Point of Sale
(POS) Malware
Easy to Spot,
Hard to Stop
Darian Lewis
Sr. Threat Researcher
Managed Security Services
SYMANTEC
Introduction (page 3)
Evolving POS Malware (page 3)
Common POS Malware (page 4)
Alina (page 6)
BlackPOS (page 6)
VSkimmer (page 7)
Breaching the Perimeter (page 8)
Mitigation and Best Practices (page 9)
Detection (page 10)
References (page 11)
Introduction
Most organizations worry that they will be the next company showing up on the evening news as the “worst data breach ever.” The real concern isn’t if you will be breached, but when you will be breached—and whether you’ll know it happened before you read about it in the press along with your customers.
The cost of a breach is far more than the lost revenue that has to be recovered; the real loss is in customer trust and loyalty.
Mistakes made by people and systems are the main causes of data breaches. Together, human errors and system problems account for 64 percent of data breaches [1].
This whitepaper takes an in-depth look at:
• The evolution of Point-of-Sale (POS) malware
• How attackers breach the organization
• What should be done to mitigate breach losses
• How to proactively detect POS malware
Evolving POS Malware
Although the earliest POS malware is still in use and still effective, new POS malware continues to be written, and the oldest POS malware families are receiving new evasion technology updates.
A POS compromise normally begins when a Trojan or downloader gets onto a system inside the organization. That is not a tall order, considering the number of new infections of Gameover Zeus, a peer-to-peer variant of the Zeus malware that has been around since 2007.
All it takes is an email with a poisoned attachment, a link to a drive-by download, a watering hole attack on a popular news site or even poisoned ads in a widely used, trusted ad network. Any network that can come in contact with the POS terminal network makes a perfect entry point for delivering POS malware.
Gameover Zeus, Bugat or Citadel are used to take over accounts and to deliver key loggers and other malware that capture even the best passwords and allow attackers to move laterally across the network. Lateral movement within the network, compromising hosts along the way, lets the attackers reach their end goal: access to POS terminals. The POS malware then does what it was designed to do—capture the track information from the magnetic stripe on credit and debit cards.
With the payment system encrypted nearly end-to-end, one may ask how criminals obtain credit and debit card track information. They take it at its weakest point in the system: unencrypted in memory. The malware scrapes the magnetic stripe track data, “the first step in the identity theft chain,” from process memory before the POS software re-encrypts it and sends it to the local transaction server or payment processor. The identity theft chain then continues: money is drained from accounts, stolen card information is sold online, and new cards are produced with inexpensive hardware obtained online and encoded with the stolen information.
Common POS Malware
The common goal of most POS malware is to locate, extract and exfiltrate stolen credit card information as quickly and covertly as possible. While some design details separate one variant from another, most malware can be identified easily. In order to illustrate the scope of the problem, below is a representative list of some known POS malware and the AV signatures by which the malware will be detected using Symantec Antivirus:
• Alina (Infostealer.Alina) – Process memory dumper that looks for credit card information. Uses simple HTTP for data exfiltration and command and control (C2) purposes.
• Backoff (Trojan.Backoff) – Memory scraper and key logger, designed to extract credit card information. C2 accomplished via HTTP POST, while exfiltration via encrypted HTTP POST.
• BlackPOS (Infostealer.Reedum) – Credit card seeking memory scraper. Exfiltration of stolen data via FTP.
• BrutPOS (Trojan.Bruterdep) – Brute force of RDP to gain access to credit card information. C2 via HTTP POST and stolen data exfiltration via FTP.
• ChewBacca (Infostealer.Frysna) – Key logger and memory scraper seeking credit card numbers. Uses The Onion Router (TOR) for C2. Also known as FYSNA.
• Decebal (Infostealer.Decebal) – Memory scraping functionality looking for credit card information. C2 via HTTP POST. Basic stolen data encoding and upload via HTTP.
• Dexter (Infostealer.Dexter) – Memory dumper for specific POS software that seeks credit card information. Exfiltration and C2 accomplished via HTTP.
• GetMyPass (Infostealer.Getmypos) – Process dumper seeking credit card info. No exfiltration or C2 functionality; requires previously established control of infected system.
• JackPOS (Infostealer.Jackpos) – Memory scraper seeking credit card numbers. Exfiltration via base64 encoded HTTP POST and simple C2.
• LusyPOS (often detected as Infostealer.Dexter) – Credit card information memory scraper. Uses The Onion Router (TOR) for C2 and exfiltration.
• NewPoSThings (vendor write-up) – Memory scraper for credit card information and VNC password location. Encrypted data exfiltration and C2 accomplished via HTTP POST.
• RawPOS (Infostealer.Rawpos) – Memory scraper for credit card numbers in system processes.
• Rdasrv (Infostealer.Posscrape) – Harvests credit card information from memory. Relies on existing remote access for exfiltration.
• Soraya (vendor write-up) – Memory scraper and HTTP form grabber seeks credit card data. Checks in with hardcoded C2 server and exfiltrates every 5 minutes.
• vSkimmer (Infostealer.Vskim) – Memory scraper looking for credit card numbers. Exfiltration and C2 accomplished via HTTP or USB.
Figure: Malware Discovery Date timeline, 2009–2015. Symantec tracks known threats as they evolve and appear, while also identifying and nullifying the increasing proliferation of new threats. Dates are as given in the original figure (observed date vs. AV detection date); n/a marks a value the figure does not show.

Malware | Observed | AV Detection
RawPOS | 2.10.13 | 2.18.14
Rdasrv | n/a | 6.6.14
BrutPos | 3.1.14 | 3.12.14
BlackPos v2 | 8.29.14 | 12.19.13
JackPOS | 2.1.14 | 2.8.14
Backoff | 3.20.14 | 7.31.14
LusyPOS | 12.1.14 | 12.12.12
GetMyPass | 11.26.14 | 11.27.14
Soraya | 6.1.14 | 6.4.14
Alina (Kaptoxa) | n/a | 2.10.13
Dexter | 12.11.13 | 12.12.12
vSkimmer | 3.21.13 | 1.26.13
Decebal | 1.3.114 | 9.11.14
NewPoSThings | 9.4.14 | n/a
BlackPOS (Kaptoxa) | n/a | 3.29.13
ChewBacca | 10.1.13 | 12.18.13
Alina
Dozens of variants of Alina have been seen in the wild. Alina is an older malware, developed in early 2012 but still showing signs of active development. It contacts its C2 right after it is installed, and can be detected by looking for a missing parenthesis in the User-Agent string, a minor but noticeable pattern. There is also a response code of “666” in C2 HTTP responses where a normal “200” code would be returned. This return code is user-editable in the malware configuration, though, and may produce a false positive detection if used alone. The good news—not many criminals who buy this malware bother to change it.
Like many of the malware families discussed in this whitepaper, Alina searches running processes for credit card Track 1 and Track 2 data, then uses HTTP to exfiltrate the stolen data and get updates to itself. Several of the C2 servers it communicates with are shared with the JackPOS malware, linking them in a not yet fully understood way.
Researchers have reported a number of references to an active bitcoin wallet address [2]. The wallet address has been active since August 2013, although it doesn’t appear to have been actively used during the lifetime of this malware.
BlackPOS
BlackPOS malware attempts to steal the Track 1 or Track 2 formatted data that is stored on a credit card’s magnetic stripe, as most POS malware does. This information is then sent to another compromised server within the organization. This is done for evasion and because POS systems almost never have, nor should they have, direct Internet access. Once the data has been accumulated, it is exfiltrated to a C2 server, usually a “forum post” receiver PHP application, using RC4 encryption over HTTP. A commonly observed RC4 key of “B0tswanaRul3z” has been seen in many samples. The malware updates itself from this server as well.
Criminals make the malware as easy to use as possible, even building full-featured admin panels as shown in Figure 1 for BlackPOS.
Figure 1: BlackPOS admin panel (Source: Group-IB) [3]
VSkimmer
VSkimmer has been around for some time, appearing to have been written in 2012 and discovered in March 2013, when advertised by criminals for sale on web forums. As with many POS malware families, VSkimmer looks for Track 2 formatted data matching a specific pattern in running processes in memory: ‘;?[3-9]{1}[0-9]{12,19}[D=u0061][0-9]{10-30}?? ‘. This malware family uses HTTP to exfiltrate its stolen data and can be configured to copy data to a USB device with a pre-defined volume name if no Internet connection is available. The connections to its C2 are easy to see on the network in the form http://{ip address}/admin/api/process.php?xy= followed by a Base64 encoded string containing ‘|az|#.#.#|#.#.#|text|text|0’.
Just as with BlackPOS, vSkimmer has an easy-to-use command interface as shown in Figures 2 and 3. This keeps the barrier to entry for criminals low and invites criminals with less skill to still be successful at stealing credit and debit card information.
Figure 2: VSkimmer bot control panel (Source: McAfee) [4]
Figure 3: VSkimmer terminal browser (Source: McAfee) [4]
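As an added example (not code from this whitepaper or from Symantec), the following Python scans a constructed proxy log for the two network indicators described in the Alina and VSkimmer sections above: the unbalanced User-Agent parenthesis combined with the “666” response code, and the /admin/api/process.php?xy= check-in whose Base64 payload decodes to the ‘|az|…’ structure. The log line format, the sample traffic, the payload regex and the severity rules are this example's assumptions.

```python
"""Network-indicator matcher for the Alina and vSkimmer C2 patterns described on the page.
The proxy log format, sample lines and severity rules are assumptions of this example."""
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumed proxy log format (constructed for this example):
#   <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# vSkimmer check-in path quoted on the page; the xy parameter carries standard Base64.
VSKIMMER_PATH = "/admin/api/process.php"
XY_RE = re.compile(r"[?&]xy=([A-Za-z0-9+/=]*)")
# Decoded payload shape '|az|#.#.#|#.#.#|text|text|0' as the page describes it (assumed regex).
VSKIMMER_PAYLOAD_RE = re.compile(r"^\|az\|\d+(?:\.\d+)+\|\d+(?:\.\d+)+\|[^|]*\|[^|]*\|0$")


def unbalanced_parentheses(user_agent: str) -> bool:
    """True when '(' and ')' counts differ: the Alina User-Agent quirk noted on the page."""
    return user_agent.count("(") != user_agent.count(")")


def decode_xy_param(url: str) -> str:
    """Return the Base64-decoded 'xy' query parameter, or '' if absent or not valid Base64."""
    m = XY_RE.search(url)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("ascii", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def indicators_for(line: str) -> List[str]:
    """Map one log line to the indicator names it matches (empty list means nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed-line"]
    hits: List[str] = []
    if unbalanced_parentheses(m["ua"]):
        hits.append("alina-ua-unbalanced-paren")
    if m["status"] == "666":
        hits.append("alina-http-666")
    if urlparse(m["url"]).path == VSKIMMER_PATH:
        hits.append("vskimmer-c2-path")
        if VSKIMMER_PAYLOAD_RE.match(decode_xy_param(m["url"])):
            hits.append("vskimmer-c2-payload")
    return hits


def severity(hits: List[str]) -> str:
    """Combine indicators: the page warns that 666 alone is user-editable and may false-positive,
    so only the User-Agent quirk together with 666, or a decoded vSkimmer payload, rates high."""
    alina_pair = {"alina-ua-unbalanced-paren", "alina-http-666"}
    if alina_pair <= set(hits) or "vskimmer-c2-payload" in hits:
        return "high"
    return "low" if hits else "none"


def scan(lines: List[str]) -> Dict[int, Dict[str, object]]:
    """Return {line_number: {'indicators': [...], 'severity': ...}} for every flagged line."""
    report: Dict[int, Dict[str, object]] = {}
    for n, line in enumerate(lines, start=1):
        hits = indicators_for(line)
        if hits:
            report[n] = {"indicators": hits, "severity": severity(hits)}
    return report


# Constructed sample traffic (documentation IP ranges; not captured from any real incident).
_XY = base64.b64encode(b"|az|1.0.2|6.1.0|LANE03|WIN-POS7|0").decode()
SAMPLE_LOG = [
    '10.1.2.5 POST http://198.51.100.7/gate.php 666 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1"',
    '10.1.2.6 GET http://www.example.com/ 200 "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/34.0"',
    f'10.1.2.7 GET http://198.51.100.9/admin/api/process.php?xy={_XY} 200 "Mozilla/4.0"',
    '10.1.2.8 GET http://www.example.com/status 666 "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for n, entry in scan(SAMPLE_LOG).items():
        print(f"line {n}: {entry['severity']:<4} {', '.join(entry['indicators'])}")
```

Line 4 of the sample shows the caveat from the Alina section: a 666 status with a well-formed User-Agent is reported, but only at low severity.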
Breaching the Perimeter
Malware that targets POS systems relies on many of the same highly effective infection vectors and techniques as typical generic malware. Many POS systems are based on widely available commercial operating systems and standard hardware platforms, thereby simplifying the development and distribution of POS malware. Easy-to-use interfaces and the ability to quickly purchase the malware online mean a low barrier to entry for criminals.
The following are some of the most common infection vectors facing retailers using POS systems today:
Phishing Email – One of the most prevalent methods for malware distribution and attack orchestration facing individuals and businesses alike, phishing emails prey on the human factor to deliver excellent results for attackers. By offering an enticing lure, users are tricked into clicking a link or opening an attachment, resulting in the compromise of the host computer. Even POS systems without Internet or email functionality are at risk of phishing compromise via proximity to more Internet-accessible and infected desktop PCs and servers.
Remote Access Abuse – Another method of infiltration into the retail setting relies on the abuse of legitimate remote access services already in place. Many POS systems employ remote desktop and remote administrative solutions designed to simplify management. Once attackers discover POS systems on an organization’s network, they often access them with default or weak credentials. Such credentials can also be stolen from other infected machines or businesses, including the POS hardware vendors and contractors employed by a retailer.
Unpatched or Outdated Software Exploitation – POS systems that aren’t regularly patched or are used beyond obsolescence pose a major risk of infection. Attackers routinely scan for vulnerabilities and misconfigurations, both directly from the Internet and from elsewhere in a compromised organization. Once discovered, such gaps are exploited to deliver malware to endpoint systems.
Once delivered, POS malware rarely works alone; it is usually found in combination with exfiltration malware. POS systems are rarely exposed to the Internet directly, so criminals need help exfiltrating the stolen data. Expecting that two or more malware infections will occur together provides twice the opportunity to discover POS malware.
Mitigation and Best Practices
Defending against POS malware is a complex, multi-faceted process. Steps can be taken at almost every level of an organization to minimize the chances of initial infection, malware lateral spread and sensitive data exfiltration. The mitigation techniques below are a collection of best practices that will assist in securing a business against a POS malware infection and resulting breach.
Mitigation Techniques
• Harden remote accessibility on POS systems – Proper credential management (implementation of least privilege), disuse of factory default passwords on POS devices, general password complexity requirements, disabling of remote access services where possible and limitation of visibility to remote access interfaces/ports.
• Implement endpoint security software and secure configurations – Employ antivirus software and, where applicable, apply application whitelisting. This may catch known malware samples, stop suspicious behavior and prevent unauthorized applications from executing on a POS system. Systems should also be configured in a manner appropriate for their roles, including the disabling of operating system functionality not appropriate for a POS device (e.g., autorun, unapproved USB devices, startup/registry modifications, etc.).
• Train POS system users and limit activity – Systems responsible for the collection of customer financial data should be used only for the intended function; users of these systems should not have Internet access, the ability to read email or a way to execute downloaded programs. Corporate compliance requirements and information security policies should be strictly adhered to on POS systems.
• Ensure effective monitoring of all portions of the network – In the event of an attack or compromise, the ability to monitor the attack and provide quick incident response will limit sensitive data leakage. Including both POS systems and the surrounding infrastructure in monitoring is crucial.
• Employ proper network segmentation and filtering – POS system networks should be segregated from other portions of the network, with the intent to limit exposure to both the Internet and unrelated systems. Data loss prevention filtering may also prevent data from being exfiltrated from an organization.
• Comply with PCI requirements and security best practices – All customer financial data should be handled according to compliance standards. All sensitive data should be encrypted and sent securely between approved systems.
• Keep equipment and payment technology up to date – Obsolete and end-of-life POS equipment should be retired in favor of modern systems with vendor support (i.e., new payment technologies with additional security measures).
“A global Symantec study shows that a majority of employees think it is acceptable to transfer corporate data outside the company and they never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations.” [5]
– Symantec, Feb. 6, 2013
Detection
Detecting POS malware is accomplished in much the same way as detecting traditional malware on desktop and server systems. However, POS systems face unique challenges when it comes to available security tools. Securing computers and networks is usually accomplished with antivirus, perimeter security devices and monitoring teams, but many POS systems don’t receive the same level of scrutiny, resulting in exploitation and eventual infection.
General Detection Mechanisms for POS Systems
• Endpoint antivirus software that is sensitive to suspicious applications and known malware samples may prevent or complicate infection by an attacker. Such software may block and report this activity to a central security system.
• Network traffic monitoring may highlight brute force access attempts, remote access sessions, C2 communications and data exfiltration via anomaly detection. POS systems should be included in monitored network segments and protected by the same devices in place for more traditional systems.
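As an added example (not code from this whitepaper or from Symantec) of the data-exfiltration monitoring and data loss prevention filtering the page recommends, the following Python looks for magnetic-stripe Track 1 and Track 2 records, the payload that every memory scraper listed above collects, in an outbound buffer and validates each candidate PAN with the Luhn check digit so that random digit runs do not raise alerts. The track-format regexes, the sample buffer (built from public test card numbers) and the alert threshold are this example's own assumptions.

```python
"""Egress/DLP check for magnetic-stripe track data of the kind POS memory scrapers collect.
The regexes, the constructed sample buffer and the alert threshold are assumptions."""
import re
from typing import Dict, List

# Track 2 layout: ;<PAN><sep><YYMM><service code><discretionary data>?  The separator is '='
# on most cards; 'D' is also accepted, as in the vSkimmer pattern quoted on the page.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})[=D](?P<exp>\d{4})(?P<rest>\d{3}[^?]{0,30})\?")
# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?]{0,40})\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and the last four digits so the alert itself never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> List[Dict[str, object]]:
    """Return every Track 1 / Track 2 candidate in the buffer, in order of appearance."""
    text = blob.decode("latin-1")  # lossless byte-to-char mapping for binary buffers
    found = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(text):
            found.append((m.start(), {
                "track": track,
                "pan_masked": mask_pan(m["pan"]),
                "expiry": m["exp"],
                "luhn": luhn_ok(m["pan"]),
            }))
    return [hit for _, hit in sorted(found, key=lambda item: item[0])]


def egress_alert(blob: bytes, threshold: int = 1) -> bool:
    """Alert when at least `threshold` Luhn-valid track records are leaving the POS segment."""
    return sum(1 for hit in find_track_data(blob) if hit["luhn"]) >= threshold


# Constructed sample buffer using public test card numbers; no real cardholder data.
SAMPLE_BLOB = (
    b"\x00\x10\x7fjunk before the record "
    b";4111111111111111=25121010000012345678?"        # Track 2, passes Luhn
    b" more noise "
    b"%B5555555555554444^DOE/JOHN^2512101000000000?"  # Track 1, passes Luhn
    b";4111111111111112=2512101?"                     # digit run that fails Luhn
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BLOB):
        print(hit)
    print("alert:", egress_alert(SAMPLE_BLOB))
```

Run against captured egress traffic or a suspect process dump, the same check gives a quick answer to whether a buffer contains card data without ever writing a full PAN to the alert log.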
Symantec™ Cyber Security Services: Managed Security Services (MSS) Detection
• Symantec consumes security intelligence on a wide variety of threats from numerous internal and external locations, sensors and partners around the world. When new POS malware is discovered, detection is implemented quickly on both endpoint products and through the MSS service.
• All available indicators of compromise involving POS malware are implemented and alerted for all affected customers. In many cases, historical detections based on stored log data (up to 92 days) are performed to discover previously unknown malware activity.
• POS malware signatures released from vendors supported by Symantec MSS are automatically loaded into our system and used to generate incidents. Such detection varies by security device vendor, but is used as often as possible to enhance MSS coverage.
• All malware families listed in this report are represented in current MSS signature sets. They are updated constantly as new malware samples and attack infrastructure are discovered. As these malware variants and their creators evolve, both Symantec and other security vendors continuously release new indicators of compromise.
References
[1] Ponemon and Symantec Find Most Data Breaches Caused by Human and System Errors. http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01
[2] Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns. http://pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf
[3] Exclusive – Details on Investigation of Group-IB on New Age of POS Malware. http://www.group-ib.com/index.php/o-kompanii/176-news/?view=article&id=716
[4] VSkimmer Botnet Targets Credit Card Payment Terminals. http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals
[5] Symantec Study Shows Employees Steal Corporate Data and Don’t Believe It’s Wrong. http://www.symantec.com/about/news/release/article.jsp?prid=20130206_01
About Symantec
Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and
governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in
April 1982, Symantec, a Fortune 500 company, operating one of the largest global data-intelligence networks, has
provided leading security, backup and availability solutions for where vital information is stored, accessed and shared.
The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500
companies are Symantec customers. In fiscal 2014, it recorded revenues of $6.7 billion.
To learn more go to www.symantec.com/managed-security-services/ or connect with Symantec at: https://twitter.com/symantecmss.
Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec
Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty
as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the
user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to
make changes without prior notice.
For specific country offices and contact numbers,
please visit our website.
Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527-8000
1 (800) 721-3934
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
https://twitter.com/symantecmss
Visit our blog: http://www.symantec.com/connect/symantec-blogs/cyber-security-services

Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
Symantec
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
Symantec
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
Symantec
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
Symantec
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
Symantec
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
Symantec
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec
 

More from Symantec (20)

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of Broadcom
 
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
 

Recently uploaded

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
KrzysztofKkol1
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
ayushiqss
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Strategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptxStrategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptx
varshanayak241
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 

Recently uploaded (20)

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Strategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptxStrategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptx
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 

Point of Sale (POS) Malware: Easy to Spot, Hard to Stop

Point of Sale (POS) Malware
Easy to Spot, Hard to Stop

Darian Lewis
Sr. Threat Researcher
Managed Security Services
SYMANTEC

Contents
• Introduction
• Evolving POS Malware
• Common POS Malware
• Alina
• BlackPOS
• VSkimmer
• Breaching the Perimeter
• Mitigation and Best Practices
• Detection
• References
Introduction

Most organizations worry that they will be the next company showing up on the evening news as the “worst data breach ever.” The real concern isn’t if you will be breached, but when you will be breached, and whether you’ll know it happened before you read it in the press along with your customers.

The cost of the breach is far more than lost revenue that has to be recovered; the real loss is in customer trust and loyalty.

Mistakes made by people and systems are the main causes of data breach. Together, human errors and system problems account for 64 percent of data breaches.1

This whitepaper takes an in-depth look at:
• The evolution of Point-Of-Sale (POS) malware
• How attackers breach the organization
• What should be done to mitigate breach losses
• How to proactively detect POS malware

Evolving POS Malware

Although the first POS malware is still in use and effective, new POS malware is still being written, and the oldest POS malware is getting new evasion technology updates.

A POS compromise normally happens when a Trojan or downloader malware gets on a system inside the organization. That is not a tall order considering the number of new infections of Gameover Zeus, a peer-to-peer variant of the Zeus malware that has been around since 2007. All it takes is an email with a poisoned attachment, a link to a drive-by download, a watering hole attack on a popular news site or even poisoned ads in a widely used, trusted ad network. Any network that can come in contact with the POS terminal network makes a perfect invasion point to deliver POS malware.

Gameover Zeus, Bugat or Citadel is used to take over accounts, deliver key loggers and other malware to obtain even the best passwords, and allow attackers to move laterally across the network. Lateral movement within the network, compromising hosts as they move, allows the attackers to achieve their end goal of access to POS terminals.

The POS malware then does what it was designed to do: capture the track information from the magnetic stripe on credit and debit cards. With the payment system encrypted nearly end-to-end, one may ask how criminals obtain the credit and debit card track information. They obtain it at the weakest point in the system, where it sits unencrypted in memory: they scrape “the first step in the identity theft chain”, the credit or debit card magnetic stripe track data, from process memory. The track data is then re-encrypted and sent to the local transaction server or payment processor. The identity theft chain then continues with money drained from accounts; stolen card information sold online; and new credit cards, produced with inexpensive hardware obtained online, set up with the stolen information.
Common POS Malware

The common goal of most POS malware is to locate, extract and exfiltrate stolen credit card information as quickly and covertly as possible. While some design details separate one variant from another, most malware can be identified easily. In order to illustrate the scope of the problem, below is a representative list of some known POS malware and the AV signatures by which the malware will be detected using Symantec Antivirus:

• Alina (Infostealer.Alina) – Process memory dumper that looks for credit card information. Uses simple HTTP for data exfiltration and command and control (C2) purposes.
• Backoff (Trojan.Backoff) – Memory scraper and key logger, designed to extract credit card information. C2 accomplished via HTTP POST, while exfiltration is via encrypted HTTP POST.
• BlackPOS (Infostealer.Reedum) – Credit card seeking memory scraper. Exfiltration of stolen data via FTP.
• BrutPOS (Trojan.Bruterdep) – Brute force of RDP to gain access to credit card information. C2 via HTTP POST and stolen data exfiltration via FTP.
• ChewBacca (Infostealer.Frysna) – Key logger and memory scraper seeking credit card numbers. Uses The Onion Router (TOR) for C2. Also known as FYSNA.
• Decebal (Infostealer.Decebal) – Memory scraping functionality looking for credit card information. C2 via HTTP POST. Basic stolen data encoding and upload via HTTP.
• Dexter (Infostealer.Dexter) – Memory dumper for specific POS software that seeks credit card information. Exfiltration and C2 accomplished via HTTP.
• GetMyPass (Infostealer.Getmypos) – Process dumper seeking credit card info. No exfiltration or C2 functionality; requires previously established control of the infected system.
• JackPOS (Infostealer.Jackpos) – Memory scraper seeking credit card numbers. Exfiltration via base64 encoded HTTP POST and simple C2.
• LusyPOS (often detected as Infostealer.Dexter) – Credit card information memory scraper. Uses The Onion Router (TOR) for C2 and exfiltration.
• NewPoSThings (vendor write-up) – Memory scraper for credit card information and VNC password location. Encrypted data exfiltration and C2 accomplished via HTTP POST.
• RawPOS (Infostealer.Rawpos) – Memory scraper for credit card numbers in system processes.
• Rdasrv (Infostealer.Posscrape) – Harvests credit card information from memory. Relies on existing remote access for exfiltration.
• Soraya (vendor write-up) – Memory scraper and HTTP form grabber that seeks credit card data. Checks in with a hardcoded C2 server and exfiltrates every 5 minutes.
• vSkimmer (Infostealer.Vskim) – Memory scraper looking for credit card numbers. Exfiltration and C2 accomplished via HTTP or USB.
Figure: Symantec tracks known threats as they evolve and appear, while also identifying and nullifying the increasing proliferation of new threats. Malware discovery dates on the 2009–2015 timeline (dates as printed in the chart; a dash means the chart gives no date):

Malware              Observed    AV Detection
RawPOS               2.10.13     2.18.14
Rdasrv               –           6.6.14
BrutPos              3.1.14      3.12.14
BlackPos v2          8.29.14     12.19.13
JackPOS              2.1.14      2.8.14
Backoff              3.20.14     7.31.14
LusyPOS              12.1.14     12.12.12
GetMyPass            11.26.14    11.27.14
Soraya               6.1.14      6.4.14
Alina (Kaptoxa)      –           2.10.13
Dexter               12.11.13    12.12.12
vSkimmer             3.21.13     1.26.13
Decebal              1.3.114     9.11.14
NewPoSThings         9.4.14      –
BlackPOS (Kaptoxa)   –           3.29.13
ChewBacca            10.1.13     12.18.13
Alina

Dozens of variants of Alina have been seen in the wild. Alina is an older malware, developed in early 2012 but still showing signs of active development. It contacts its C2 right after it is installed, and can be detected by looking for a missing parenthesis in the User-Agent string, a minor but noticeable pattern. There is also a response code of “666” in C2 HTTP responses where a normal “200” code would be returned. This return code is user-editable in the malware configuration, though, and may produce a false positive detection if used alone. The good news: not many criminals who buy this malware bother to change it.

Like many of the malware families discussed in additional detail in this whitepaper, Alina searches running processes for credit card Track 1 and Track 2 data, then uses HTTP to exfiltrate the stolen data and get updates to itself. Several of the C2 servers it communicates with are shared with the JackPOS malware, linking them in a not yet fully understood way.

Researchers have reported a number of references to an active bitcoin wallet address.2 The wallet address has been active since August 2013, although it doesn’t appear to have been actively used during the lifetime of this malware.

BlackPOS

BlackPOS malware attempts to steal the Track 1 or Track 2 formatted data that is stored on a credit card’s magnetic stripe, as most POS malware does. This information is then sent to another compromised server within the organization. This is done for evasion and because POS systems almost never have, nor should they have, direct Internet access. Once the data has been accumulated, it is exfiltrated to a C2 server, usually a “forum post” receiver PHP application, using RC4 encryption over HTTP. A commonly observed RC4 key of “B0tswanaRul3z” has been seen in many samples. The malware updates itself from this server as well.

Criminals make the malware as easy to use as possible, even building full-featured admin panels as shown in Figure 1 for BlackPOS.

Figure 1: BlackPOS admin panel (Source: Group I-B)3
VSkimmer

VSkimmer has been around for some time, appearing to have been written in 2012 and discovered in March 2013, when advertised by criminals for sale on web forums. As with many POS malware families, VSkimmer looks for Track 2 formatted data matching a specific pattern in running processes in memory: ‘;?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}\??’. This malware family uses HTTP to exfiltrate its stolen data and can be configured to copy data to a USB device with a pre-defined volume name if no Internet connection is available. The connections to its C2 are easy to see on the network in the form http://{ip address}/admin/api/process.php?xy= followed by a Base64 encoded string containing ‘|az|#.#.#|#.#.#|text|text|0’.

Just as with BlackPOS, vSkimmer has an easy-to-use command interface as shown in Figures 2 and 3. This keeps the barrier to entry for criminals low and invites criminals with less skill to still be successful at stealing credit and debit card information.

Figure 2: VSkimmer bot control panel (Source: McAfee)4
Figure 3: VSkimmer terminal browser (Source: McAfee)4
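The network indicators from the Alina section (unbalanced parenthesis in the User-Agent, “666” C2 status) and from this VSkimmer section (the /admin/api/process.php?xy= check-in with its Base64 payload) can be turned into a triage pass over web-proxy logs. This is an added example, not code from the whitepaper or from Symantec; the log line format, client addresses, C2 hosts and payload values are constructed for the illustration, and the decoded-payload regex generalizes the ‘|az|#.#.#|#.#.#|text|text|0’ shape quoted above.

```python
"""Proxy-log triage for the Alina and vSkimmer indicators described in the text.

Added example (not from the whitepaper). Everything in SAMPLE_LOG is constructed:
the line format, the client and server addresses, the paths and the payload.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Constructed vSkimmer-style check-in payload, Base64 encoded as the text
# describes ('|az|#.#.#|#.#.#|text|text|0'); versions and names are made up.
_VSKIM_PAYLOAD_B64 = base64.b64encode(b"|az|1.2.3|1.2.3|POS01|WINXP|0").decode()

# Constructed log lines: <client-ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = f"""\
10.20.0.15 POST http://203.0.113.9/forum/post.php 666 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1"
10.20.0.15 GET http://203.0.113.9/forum/post.php 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1"
10.20.0.22 GET http://198.51.100.7/admin/api/process.php?xy={_VSKIM_PAYLOAD_B64} 200 "Mozilla/5.0"
10.20.0.30 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1; WOW64)"
10.20.0.30 POST http://www.example.com/api 500 "Mozilla/5.0 (Windows NT 6.1; WOW64)"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Decoded vSkimmer check-in: '|az|', two dotted version numbers, two free-text
# fields and a trailing '0', all pipe separated.
VSKIM_PAYLOAD_RE = re.compile(
    r"^\|az\|\d+(?:\.\d+){2}\|\d+(?:\.\d+){2}\|[^|]+\|[^|]+\|0$"
)
XY_PARAM_RE = re.compile(r"(?:^|&)xy=([^&]+)")


@dataclass(frozen=True)
class Finding:
    src: str
    family: str
    confidence: str  # "low" = single indicator, "high" = corroborated
    evidence: str


def unbalanced_parens(user_agent: str) -> bool:
    """True when the User-Agent has a '(' without a matching ')' or vice versa."""
    return user_agent.count("(") != user_agent.count(")")


def vskimmer_checkin(url: str) -> Optional[str]:
    """Return the decoded check-in payload if url is a vSkimmer C2 request, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/admin/api/process.php"):
        return None
    m = XY_PARAM_RE.search(parts.query)
    if not m:
        return None
    try:
        # validate=True rejects anything that is not well-formed Base64.
        decoded = base64.b64decode(unquote(m.group(1)), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return decoded if VSKIM_PAYLOAD_RE.match(decoded) else None


def triage(log_text: str) -> List[Finding]:
    """Scan proxy log lines and return one Finding per suspicious request."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        src, url, status, ua = m["src"], m["url"], m["status"], m["ua"]

        # Alina: the text warns that the 666 code is operator-editable and a false
        # positive on its own, so either indicator alone is rated low and the two
        # together are rated high.
        ua_hit, status_hit = unbalanced_parens(ua), status == "666"
        if ua_hit or status_hit:
            why = []
            if ua_hit:
                why.append(f"unbalanced parenthesis in User-Agent {ua!r}")
            if status_hit:
                why.append("HTTP status 666 from C2")
            conf = "high" if (ua_hit and status_hit) else "low"
            findings.append(Finding(src, "Alina", conf, "; ".join(why)))

        # vSkimmer: path plus a Base64 'xy' value that decodes to the check-in shape.
        payload = vskimmer_checkin(url)
        if payload is not None:
            host = urlsplit(url).netloc
            findings.append(Finding(src, "vSkimmer", "high",
                                    f"C2 check-in to {host} with payload {payload!r}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.src}  {f.family:<9} {f.confidence:<5} {f.evidence}")
```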
Breaching the Perimeter

Malware that targets POS systems relies on many of the same highly effective infection vectors and techniques as typical generic malware. Many POS systems are based on widely available commercial operating systems and standard hardware platforms, thereby simplifying the development and distribution of POS malware. Easy-to-use interfaces and the ability to quickly purchase the malware online mean a low barrier to entry for criminals. The following represent some of the most common infection vectors facing retailers using POS systems today:

Phishing Email – One of the most prevalent methods for malware distribution and attack orchestration facing individuals and businesses alike, phishing emails prey on the human factor to deliver excellent results for attackers. By offering an enticing lure, users are tricked into clicking a link or opening an attachment, resulting in the compromise of the host computer. Even POS systems without Internet or email functionality are at risk of phishing compromise via proximity to more Internet-accessible and infected desktop PCs and servers.

Remote Access Abuse – Another method of infiltration into the retail setting relies on the abuse of legitimate remote access services already in place. Many POS systems employ remote desktop and remote administrative solutions designed to simplify management. Default or weak credentials are often used by attackers to access POS systems, once discovered on an organization’s network. Such credentials can also be stolen from other infected machines or businesses, including the POS hardware vendors and contractors employed by a retailer.

Unpatched or Outdated Software Exploitation – POS systems that aren’t regularly patched or are used beyond obsolescence pose a major risk of infection. Vulnerabilities and misconfigurations are routinely scanned for by attackers, both directly from the Internet and from elsewhere in a compromised organization. Once discovered, such gaps are exploited to deliver malware to endpoint systems.

Once POS malware is delivered, it rarely works alone and will be found in combination with exfiltration malware. POS systems are rarely exposed to the Internet directly and criminals need help exfiltrating the stolen data. Expecting that two or more malware infections will occur simultaneously provides twice the opportunity to discover POS malware.
Mitigation and Best Practices

Defending against POS malware is a complex, multi-faceted process. Steps can be taken at almost every level of an organization to minimize the chances of initial infection, lateral spread of malware and sensitive data exfiltration. The mitigation techniques below are a collection of best practices that will assist in securing a business against a POS malware infection and the resulting breach.

Mitigation Techniques

• Harden remote accessibility on POS systems – Proper credential management (implementation of least privilege), disuse of factory default passwords on POS devices, general password complexity requirements, disabling of remote access services where possible and limitation of visibility of remote access interfaces/ports.

• Implement endpoint security software and secure configurations – Employ antivirus software and, where applicable, apply application whitelisting. This may catch known malware samples, stop suspicious behavior and prevent unauthorized applications from executing on a POS system. Systems should also be configured in a manner appropriate for their roles, including the disabling of operating system functionality not appropriate for a POS device (e.g., autorun, unapproved USB devices, startup/registry modifications, etc.).

• Train POS system users and limit activity – Systems responsible for the collection of customer financial data should be used only for their intended function; users of these systems should not have Internet access, the ability to read email or a way to execute downloaded programs. Corporate compliance requirements and information security policies should be strictly adhered to on POS systems.

• Ensure effective monitoring of all portions of the network – In the event of an attack or compromise, the ability to monitor the attack and provide quick incident response will limit sensitive data leakage. Including both POS systems and the surrounding infrastructure in monitoring is crucial.

• Employ proper network segmentation and filtering – POS system networks should be segregated from other portions of the network, with the intent to limit exposure to both the Internet and unrelated systems. Data loss prevention filtering may also prevent data from being exfiltrated from an organization.

• Comply with PCI requirements and security best practices – All customer financial data should be handled according to compliance standards. All sensitive data should be encrypted and sent securely between approved systems.

• Keep equipment and payment technology up to date – Obsolete and end-of-life POS equipment should be retired in favor of modern systems with vendor support (i.e., new payment technologies with additional security measures).

“A global Symantec study shows that a majority of employees think it is acceptable to transfer corporate data outside the company and they never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations.”5 – Symantec, Feb. 6, 2013
Detection

Detecting POS malware is accomplished in a similar way to detecting traditional malware on desktop and server systems. However, POS systems face unique challenges when it comes to available security tools. Securing computers and networks is usually accomplished with antivirus, perimeter security devices and monitoring teams. Many POS systems don’t receive the same level of scrutiny, resulting in exploitation and eventual infection.

General Detection Mechanisms for POS Systems

• Endpoint antivirus software sensitive to suspicious applications and known malware samples may prevent or complicate infection by an attacker. Such software may block and report this activity to a central security system.

• Network traffic monitoring may highlight brute force access attempts, remote access sessions, C2 communications and data exfiltration via anomaly detection. POS systems should be included in monitored network segments and protected by the same devices in place for more traditional systems.

Symantec™ Cyber Security Services: Managed Security Services (MSS) Detection

• Symantec consumes security intelligence on a wide variety of threats from numerous internal and external locations, sensors and partners around the world. When new POS malware is discovered, detection is implemented quickly both in endpoint products and through the MSS service.

• All available indicators of compromise involving POS malware are implemented and alerted on for all affected customers. In many cases, historical detections based on stored log data (up to 92 days) are performed to discover previously unknown malware activity.

• POS malware signatures released by vendors supported by Symantec MSS are automatically loaded into our system and used to generate incidents. Such detection varies by security device vendor, but is used as often as possible to enhance MSS coverage.

• All malware families listed in this report are represented in current MSS signature sets. They are updated constantly as new malware samples and attack infrastructure are discovered. As these malware variants and their creators evolve, both Symantec and other security vendors continuously release new indicators of compromise.
References

1 Ponemon and Symantec Find Most Data Breaches Caused by Human and System Errors
http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01

2 Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns
http://pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf

3 Exclusive – Details on Investigation of Group-IB on New Age of POS Malware
http://www.group-ib.com/index.php/o-kompanii/176-news/?view=article&id=716

4 VSkimmer Botnet Targets Credit Card Payment Terminals
http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals

5 Symantec Study Shows Employees Steal Corporate Data and Don’t Believe It’s Wrong
http://www.symantec.com/about/news/release/article.jsp?prid=20130206_01
About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2014, it recorded revenues of $6.7 billion. To learn more go to www.symantec.com/managed-security-services/ or connect with Symantec at https://twitter.com/symantecmss.

Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527-8000
1 (800) 721-3934

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Visit our blog: http://www.symantec.com/connect/symantec-blogs/cyber-security-services