Silas Cutler: Sr. Security Researcher
The Shifting Landscape of PoS Malware
INTRO
2015 CrowdStrike, Inc. All rights reserved.
Current
• CrowdStrike - Sr. Security Researcher
• Malshare
• Project 25499
• RIT Honeynet Project
Contact
• Twitter : @SilasCutler / @CrowdStrike
• Email : Silas.Cutler@Gmail.com / Silas.Cutler@CrowdStrike.com
AGENDA
1. Technical Overview
2. Rise of the Commodity Brands
3. Targeted Breaches
4. Looking Forward
5. Questions
Introduction PoS Malware
• Malware designed to steal credit card data from Point-of-Sale (PoS) terminals
• PoS Terminals
• Out-of-date software
• Limited technical support
• Appliance mentality
• Plug it in and replace it when it breaks
2014 Breaches - Short List
Sally Beauty
Michaels
Goodwill
Dairy Queen
UPS
SuperValu
Home Depot
Staples
Neiman Marcus
Bebe
Kmart
Albertsons
Jimmy Johns
P.F. Chang's
Shaw’s and Star Market
…
Introduction PoS Malware
• Cards sold in online marketplaces.
• Often sold in bulk
• Payment : Perfect Money / Bitcoin / Webmoney / etc
• Cards:
• US Credit/Debit: $20/each
• UK Credit/Debit: $35/each
• Bank Logins (BoA):
• Balance > $3k = $100
• Balance > $11k = $300
• Cash out schemes / Mules / Sellers and buyers
Technical Overview
MAGNETIC STRIPES
%B6011898748579348^DOE/ JOHN^37829821000123000789?
;6011898748579348=1412101110000000000?*
;011234567890123445=724724100000000000030300XXXX040400099010=******==1=0000000000000000?*
ISO / IEC 4909:2006
• Defines standard format for track data on Credit Cards
TRACK DATA
Track 1: %B6011898748579348^DOE/ JOHN^14121011000000000000001230000?*
Track 2: ;6011898748579348=1412101110000000000?*
Index:
• % – Start Sentinel
• B – Format Code
• 6011898748579348 – Card Number
• ^ – Field Separator
• DOE/ JOHN – Cardholder name
• 1412 – Expiration Date (2014 – Dec)
• 1100 – Encrypted Pin
• 123 – CVV Number
• ? – End Sentinel
MEMORY SCRAPING
1. Enumerates Processes
– CreateToolhelp32Snapshot() / Process32Next()
2. Open and Read process memory
– OpenProcess() / VirtualQueryEx() / ReadProcessMemory()
3. Search for Track Data
4. Validation
– Luhn Algorithm / Mod 10
– Expiration Date Check
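As an added example (not code from the talk), the Track 1 / Track 2 layout from the TRACK DATA slide and the step-4 validation checks, written from the defender's side: the same Luhn and expiry filtering the malware applies can be run over a memory dump or a captured exfil body to confirm that real track data is present. The sample buffer, the test PANs, the cardholder name and the dates are constructed values, and the "now" date is passed in so the expiry check is deterministic.

```python
import re
from typing import Dict, List

# Constructed sample standing in for a scanned memory region or exfil POST body (not
# data from the talk). PANs are standard test numbers; the name and dates are made up.
SAMPLE_BUFFER = (
    b"\x00\x00POS-APP\x00"
    b"%B4111111111111111^DOE/ JOHN^19121011000000000000001230000?"  # Track 1, valid
    b"\x00\x00;6011111111111117=1912101110000000000?"               # Track 2, valid
    b";6011898748579348=1412101110000000000?"                       # fails Luhn
    b";4111111111111111=1412101110000000000?\x00"                   # Luhn ok, expired
)

# Track 1: %B<PAN>^<NAME>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})[^?]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def not_expired(yy: int, mm: int, now_year: int, now_month: int) -> bool:
    """Reject impossible months and YYMM dates already in the past."""
    return 1 <= mm <= 12 and (2000 + yy, mm) >= (now_year, now_month)

def mask(pan: str) -> str:
    """Keep BIN and last four so a finding can be triaged without logging the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(buf: bytes, now_year: int, now_month: int) -> List[Dict]:
    """Return only hits that survive the Luhn and expiry filters (Track 1 first, then 2)."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan, name = m.group(1).decode(), m.group(2).decode()
        yy, mm = int(m.group(3)), int(m.group(4))
        if luhn_ok(pan) and not_expired(yy, mm, now_year, now_month):
            hits.append({"track": 1, "pan": mask(pan), "name": name, "exp": f"{yy:02d}{mm:02d}"})
    for m in TRACK2.finditer(buf):
        pan, yy, mm = m.group(1).decode(), int(m.group(2)), int(m.group(3))
        if luhn_ok(pan) and not_expired(yy, mm, now_year, now_month):
            hits.append({"track": 2, "pan": mask(pan), "exp": f"{yy:02d}{mm:02d}"})
    return hits
```

Run against the constructed buffer with a "now" of January 2015, only the two valid tracks survive: the Luhn-invalid lookalike and the expired card are dropped, which is exactly why the scrapers bother with step 4 before exfiltrating.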
Rise of the Commodity
Commodity PoS Malware
• Highlights
• Off-the-shelf kits
• Communicate via HTTP request
• Price < $1k
• Source code for several publicly available
• Names:
• Alina
• Dexter
• vSkimmer
• Backoff
• JackPoS
• POSCardStealer
ARCHITECTURE
Diagram: Control Server / Infected hosts
• Traditional Client / Server architecture
– Infected hosts beacon and send data to control server
– Replies from server contain status / command instructions
• Communicates over HTTP requests
• Operator views bots via web portal
– Can send some basic commands
Spreading
• Brute-forcing Remote Management
• User/Password Lists tailored for PoS systems
• PcAnyWhere
• VNC
• Remote Desktop
• LogMeIn
• Phishing
• Vendor Targeting *
• Exploitation of Opportunity
Targeted Breaches
What makes it targeted
• [ Quality of Malware ] != Targeted
• Tailored options
( Implants designed to work in one infrastructure)
• Only targets specific PoS terminal types
• Logs to Internal IP addresses
• Forensic countermeasures
• Limited client-side controls*
2014 Players
• FrameWork PoS
• Called BlackPoS 2.0 by Trend Micro
• Limited Distribution
• Exfiltration done using SMB shared drives
• Hard coded credentials
• Contains links to Anti-US websites
• Mozart PoS
• Limited Distribution
• Specifically designed to work against Java based PoS solutions
• Designed to look like a PoS remote monitor service from NCR
• Contains links to Anti-US websites
Case Study: Target
• Initial statement released 19 December 2013
• 40 Million Credit Cards stolen
• PII for up to 70 Million individuals
• Statement said “criminals forced their way into our system, gaining access to guest credit and debit card information”
• Largest hack of a US retailer’s PoS infrastructure
Case Study: Target
• PoS infrastructure was directly targeted
• Malware used was Kaptoxa (mmon)
• Part of BlackPoS malware
• Traces back to 2010
• Malware pushed stolen data to an internal drop-site
• Used credentials to authenticate to internal SMB file store
• Leveraged stolen HVAC credentials
• Internal Drop-sites exfiltrated data to external FTP server
• Adversary may have known sensitive details about Target’s infrastructure
Looking Forward
Looking Forward
• October 2015 Liability Shift
• “The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today.” [1]
• Tokenization of Payment Methods
• iPay
• Google Wallet
[1] http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/
QUESTIONS
YOU DON’T HAVE A MALWARE PROBLEM,
YOU HAVE AN ADVERSARY PROBLEM