Stealing data from credit and debit cards is one of the earliest forms of cybercrime and is still popular among cybercriminals. Payment data is stealthily collected from POS systems and other sources and sold on the dark web. Anyone with malicious intent can buy the data and create a cloned card from it. To achieve this, cybercriminals rely on stolen card data, typically sourced from a database that holds it. One of their favorite sources is the point where a retailer first collects the card data: the Point of Sale (POS) system.
POS threats grew bigger with time
Data leak in a swipe
All attackers need to do to clone a card is to steal the card data. One way is skimming, which uses a hardware device called a skimmer. When attached to a POS terminal, the skimmer captures the card data and stores it internally; the device is later removed to extract the stolen data. However, a skimmer has to be installed in person, which makes large-scale attacks hard.
This threat was later addressed by introducing EMV-based cards, which additionally require a PIN to complete a transaction. In one sweep, all magnetic stripe skimmers were rendered useless, making the new cards much safer against skimming.
But, in a new twist, researchers have shown that the much-touted EMV cards can also be cloned by placing a shimmer in the terminal and using a network-connected smartphone.
Rise of network-based attacks
When cybercriminals realized that large-scale card data theft could never be achieved with skimmers, they turned to stealing data with network-sniffing malware. This malware intercepted card data in transit and redirected it to the attackers. Using this approach, a whopping 90 million card records were stolen from retailers in 2014.
Memory scraping then emerged as a large-scale threat to POS terminals, prompting retailers and security advisors to shift their focus to the POS systems themselves. Memory scraping is a technique in which malware designed to gather information is let loose on a POS system. The malware steals the card data from the terminal's memory every time a card is swiped and stores it; later, the stolen information is transmitted to the attackers. Since then, many such malware families have been found in the wild, and the underground market was soon flooded with them, selling at competitive prices.
The malware would be sneaked into the POS system via the tried and tested technique: phishing. A phishing mail would be sent to drop the malware, which could then spread through the network and infect the machine. It would establish a backdoor connection to a C2 server, record the card transactions, and save the information on the C2 server.
Transformation of network-based malware
Cybercriminals soon became aware of the simple and vulnerable card transaction process, in which card data is temporarily stored in plain text in the memory space of the POS software process in RAM. With such low-hanging fruit up for grabs, attackers devised malware dubbed POS RAM scrapers and installed them on the terminals. The scrapers retrieve a list of running processes and inspect each process' memory to fetch card data. They can retrieve entire sets of Track 1 and Track 2 payment card data.
The earliest evidence of POS RAM scraping was the Visa Data Security Alert issued on 2 October 2008. Back then, cybercriminals attempted to install debugging tools on POS systems to dump Track 1 and Track 2 credit card data from RAM. In those days, many retailers and smaller card-issuing banks were not compliant with PCI DSS. Using phishing emails, attackers infected these devices with malware that stole card data, in breach of the PCI DSS standards.
Here we give a list of the malware families that evolved, in the given order.
One of the earliest malware families, rdasrv, found in 2011, was used to harvest card data from memory. The malware does not typically scan every process' memory; rather, it uses regular expressions to capture the card data. Both Track 1 and Track 2 of the magnetic stripe are recorded and stored in plain text in a text file named "data.txt" or "current.txt". Since rdasrv was an early malware, it had no data-exfiltration functionality; the file was retrieved manually via remote access.
Another name for the ALINA malware family is "Trackr." The malware is updated periodically: soon after it is installed, it checks for an updated version of itself and installs it before proceeding. Version 6.x is believed to be the latest version of Alina; it inspects running processes on the infected system using CreateToolhelp32Snapshot and scans their memory for contents that match regular expressions indicating the presence of card information. Matches are sent to the command-and-control (C&C) server via an HTTP POST request.
The vSkimmer malware family is easy for cybercriminals to obtain, as a cracked builder and control panel are readily available. As is the case with most information-stealing malware, it uploads any data it captures to its own C&C server. However, if it cannot reach its server, it has another data exfiltration method: it checks for the presence of a removable drive with the label "KARTOXA007." If the drive is found, it drops a file containing any stolen information onto it, allowing offline data exfiltration.
Dexter is one of the most potent POS malware families in use today, in part because its information theft activities are not limited to just stealing card information. It also steals various system information and installs a keylogger onto affected systems. In a corporate environment, this is particularly dangerous, as this could mean that even corporate information entered into POS systems can be stolen by Dexter. Some Dexter versions are known in the underground as “Stardust” and detected under the DEXTER family.
The FYSNA malware family, also known as "ChewBacca," is fairly typical. However, it adds a new wrinkle to POS malware by using the Tor network to communicate securely with its C&C server. This makes all of the network traffic the malware generates extremely difficult to analyze, which in turn makes detection and investigation of a breach tougher.
The Decebel malware family adds well-defined evasion techniques to POS malware.
Cybercriminals are aware that researchers are looking into this emerging threat and design their wares accordingly. Decebel checks for sandboxing or analysis tools on a machine before executing. The aim is to make detection and analysis more difficult, buying attackers more time before their scheme is eventually discovered and shut down.
BlackPOS holds the record for causing the third-largest data breach, in which almost 70 million card details were stolen. Found in 2012, BlackPOS enumerates all of the processes running on the infected system using the EnumProcesses method and scans their memory for Track 1 and Track 2 credit card data. Its exfiltration methods made it the most famous POS malware. It can exfiltrate data through email: an executable payload is downloaded from the C2 server, and this executable is a command-line email client; the collected data is encrypted and sent by mail. It can also exfiltrate through FTP without the user's knowledge, with the FTP credentials hard-coded in the binary. Finally, it can exfiltrate by copying the file to the C2 server using remote access.
Next Generation POS Malware
Each generation of malware lends its tactics and features to the next. To make the new malware persistent, a new set of functionalities is integrated.
JackPOS is an Alina-inspired POS RAM scraper first identified at the beginning of 2014. Although it does not share a code base with Alina, JackPOS heavily borrows ideas and functionality from it. When first executed, JackPOS installs itself in the %APPDATA% directory. Like Alina, JackPOS maintains a list of socially engineered filenames, all related to Java, and installs itself using a filename from that list. It then adds itself to an Auto Start run key to maintain persistence.
Soraya, a custom-packed malware first discovered in June 2014, is a Dexter- and ZeuS-inspired POS RAM scraper. The custom packaging obfuscates its code and makes it difficult for security researchers to reverse-engineer its binary. When executed, Soraya injects its code into several running processes. Borrowing a trick from ZeuS, it hooks the NtResumeThread API, which Windows calls when executing new processes, and injects its code into all newly created processes. It also copies itself to the %APPDATA% directory and adds itself to an Auto Start run key to remain persistent.
ChewBacca is a POS RAM scraper family, first discovered at the end of 2013, that uses the Tor network to exfiltrate stolen data. When first executed, ChewBacca copies itself to %USERPROFILE%\START MENU\Programs\Startup\spoolsv.exe and adds itself to an Auto Start run key to remain persistent. It is self-contained and installs obfsproxy v0.2.3.25, a Tor proxy application, in %TEMP%. It then hooks WH_KEYBOARD_LL, which monitors keyboard input events. This allows ChewBacca to capture all keyboard events, which are logged to %TEMP%\system.log.
BrutPOS, first discovered in July 2014, appears to have borrowed ideas and functionality from BlackPOS and Rdasrv. Its custom packaging obfuscates its code and makes it difficult for security researchers to reverse-engineer its binary. It attempts to exploit POS systems that use weak or default passwords with open Remote Desktop Protocol (RDP) ports. Note that using weak or default passwords means noncompliance with mandatory PCI DSS requirements for merchants that process credit card transactions. BlackPOS carried out RDP password brute-forcing attacks back in 2013; BrutPOS has adopted this attack strategy to infiltrate systems.
Backoff is also an Alina-inspired family of POS RAM scrapers discovered in July 2014. It is custom-packed to obfuscate its code and to make it difficult for security researchers to reverse-engineer its binary. When first executed, it copies itself to %APPDATA%\ORACLEJAVA\javaw.exe. It then launches the copy in %APPDATA% using the -m parameter. This terminates the original Backoff process and deletes the associated file on infected systems’ disk. We have seen Alina use this installation technique. Backoff also adds itself to an Auto Start runkey to remain persistent. It injects a watchdog stub into explorer.exe to ensure that its process constantly runs. If the Backoff process is not running or terminated, the watchdog stub decrypts and reinstalls a stored copy of the malware.
GratefulPOS — a recent discovery
GratefulPOS is a code mashup of BrickPOS, BlackPOS, TRINITY and FrameworkPOS. It has the ability to scrape the RAM of the POS and send the collected data to its C2 server.
GratefulPOS has a simple and efficient method of exfiltrating scraped payment card data to the perpetrator: DNS queries to a maliciously controlled domain and its DNS name server daemon. This method can typically bypass firewalls and other enclaving set up on a merchant's POS network infrastructure, because the compromised POS system does not need to communicate directly with the Internet. It can just as easily send the queries to an internal DNS server on the merchant's network, which would presumably pass on the card data encoded in the DNS queries to the perpetrator.
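Because the POS host only ever talks to the internal resolver, the place to catch this technique is the resolver's query log rather than the firewall. The following detector is an added example, not the article's own code or anything from GratefulPOS: it profiles each zone seen in query-log lines and flags zones that receive many unique, long, high-entropy subdomains, which is the signature of data being carried in query names. The log lines are constructed (roughly in BIND query-log style), the zone name c2-placeholder.test is a placeholder rather than a real indicator, the "encoded" chunks are SHA-1 hex digests standing in for encoded card data, and treating the last two labels as the registrable zone is a simplification for the example (a real deployment would use the public suffix list).

```python
import hashlib
import math
import re
from collections import defaultdict

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


def shannon_entropy(s):
    """Bits per character; encoded or encrypted data scores high, ordinary hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname):
    """Assumption for this example: the registrable zone is the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_queries(lines):
    """Aggregate per-zone statistics from resolver query-log lines."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len": [], "entropy": []})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        zone, sub = split_zone(m.group("qname"))
        st = stats[zone]
        st["queries"] += 1
        if sub:
            st["subdomains"].add(sub)
            st["sub_len"].append(len(sub))
            st["entropy"].append(shannon_entropy(sub.replace(".", "")))
    return stats


def flag_exfil_candidates(stats, min_unique=5, min_mean_len=30, min_entropy=3.0):
    """Zones with many unique, long, high-entropy subdomains are DNS tunnelling candidates."""
    flagged = []
    for zone, st in stats.items():
        if not st["subdomains"]:
            continue
        unique = len(st["subdomains"])
        mean_len = sum(st["sub_len"]) / len(st["sub_len"])
        mean_ent = sum(st["entropy"]) / len(st["entropy"])
        if unique >= min_unique and mean_len >= min_mean_len and mean_ent >= min_entropy:
            flagged.append({"zone": zone, "unique_subdomains": unique,
                            "mean_subdomain_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)})
    return sorted(flagged, key=lambda f: f["zone"])


def build_sample_lines():
    """Constructed query-log lines: five benign lookups, then six 'tunnel' queries whose
    40-hex-char chunk labels (SHA-1 of a counter) stand in for encoded card data."""
    lines = []
    benign = ["www.example.com", "update.example.com", "time.example.net",
              "www.example.com", "update.example.com"]
    for i, q in enumerate(benign):
        lines.append(f"01-Dec-2017 10:15:{i:02d}.000 client 10.1.2.3#53001: "
                     f"query: {q} IN A + (10.1.1.1)")
    for i in range(6):
        chunk = hashlib.sha1(f"chunk{i}".encode()).hexdigest()
        lines.append(f"01-Dec-2017 10:16:{i:02d}.000 client 10.1.2.3#53002: "
                     f"query: {chunk}.{i:04d}.c2-placeholder.test IN TXT + (10.1.1.1)")
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    for hit in flag_exfil_candidates(profile_queries(SAMPLE_LINES)):
        print(hit)
```

The thresholds are starting points to tune per environment: CDNs and some security products also produce long, machine-generated labels, so the output is a candidate list for an analyst, and the useful follow-up is to check whether the querying client is a POS terminal that has no business resolving that zone at all.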
The Attack structure of POS devices
This is the initial step, in which an attacker tries to gain access to the network. It can be done in many ways; the most common is a spear-phishing email carrying malicious code that can move laterally in the network. The mail could be sent to an individual or to a set of people in the organization. Alternatively, a weakness in an external-facing system can be exploited, for example an SQL injection attack on the web server, or access can be gained using a default password.
Most organizations do not segment their network to segregate the machines that store or process cardholder data. In such cases, the malware looks for the target POS systems and traverses the network like a worm until its target is found.
The ultimate purpose of the malware is to steal the data. POS malware establishes a backdoor connection to its C2 server and keeps posting the card details every time a transaction is made.
Persistence and Stealth
The attacker needs to collect the card details of every transaction, so the malware must stay on the terminal for a long duration without being detected by security solutions. It stays stealthy by residing only in memory and writing nothing to the physical drives, to avoid detection.
After each transaction is recorded, the data must be sent to the attacker. The memory-scraping malware learns the details of the staging server, the server that stores the details of every transaction made by the POS terminal. The malware finds that server, piggybacks its data onto it, and resides there until a suitable time is found to transmit the data.
In mid-2017, there was a sudden drop in the price of stolen payment cards; in the meantime, ransomware attacks were reported that not only aimed to extort money for decrypting files but also disrupted services.
Like the NHS ransomware attack in May that disrupted health services for a week, ransomware is a potential threat to retail businesses too. POS systems can be attacked by ransomware to disrupt services, especially during the holiday season. This not only impacts the revenue of a retail business but also instills fear in customers' minds about data leaks.
Since the malware is a code snippet that runs in memory, a registry Run key is set so that on every system boot a particular executable is loaded into memory and run using PowerShell.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\java
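The persistence described for JackPOS, Soraya, Backoff and the Run key above has a small number of recurring traits: the executable sits in a user-writable profile directory such as %APPDATA% or %TEMP%, it carries a Java-themed name outside the real Java install, or the value launches PowerShell with a hidden or encoded command line. The audit below is an added example, not code from the article or from any of the families it names: it applies those three checks to a list of Run-key entries and returns the reasons for each hit. On a Windows host it reads the live HKCU and HKLM Run keys via the standard winreg module; elsewhere it falls back to constructed sample entries. The "java" value name is the one from the text, but its command line, the other value names and all paths are made up for this example.

```python
# Lower-cased substrings that mark a user-writable profile location.
PROFILE_DIR_MARKERS = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%",
                       "\\appdata\\", "\\temp\\", "\\start menu\\programs\\startup\\")
# Java-themed filenames the families above use as camouflage.
JAVA_LOOKALIKES = {"java.exe", "javaw.exe", "jusched.exe", "jqs.exe"}
# PowerShell switches typical of in-memory loaders.
POWERSHELL_SUSPECT = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")


def executable_of(command):
    """Return the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_run_entries(entries):
    """entries: iterable of (key_path, value_name, command). Returns the flagged ones."""
    findings = []
    for key_path, value_name, command in entries:
        exe_l = executable_of(command).lower()
        base = exe_l.replace("/", "\\").rsplit("\\", 1)[-1]
        cmd_l = command.lower()
        reasons = []
        if any(marker in exe_l for marker in PROFILE_DIR_MARKERS):
            reasons.append("executable lives in a user-writable profile directory")
        if base in JAVA_LOOKALIKES and "program files" not in exe_l:
            reasons.append("Java-named executable outside Program Files")
        if base in ("powershell.exe", "pwsh.exe") and any(s in cmd_l for s in POWERSHELL_SUSPECT):
            reasons.append("encoded or hidden PowerShell command line")
        if reasons:
            findings.append({"key": key_path, "value": value_name,
                             "command": command, "reasons": reasons})
    return findings


def collect_run_entries_windows():
    """Read the live HKCU and HKLM Run keys on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKEY_CURRENT_USER"),
                            (winreg.HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE")):
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)   # raises OSError at the end
                except OSError:
                    break
                entries.append((f"{hive_name}\\{path}", name, str(data)))
                i += 1
    return entries


RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample entries (only the "java" value name comes from the text).
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "java",
     "powershell.exe -NoP -W Hidden -EncodedCommand <base64-placeholder>"),
    (RUN_KEY, "javaw", r'"%APPDATA%\ORACLEJAVA\javaw.exe" -m'),
    (HKLM_RUN_KEY, "SunJavaUpdateSched", r'"C:\Program Files\Java\jre7\bin\jusched.exe"'),
    (RUN_KEY, "OneDrive",
     r'"C:\Users\cashier\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for f in audit_run_entries(collect_run_entries_windows() or SAMPLE_RUN_ENTRIES):
        print(f["key"], f["value"], "->", "; ".join(f["reasons"]))
```

The OneDrive entry is flagged on purpose: legitimate per-user software does install under AppData, so the profile-directory check needs an allowlist of known-good entries before it is used for alerting, while the PowerShell and Java-lookalike checks are precise enough to act on directly on a POS terminal, where neither has any business appearing in a Run key.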