2018 was welcomed in with quite a power variant of the point of sale (PoS) malware.  In January, security researchers discovered the UDPoS which disguises itself as an update for LogMeIn remote access software. As soon as a PoS terminal is infected with this particular malware, the malware creates a new system service to maintain persistence and then launches an element to monitor for payment card data. The moment it detects any form of payment card data, the malware makes an HTTP request to get the infected system’s external IP address and then goes ahead to exfiltrate that data by generating UDP-based DNS traffic. Interestingly, this malware terminates itself once it detects the presence of any antivirus on the infected system.

Another interesting variant of PoS malware that spread in December 2017 during the holiday season is the ‘GratefulPoS’. This PoS malware uses a simple but rather efficient method to exfiltrate payment data by using DNS queries to a malicious domain and DNS server daemon. By doing this, it could bypass the firewall setup on a seller’s PoS network infrastructure since the compromised PoS system does not have to communicate directly with the internet.  Other interesting variants of the PoS malware that have grown in popularity, usually due to their spread during shopping seasons include FlokiBot, MajikPoS,  AlinaPoS and JackPoS among many others.

What is a PoS Malware and how does it work?

A Point of Sale malware (PoS malware) is a type of memory scrapping malicious software specifically designed to steal sensitive payment card details at the point of a transaction on PoS terminals and systems.  It reads track 2 data from the memory of PoS terminals and is often used by cybercriminals who resell stolen customer data.  The PoS malware was first used to carry out an exploit by cybercriminals in 2005 when a campaign orchestrated by Albert Gonzalez lead to the theft of data for 170 million cards.

PoS malware takes advantage of a security gap in how payment cards work. Usually, the card data is encrypted during authorisation but not when it’s being processed.  Since most PoS systems are windows based, it has become relatively straightforward to create malware that can easily be executed on them and because PoS malware is a memory scrapping malware, it looks for data temporarily in memory. As soon as it finds any, it then saves the data on a file on the PoS which the attacker can then retrieve at a much later date.

Since PoS terminals are ordinarily not connected to the internet but have some connectivity to the corporate network, malicious users then attempt to infiltrate the network first. Typically, this is done by exploiting the vulnerabilities in the outer facing systems of the network such as a SQL injection on the web server. Once that is successful, an attacker then attempts to gain access to the part of the network hosting the PoS system after which they select what data they want to steal and upload to a remote server.

Usually, attackers who exploit a PoS malware attempt to remain as discrete as possible by using various means to cover their tracks.  This can range from scrubbing log files to tampering with any security software installed on the system.

How can I stay Protected?

Most importantly, adopting strong security practices come in really handy for protection against variants of PoS malware and all forms of malware as a whole.  Practices such as using strong passwords, having a proper and updated anti-virus and patching systems and applications can help prevent access to systems by exploiting vulnerabilities present.  Also, having both internal and external firewalls can prevent malicious users from gaining access to the network.

Using multi-layered security solutions and employing application whitelisting alongside system lockdown can easily allow you control user data and the kind of applications that run on your network. Allowing only specific applications to run on the system will make it more difficult for attackers to infect the system with malware.

Finally, business owners have to take a proactive approach to tracking down any form of unusual or unauthorized behaviour. This can be done by constant monitoring of the network.  At Smarttech247 for example, we use the QRadar Security Information and Event Management tool which also incorporates artificial intelligence in its operations through IBM Watson to constantly monitor our clients’ entire network infrastructure for any kind of unusual or anomalous behaviour. Proper visibility will go a long way in detecting all forms of unusual behaviour in your network infrastructure.

At Zero Day Con in Dublin on March 7th, 2018 we will be further discussing best practices and methods for protecting your business against PoS malware and other forms of malware.