In the wake of Target's massive data breach, Michael Kassner explores the rise of POS malware and botnets.
After the Target data breach, I became curious as to how digital criminals were able to manipulate Point of Sale (PoS) systems without raising red flags. From what I’ve read, it’s surprisingly easy.
Before we dive into what the bad guys can do, let’s take a quick look at a generic PoS system. PoS hardware consists of the device used by customers to swipe their credit or debit card, and the computing equipment electronically attached to the device.
PoS software consists of the applications that process the data found on the credit or debit card’s magnetic stripe. The key information the software looks for is stored on two tracks:
- Track one: Cardholder’s name and account number
- Track two: Credit-card number and expiration date
Many PoS systems are Windows-based
I am not sure why, but I assumed PoS applications would use proprietary software. But they don’t; most are Windows-based. This blog post from Arbor Networks spells out what that realization means: “PoS systems suffer from the same security challenges that any other Windows-based deployment does.”
They may have the same security challenges, but the Arbor Networks blog touches on why threats targeting PoS systems are more of a concern:
“Potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk.”
I was curious as to why patch deployment would be slow, particularly on mission-critical systems like PoS. A source of mine conversant with PoS systems explained that patch deployment is slow or non-existent because of the many government and industry regulations. If a company supplying PoS systems updates or changes its product and the change reaches a certain threshold, it has to go through an approval process.
Another reason for slow patch rollout is that management has learned to err on the side of caution when it comes to updates, remembering when it was anyone’s guess whether an update installed correctly, bricked workstations, or brought down mission-critical servers.
Some fallout from the Target data breach has been the acknowledgment that PoS systems are under attack. This US-CERT bulletin from January 2nd mentions:
“For quite some time, cyber criminals have been targeting consumer data entered in PoS systems. In some circumstances, criminals attach a physical device to the PoS system to collect card data. In other cases, cyber criminals deliver malware which acquires card data as it passes through a PoS system.”
The US-CERT quote is an opportunity for me to introduce Dexter, the PoS malware referenced in the bulletin. In early 2013, researchers with Arbor’s Security Engineering and Response Team discovered servers hosting Dexter.
Dexter steals the process list from the infected computer, and dissects memory dumps looking for the track one and two data I mentioned earlier. At a certain point, the infected machine sends the captured data to the attackers’ command and control server, after which the criminals are free to use the information to clone new cards. The unfortunate thing is that as of yet, no one understands how the malware makes its way into the PoS system.
It seems bad guys are not content with their success, deciding to bring their game to the next level—PoS botnets.
This is from Ars Technica:
“Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target PoS terminals.”
Dan Goodin, in the Ars Technica post, mentioned that Dexter went through a major revision, and now incorporates botnet malcode. Grouping all the infected machines into a botnet is beneficial in that it allows the bad guys to monitor, in real time, the goings-on of all the infected machines. It also allows the bot masters to issue commands that immediately propagate to all member bots. To put it simply, using botnet technology helps the bad guys steal more money, while improving their odds of avoiding detection.
Guidelines to protect PoS systems
Visa took a hard look at Dexter, and came up with some preventative guidelines in this security alert. First, Visa has identified the following domains as ones that are associated with Dexter:
Visa recommends that businesses add the above domains to their outgoing firewall rule sets. Visa also recommends adding file-integrity monitoring and network-based intrusion detection to PoS systems, and suggests isolating the PoS system from the rest of the business’s internal network.
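As an added illustration (not code from Visa's alert or from this article), here is one way to check DNS query logs for lookups of blocklisted domains, a detection step that complements the outgoing firewall rule. The domain names, host names and log format are constructed placeholders, not the domains Visa listed.

```python
from collections import defaultdict

# Placeholder blocklist: the alert's real domains are not reproduced here.
BLOCKED_DOMAINS = {"c2-placeholder-one.example", "c2-placeholder-two.example"}

# Constructed DNS query log lines: "<timestamp> <client> <query name> <type>"
SAMPLE_LOG = """\
2014-01-20T09:14:02Z pos-lane-03 update.vendor-placeholder.example A
2014-01-20T09:14:07Z pos-lane-03 C2-Placeholder-One.example. A
2014-01-20T09:15:40Z pos-lane-07 panel.c2-placeholder-two.example A
2014-01-20T09:16:11Z backoffice-01 notc2-placeholder-one.example A
2014-01-20T09:17:30Z pos-lane-07 malformed-line
"""


def normalize(name):
    """Lower-case and drop the trailing root dot so variants compare equal."""
    return name.strip().lower().rstrip(".")


def is_blocked(name, blocked=BLOCKED_DOMAINS):
    """True if name is a blocked domain or any subdomain of one.

    Matching is label by label, so 'notc2-placeholder-one.example' does not
    match 'c2-placeholder-one.example' the way a substring test would.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def find_hits(log_text, blocked=BLOCKED_DOMAINS):
    """Return {client: [(timestamp, query), ...]} for blocked lookups."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip lines that do not fit the assumed format
            continue
        timestamp, client, query, _rtype = fields
        if is_blocked(query, blocked):
            hits[client].append((timestamp, normalize(query)))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_hits(SAMPLE_LOG).items()):
        for timestamp, query in events:
            print(f"{timestamp} {client} queried blocked domain {query}")
```

A hit from a PoS terminal means the machine tried to resolve a blocked name even if the firewall then dropped the connection, so it is worth alerting on rather than only blocking.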
Visa and every other source I read mentioned one thing that is paramount to keeping PoS systems secure, and it’s something we looked at earlier: keep computers, especially those using Windows operating systems, up-to-date.