Point-of-Sale Malware Uncovered in Applebee’s Restaurants

RMH Franchise Holdings (RMH), which owns and operates more than 160 Applebee’s restaurants, disclosed on March 2 that malware was uncovered on its point-of-sale (PoS) systems. The incident potentially exposed customers’ names, credit or debit card numbers, and card verification codes during the time the PoS malware was present on those systems.

RMH said that it “operates its point-of-sale systems isolated from the broader Applebee’s network,” and that its “notice applies only to RMH-owned Applebee’s restaurants.” Online or self-pay tabletop device payments were not affected. Their report also listed the locations of affected Applebee’s restaurants, which include those in Alabama, Arizona, Texas, Florida, Illinois, Indiana, Kansas, Kentucky, Ohio, Mississippi, Missouri, Nebraska, Oklahoma, Pennsylvania, and Wyoming.

RMH is urging customers who may be affected by the incident to regularly review their financial statements and report any fraudulent activity to law enforcement authorities. RMH also has a dedicated help line (888-764-7357) that affected customers can use.

[RELATED NEWS: Forever 21 Reports PoS Malware Linked to Data Breach]

“After discovering the incident on February 13, 2018, RMH promptly took steps to ensure that it had been contained. In addition to engaging third-party cyber security experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation. Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again,” explained RMH in its statement.

[READ: What can hackers do with your stolen identity?]

These threats work by scraping the device’s random access memory (RAM), where the customers’ payment card data is held while a transaction is processed. This malware often arrives as a seemingly benign program or application. Sometimes all an attacker needs is a vulnerable or unpatched device (or one that doesn’t encrypt card data), or a way into a remote access system connected to it.

PoS malware such as RawPOS is also typically bundled with other threats such as backdoors and keyloggers to steal as much personally identifiable information (PII) as possible. In the case of MajikPOS, the stolen PII was sold in the cybercriminal underground. Other threat actors use this information as a springboard for further cyberattacks.

[INFOGRAPHIC: How to protect point-of-sale systems from malware]

Threats constantly evolve, and when used by tenacious cybercriminals and threat actors, the adverse impact on an organization’s bottom line, reputation, and operations can be significant, particularly for companies under the purview of the EU General Data Protection Regulation (GDPR). In 2015, for instance, small and medium-sized businesses accounted for nearly half of PoS malware and skimmer-related incidents.

These incidents highlight the need for organizations to implement a more proactive incident response strategy, especially against threats that are not visible to traditional security solutions. For instance, many PoS malware families hide behind encrypted or legitimate-looking network traffic to avoid rousing suspicion. They also piggyback on other vectors such as botnets and hacking tools, incorporate tried-and-tested routines, and abuse legitimate mechanisms to propagate further and evade detection. A proactive incident response strategy can also help companies that don’t have the manpower or resources to actively manage and monitor their network and systems.

Businesses should also adopt best practices including:

  • Compliance with the latest Payment Card Industry Data Security Standard (PCI-DSS).
  • Adoption of properly configured chip-and-PIN (EMV) cards.
  • Security across all layers of the infrastructure that stores and handles data, such as remote desktops and endpoints (e.g., using whitelisting and behavior monitoring to block suspicious files and anomalous routines).
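The two detection ideas above (PoS malware hiding in network traffic, and monitoring remote desktops for anomalous activity) can be reduced to a simple check over host logs: a PoS terminal should only talk to the payment processor, and a burst of failed remote logins against it deserves a look. The script below is an added example, not code from the original article or from Trend Micro; the log format, host names, allowlisted gateway address and threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample values: the only expected egress from a PoS terminal is the
# payment processor's gateway; any other destination is worth an analyst's look.
POS_HOSTS = {"pos-01", "pos-02"}
POS_EGRESS_ALLOWLIST = {("203.0.113.10", 443)}
BRUTE_FORCE_THRESHOLD = 5  # failed remote logins from one source before flagging

# Hypothetical key=value log format used for the constructed sample below.
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest").split()
    ev.update(kv.split("=", 1) for kv in rest if "=" in kv)
    return ev


def analyze(lines):
    """Return (finding, host, detail) tuples for unexpected egress and brute-force patterns."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "conn" and ev["host"] in POS_HOSTS:
            dst = (ev["dst"], int(ev["dport"]))
            if dst not in POS_EGRESS_ALLOWLIST:
                findings.append(("unexpected_egress", ev["host"], f"{dst[0]}:{dst[1]}"))
        elif ev["event"] == "rdp_login" and ev.get("result") == "fail":
            failed_logins[(ev["src"], ev["host"])] += 1
    for (src, host), n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("possible_brute_force", host, f"{src} ({n} failures)"))
    return findings


# Constructed sample log: one legitimate processor connection, one unexpected
# destination on a non-standard port, and a burst of failed RDP logins.
SAMPLE_LOG = [
    "2018-02-13T10:00:01 host=pos-01 event=conn dst=203.0.113.10 dport=443",
    "2018-02-13T10:00:05 host=pos-01 event=conn dst=198.51.100.22 dport=8080",
    "2018-02-13T10:02:00 host=pos-02 event=rdp_login src=10.0.0.5 result=ok",
] + [f"2018-02-13T10:01:{i:02d} host=pos-02 event=rdp_login src=198.51.100.7 result=fail" for i in range(6)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In practice the allowlist would come from the processor's published endpoints and the threshold from the site's normal login volume; the point is that both checks need only logs the terminal already produces.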

Trend Micro Solutions

Trend Micro’s Endpoint Application Control protects PoS devices and significantly mitigates similar attacks by ensuring that only whitelisted applications are allowed to execute. Trend Micro’s Deep Discovery Inspector can be used to detect attempts at lateral movement and possible brute-force activity on systems connected to PoS devices. Trend Micro’s advanced endpoint solutions, such as Trend Micro™ Smart Protection Suites for enterprises and Trend Micro™ Worry-Free™ Business Security for small businesses, provide both detection and blocking of the related PoS threats, including malicious files and C&C traffic.

These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.
