FEBRUARY 28, 2014
Your regular source of security updates from TrendLabs℠
In This Issue

Security Spotlight
Hitting the Data Jackpot

Security for Home Users
Protecting Your Mobile Privacy

Security for Business
Preparing for BYOD in 2014: Enabling Your Mobile Workforce

Security Spotlight

Hitting the Data Jackpot

“Though we’re not advising you to throw away your credit and/or debit cards, we think it’s a good idea to start using cash more or only frequent establishments you know take security to heart.”

2014 has just begun, but we’ve already seen breach after breach, most of them targeting huge retail stores and even chains. While this proves one of our predictions—we’ll see one major data breach each month—we believe we need to explain why and how breaches occur.

The Targets

Before we get into the how, let’s first discuss what the targets are. Point-of-sale (PoS) systems are used to accept payment and keep track of sales transactions and inventory, especially in the retail and hospitality industries. The term doesn’t refer only to the cash register or the card swiper that retailers, hotels, and other shops use; it refers to all of them. These systems are connected to an external network so retailers and shop owners can easily contact banks for card-based (debit or credit) transactions. Many PoS terminals use some version of Microsoft™ Windows®.

The Attack Tools

Hackers get to PoS systems by using malware like:

  • ALINA: Variants of this malware family scour infected PoS systems’ memory for theft-worthy card information. The malware then sends the data it steals to a command-and-control (C&C) server using HTTP POST requests.
  • Dexter: Variants of this family are reputed to be the most potent and so remain in use today. They steal not only stored credit card data but also information about the systems they infect. They also install a keylogger to maintain persistence.
  • FYSNA: Also known as “Chewbacca,” this is one of the newest PoS malware families. Variants of this family use the Tor network to secure connections to their C&C server, making the culprits behind attacks harder to track.
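
The ALINA entry above describes card data leaving a PoS system in HTTP POST traffic. As an added example (not part of the original newsletter), this Python check scans constructed proxy records for Track 2-shaped, Luhn-valid card numbers in POST bodies sent by PoS hosts to destinations outside an allowlist. The subnet, hostnames, record fields and sample data are assumptions, and the check assumes a readable body, so an encoded or encrypted payload would not match.

```python
import re
from ipaddress import ip_address, ip_network

POS_NET = ip_network("10.20.0.0/24")            # assumed PoS subnet
ALLOWED_HOSTS = {"payments.acquirer.example"}   # assumed payment gateway
# Track 2 shape (ISO/IEC 7813): PAN, '=', expiry YYMM, 3-digit service code
TRACK2 = re.compile(r"(?<!\d)(\d{13,19})=\d{2}(\d{2})\d{3}")

def luhn_ok(pan):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_data(body):
    """Return masked PANs for Track 2-shaped, Luhn-valid strings in body."""
    hits = []
    for m in TRACK2.finditer(body):
        pan, month = m.group(1), int(m.group(2))
        if 1 <= month <= 12 and luhn_ok(pan):
            # Keep first 6 and last 4 digits only, so alerts hold no full PAN
            hits.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return hits

def review(records):
    """Flag POSTs from PoS hosts carrying card data to unlisted hosts."""
    alerts = []
    for r in records:
        if r["method"] != "POST" or ip_address(r["src"]) not in POS_NET:
            continue
        hits = find_card_data(r["body"])
        if hits and r["host"] not in ALLOWED_HOSTS:
            alerts.append((r["src"], r["host"], hits))
    return alerts

TEST_T2 = ";4111111111111111=25121010000000000?"   # constructed test data
SAMPLE = [  # constructed proxy records, bodies already URL-decoded
    {"src": "10.20.0.15", "method": "POST",
     "host": "payments.acquirer.example", "body": "t2=" + TEST_T2},
    {"src": "10.20.0.15", "method": "POST",
     "host": "cdn-stats.example", "body": "d=" + TEST_T2},
    {"src": "10.20.0.22", "method": "POST",   # fails Luhn: not a card number
     "host": "cdn-stats.example", "body": "order=1234567890123456=2512101"},
    {"src": "10.30.0.5", "method": "POST",    # not a PoS host: out of scope
     "host": "cdn-stats.example", "body": TEST_T2},
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print(alert)
```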

The Methods

Now, let’s go through the steps attackers take to get their job done based on past incidents we’ve seen over the years:

  • Predeployment: Attackers can compromise PoS devices even before they’re deployed to hotels, shops, and other establishments that need them by getting access to them when they’re still being built in factories. They can either hire a disgruntled factory worker to help them or become factory workers for some time just to set up their attacks. While we haven’t seen specific proof of this, we’ve seen newly purchased devices like digital frames, smartphones, and MP3 players come built with malware.
  • Employee sabotage: Attackers can also infect PoS devices in shops by gaining access to them physically. They can pose as employees of the establishments. Infecting their target devices with malware would be easy since they already have access to these; it’s just a matter of staying undetected.
  • Network communication: Any insufficiently protected Internet-connected system can be vulnerable to online attacks. PoS devices are no exception, especially since most use Windows OSs, which are usual attack targets. They’re just as vulnerable as PCs. They can get infected if any of the other devices in your network are.

The Reasons

We’ll see more data breach incidents because attackers are discovering that it’s more effective to directly steal bulk data from the source. Rather than exerting effort to infect thousands of computers to steal their owners’ email credentials, they only need to hack their email service provider’s network, for example. They stand to get the credentials of the provider’s entire customer base to get what they want. Though doing so is indeed harder, the payout can be well worth the difficulty of hacking an email service provider’s network.

The Takeaway

Though you may think you’re just a common consumer, the fact that the establishments you buy from or whose services you use may soon be victimized should make you realize what you stand to lose. If they become victims, so will you. But we’re not advising you to throw away your credit and/or debit cards. What we’re saying is it’s a good idea to start using cash more or only frequent establishments you know take security to heart.

Copyright ©2014 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.