Threats and Attacks Haunting PoS Systems

A Point of Sale (PoS) system is as vulnerable to cyberattacks as any other processor-based machine. However, now more than ever, it is under greater threat.

What happened?

Researchers have reported a new variant of the Alina malware, which has been active since 2012, lurking around with a new trick for stealing credit and debit card data. This time, it was found using a DNS tunneling method to exfiltrate sensitive information.
  • The malware uses encoded DNS requests and appends them to a domain, as if they were a subdomain, to communicate with attacker-controlled C2 servers.
  • Researchers discovered that Alina used four domains to communicate with the C2 servers over DNS. According to the analysis, “actors often register multiple domains to provide redundancy if one or more of the malicious domains is blocked.”
  • Alina can attack physical PoS devices as well as computers running PoS software.

Nowadays, cybercriminals go above and beyond in their attempts by closely following trends in the evolution of payment processing systems, while also developing specialized malware to steal valuable financial data. Here are some recent incidents:

Ransomware scanning PoS devices

  • The Sodinokibi gang, one of the most notorious ransomware groups, was spotted scanning compromised networks for PoS software in the food and healthcare sectors.
  • Experts opined that this scraped information could be a means of making additional money from campaigns.

Diebold Nixdorf ATMs facing threats

  • ProLock ransomware had targeted Diebold Nixdorf, an ATM maker firm, causing a limited IT system outage.
  • Last month, the Eclypsium researchers reported screwed (vulnerable) drivers in a Diebold Nixdorf ATM model with access to various x86 I/O ports. Attackers with access to those ports can potentially infest systems to read data exchanged between the ATM's central computer and the PCI-connected devices.

Protecting PoS systems

Organizations and businesses conducting transactions via PoS terminals need to be more vigilant to protect their networks.

Software drivers used in many ATM or PoS systems still run on Windows-based devices, some of which lack updates or are completely outdated. For the safety of users’ data, these machines must be replaced or upgraded to the present highest level of security standards. Further, experts advise organizations to monitor DNS traffic for anomalous behavior to prevent attacks looming on their POS software.