 2018 Data Breach Investigations Reportfound that the accommodation and food services industry was the hardest sector in terms of remote POS intrusion in 2018, with remote POS breaches 40 times more likely to occur on the accommodation and food services industry compared to other industries.

The 2018 Verizon report added that remote POS intrusions weren’t discovered for months in 96% of cases. They were only discovered via external sources such as detection as a Common Point of Purchase (CPP) or by law enforcement.

In February this year, North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale products, disclosed that nearly 140 of its customers, mostly bars, restaurants, and coffee shops all over the US, have had POS systems infected with malware. 

Causes of Remote POS Intrusions

Here are some of the common causes of remote POS intrusions:

SSH Brute Forcing & Common Exploit Scanners

In the case of DMSniff malware, Flashpoint researchers suspected (with low confidence) that the initial infection could either be SSH brute forcing or common exploit scanners.

In SSH brute forcing, an attacker tries every possible password combination until it cracks the password of SSH, also known as Secure Shell or Secure Socket Shell, a network protocol that gives users, particularly system administrators, a means to access a computer over the internet. Common exploit scanners, meanwhile, are automated tools that are used to test applications and networks against known and new security vulnerabilities.

Supply Chain Attack

Supplier of point-of-sale products North Country Business Products revealed that POS systems of its nearly 140 business clients were infected with POS malware as cyber criminals compromised its IT system and later on planted POS malware on the network of some of its customers.

Lack of Trained Security Staff

Verizon’s 2018 Data Breach Investigations Report, meanwhile, said that businesses in the accommodation and food services industry rely almost exclusively on payment cards for their existence. Despite this reliance, this industry, in particular, restaurants are small organizations that typically don’t have trained security staff.

Good security controls and training will minimize the likelihood of a data breach for your business.

When you need help of experienced cybersecurity professionals, our team is a phone call away. Contact ustoday and protect your business.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    Social Engineering
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​
Contact us
​
Blog
Resources & Tools
​Incident Management Playbook
Privacy Policy | CASL
Copyright © 2021 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit