The holiday shopping season, which starts around Thanksgiving and ends with post-Christmas sales, is the busiest time of the year for retailers. As businesses get ready for the buying rush that's expected to start when Black Friday and Cyber Monday roll around, retailers are also more likely to be targeted by criminals that are after the data in their Point of Sale systems.
PoS malware, or malware designed to steal customer data from payment cards, has rapidly evolved over the past few years. While they've been found targeting businesses of different sizes, attacks on SMBs accounted for 45 percent of the incidents. The number is likely because small and medium businesses are considered easier targets—at least when compared to enterprises that are likely to have more sophisticated security measures in place.
The numerous retail breaches in the past five years have become a clear indication that PoS malware is a problem for SMBs. In any case, previous breaches should serve as a lesson to all types of organizations as the fallout of such incidents could range from a loss of customer trust and reputation to litigation claims. As the holiday approaches, businesses should be on the lookout for signs of security threats in order to prepare for the shopping frenzy and malicious actors that aim to take advantage of it.
Don’t Gift Your Customers’ Data Away
During the shopping season, with the variety and volume of transactions your business has to deal with, it can be challenging to prevent, or even respond to attacks. In the past, criminals used physical skimmers that steal data from payment cards' magnetic strips. Today, cybercriminals utilize malware for stealing data from credit or debit cards. Fundamentally, the shift and reliance on non-cash payment systems have enabled attackers to target businesses within the financial, hospitality, and retail industries. Based on past incidents, the malware has continually evolved.
In June 2016, FastPoS, a PoS malware, was seen targeting SMBs and enterprises. This particular malware is known for its fast and efficient credit card-stealing capabilities. Recently, FastPoS emerged with newer and faster capabilities—just in time for the retail season.If you’re concerned about protecting your business and customers, you can start at knowing which type of threats to look out for in order to get a better understanding of how you can build a more secure environment for your payment systems.
Key PoS threats
As mentioned earlier, PoS threats grabbed the spotlight in 2014. While the malware type has existed for years, it wasn’t until the Target breach, that a significant wave of retailers started disclosing data breach incidents.
PoS malware have been used to target diverse industries beyond retail, impacting restaurants, airports, and even parking lots. Thanks to its potential for profit, PoS malware has since become a mainstream threat that has been continuously developed and improved to catch up with more complex payment systems. The constant development resulted in different types of PoS malware that have been utilized, updated, and deployed.
Because of its effectiveness, cybercriminals who use PoS malware aren’t likely to slow down. In fact, PoS malware continues to become more widespread as it branches into various malware families. In December 2015, Black Atlas, an operation that utilized different PoS malware, surfaced just in time for the shopping season. The operation was found to be operating since September that year, and had targeted SMBs across the globe in healthcare, retail and other businesses that rely on card payment systems. According to reports, Black Atlas is run by sophisticated cybercriminals, and uses a known botnet for exfiltrating data such as screenshots and passwords.
There are two chief culprits used to capture payment card information:
PoS RAM Scraper
PoS RAM scrapers also target systems that process credit and debit card transactions. Attackers gain access to PoS systems by remotely exploiting computer vulnerabilities via phishing or other social engineering techniques. Once a Point of Sale terminal is infected, the malware captures the payment card information directly from the memory, which it "scrapes" for customer credentials and other sensitive data, which is either used to make fraudulent purchases or sold in underground markets.
In the past, PoS RAM scrapers work by retrieving a list of running processors on infected systems. It then loads and inspect each process’s memory space in the RAM, and searches for credit card data. Today, PoS RAM scrapers are capable of exfiltrating stolen data to remote servers and effectively removing all traces of a breach. The malware can also be further customized for targeted attacks.
The evolution of PoS RAM scraper malwarecan be traced back to around 2008, when RawPoS, an old malware known for debugging PoS system memory. More unique PoS RAM scraper families emerged between 2009 and 2013—all before the explosion of PoS malware in 2014.
PoS RAM scrapers aren’t the only threat affecting payment systems. Other PoS threats come in the form of skimmers where cybercriminals can steal payment data through skimming. This technique essentially involves planting a device called a skimmer into a retailer’s card payment system to pilfer data.
According to research, some SMBs unknowingly buy compromised PoS devices that are preinstalled with skimmers, resulting in the theft of customer payment data each time a transaction is made. Some skimmers are rigged with SMS notification capabilities that send the data to cybercriminals every time the tampered devices are used. Some skimmers also feature PIN pad skimmers that defeat PIN protection layers, even on new payment card tech.
Methods used to infiltrate PoS systems
It has been established that the most convenient place to steal payment card data is from the RAM of PoS systems. As such, cybercriminals are constantly finding and developing ways to infect PoS systems. Some methods include inside jobs, phishing, social engineering, vulnerability exploitation, and non-compliance with PCI DSS guidelines.
The inside job could be a challenging infection vector as it involves people, which could turn out to be your most trusted employee in this scenario. Social engineering tactics and phishing aim for chosen targets as SMBs might be using their PoS terminals to browse the internet or check emails. Attackers know this and lure their targets to click on malicious attachments or links.
The sad reality for many retailers is that they run outmoded or unsupported operating systems and that not all IT admins respond to vulnerability disclosures—which in turn makes their network vulnerable to exploits.
While some retailers might be complacent when it comes to complying with regulations, it’s important to note that failure to abide by policies concerning security—such as conforming to the shift to EMV systems—could also make it easier to infiltrate a retailer's system.
How can you protect your PoS systems?
As the holiday season starts, your business should already be thinking of ways to effectively protect against PoS attacks. Taking the time to reevaluate your PoS security can go a long way in terms of protecting your business and customer data—especially during the busiest time of the year. Here are some tips on how you can defend from PoS threats:
Application whitelisting helps oversee risk management against endpoint attacks, enforces IT policies, and manages employee productivity. Additionally, it allows threat and data policies to be managed across multiple layers of the IT infrastructure.
Comply with PCI security guidelines and new compliance standards – not only will this save you from paying hefty fines, but adhering to new regulations can protect your customers from potential attacks. In October 2015, US merchants started adopting EMV payment technology, which addresses some of the weaknesses that have facilitated PoS malware attacks.
Deploy patches accordingly – always update to the latest version of your operating system and applications, and apply the latest deployed patches.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).