Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Shifting Landscape of PoS MalwareOutput

809 views

Published on

2014 was plagued with news breaches involving the payment card processing systems of major retailers such as Target, Home Depot, and UPS. While most financially motivated hacking is done with banking Trojans such as Zeus, Point-of-Sale (PoS) malware has managed to archive a high degree of success and notoriety, while being relatively simplistic in design and untrodden in the malware world. Together, we'll take a look at some of the most well know Point-of-Sale malware families, their technical aspects, and explore a little bit of the underground credit card fraud market.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

The Shifting Landscape of PoS MalwareOutput

  1. 1. Silas Cutler: Sr. Security Researcher The Shifting Landscape of PoS Malware
  2. 2. INTRO 2015 CrowdStrike, Inc. All rights reserved. Current •CrowdStrike - Sr. Security Researcher •Malshare •Project 25499 •RIT Honeynet Project Contact •Twitter : @SilasCutler / @CrowdStrike •Email : Silas.Cutler@Gmail.com / Silas.Cutler@CrowdStrike.com
  3. 3. AGENDA 1. Technical Overview 2. Rise of the Commodity Brands 3. Targeted Breaches 4. Looking Forward 5. Questions 2015 CrowdStrike, Inc. All rights reserved. The Shifting Landscape of PoS Malware
  4. 4. Introduction PoS Malware 2015 CrowdStrike, Inc. All rights reserved. • Malware designed to steal credit card data from Point-of-Sale (PoS) terminals • PoS Terminals • Out-of-date software • Limited technical support • Appliance mentality • Plug it in and replace it when it breaks
  5. 5. 2014 Breaches - Short List 2015 CrowdStrike, Inc. All rights reserved. Sally Beauty Michaels Goodwill Dairy Queen UPS SuperValu Home Depot Staples Neiman Marcus Bebe Kmart Albertsons Jimmy Johns P.F. Changes Shaw’s and Star Market …
  6. 6. Introduction PoS Malware 2015 CrowdStrike, Inc. All rights reserved. • Cards sold in online marketplaces. • Often sold in bulk • Payment : Perfect Money / Bitcoin Webmoney / etc • Cards: • US Credit/Debit: $20/each • UK Credit/Debit: $35/each • Bank Logins (BoA): • Balance > $3k = $100 • Balance > $11k = $300 • Cash out schemes / Mules / Sellers and buyers
  7. 7. 2015 CrowdStrike, Inc. All rights reserved. Technical Overview The Shifting Landscape of PoS Malware
  8. 8. 2015 CrowdStrike, Inc. All rights reserved. MAGNETIC STRIPS %B6011898748579348^DOE/ JOHN^37829821000123000789? ;6011898748579348=1412101110000000000?* ;011234567890123445=724724100000000000030300XXXX040400099010=******==1=0000000000000000?* ISO / IEC 4909:2006 • Defines standard format for track data on Credit Cards
  9. 9. 2015 CrowdStrike, Inc. All rights reserved. TRACK DATA Track 1: %B6011898748579348^DOE/ JOHN^14121011000000000000001230000?* Track 2: ;6011898748579348=1412101110000000000?* Index: • % – Start Sentinel • B – Format Code • 6011898748579348 – Card Number • ^ – Field Separator • DOE/ JOHN – Cardholder name • 1412 – Expiration Date (2014 – Dec) • 1100 – Encrypted Pin • 123 – CVV Number • ? – End Sentinel
  10. 10. MEMORY SCRAPING 2015 CrowdStrike, Inc. All rights reserved. 1. Enumerates Processes – CreateToolhelp32Snapshot() / Process32Next() 2. Open and Read process memory – OpenProcess() / VirtualQueryEx() / ReadProcessMemory() 3. Search for Track Data 4. Validation – Luhn Algorithm / Mod 10 – Expiration Date Check
  11. 11. 2015 CrowdStrike, Inc. All rights reserved. Rise of the Commodity The Shifting Landscape of PoS Malware
  12. 12. Commodity PoS Malware 2015 CrowdStrike, Inc. All rights reserved. • Highlights • Off-the-shelf kits • Communicate via HTTP request • Price < $1k • Source code for several publicly available • Names: • Alina • Dexter • vSkimmer • Backoff • JackPoS • POSCardStealer
  13. 13. 2013 CrowdStrike, Inc. All rights reserved. ARCHITECTURE Control Server Infected hosts •Traditional Client / Server architecture – Infected hosts beacon and send data to control server – Replies from server contain status / command instructions •Communicates over HTTP requests •Operator views bots via web portal – Can send some basic commands
  14. 14. Spreading 2015 CrowdStrike, Inc. All rights reserved. • Brute-forcing Remote Management • User/Password Lists tailored for PoS systems • PcAnyWhere • VNC • Remote Desktop • LogMeIn • Phishing • Vendor Targeting * • Exploitation of Opportunity
  15. 15. 2015 CrowdStrike, Inc. All rights reserved. Targeted Breaches The Shifting Landscape of PoS Malware
  16. 16. What makes it targeted 2015 CrowdStrike, Inc. All rights reserved. • [ Quality of Malware ] != Targeted • Tailored options ( Implants designed to work in one infrastructure) • Only targets specific PoS terminal types • Logs to Internal IP addresses • Forensic countermeasures • Limited client-side controls*
  17. 17. 2014 Players 2015 CrowdStrike, Inc. All rights reserved. • FrameWork PoS • Called BlackPoS 2.0 by Trend Micro • Limited Distribution • Exfiltration done using SMB shared drives • Hard coded credentials • Contains links to Anti-US websites • Mozart PoS • Limited Distribution • Specifically designed to work against Java based PoS solutions • Designed to look like a PoS remote monitor service from NCR • Contains links to Anti-US websites
  18. 18. Case Study: Target 2015 CrowdStrike, Inc. All rights reserved. • Initial statement released 19 December 2013 • 40 Million Credit Cards stolen • PII for up to 70 Million individuals • Statement stated “criminals forced their way into our system, gaining access to guest credit and debit card information” • Largest hack of a US retailer’s PoS infrastructure
  19. 19. Case Study: Target 2015 CrowdStrike, Inc. All rights reserved. • PoS infrastructure was directly targeted • Malware used was Kaptoxa (mmon) • Part of BlackPoS malware • Traces back to 2010 • Data pushed stolen data to an internal drop-site • Used credentials to authenticate to internal SMB file store • leveraged stolen HVAC credentials • Internal Drop-sites exfiltrated data to external FTP server • Adversary may have known sensitive details about Target’s infrastructure
  20. 20. 2015 CrowdStrike, Inc. All rights reserved. Looking Forward The Shifting Landscape of PoS Malware
  21. 21. Looking Forward 2015 CrowdStrike, Inc. All rights reserved. • October 2015 Liability Shift • “ The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today.” [1] • Tokenization of Payment Methods • iPay • Google Wallet [1]http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/
  22. 22. 2015 CrowdStrike, Inc. All rights reserved. QUESTIONS The Shifting Landscape of PoS Malware
  23. 23. YOU DON’T HAVE A MALWARE PROBLEM, YOU HAVE AN ADVERSARY PROBLEM 2015 CrowdStrike, Inc. All rights reserved.

×