Introduction

A sequence of data breaches suffered by the major US retailers Target and Neiman Marcus has put Americans on alert. In total, more than a hundred million people may have been victims of the cyber attacks against POS systems in the stores of the two giants.

The attackers used malware to infect the POS systems in the stores and capture the credit/debit card data used by customers for Christmas purchases. Which malware was used? Who is behind the attacks, and what is the extent of the data breaches? These are the principal questions customers are asking the IT security community.

The US retailer Target announced a few weeks ago that the extent of the credit card leak was even bigger than what was estimated just after the discovery of the data breach: 70 million customers are victims of the data breach, which exposed customer data including names, mailing addresses, phone numbers and email addresses.

The disclosure was made a few weeks after the Target retailer confirmed a cyber attack and the theft of approximately 40 million customer debit and credit card records.

The company highlighted in an official statement that customers would have “zero liability” for charges to their cards.

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach …This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals,” according to the company’s official statement.

Target immediately started its incident response procedures to protect its customers, publishing updates on the investigation and sending an email to all customers to inform them of the risks related to the credit card exposure. The emails sent by Target invite customers to be wary of any message that asks them for any sort of information, as cyber criminals may already be at work.

Target representatives have confirmed the presence of malware in the company’s point-of-sale systems, used to scrape card and PIN data from the terminals just before it was encrypted. According to the principal security firms, the malicious code used in the Target attack appears to be a variant of the BlackPOS malware.

Unfortunately the attack against Target isn’t an isolated event; Neiman Marcus confirmed a similar data breach in early 2014. Neiman Marcus has 79 stores and reported total sales of $1.1 billion in Q4 2013. Also in this case, the data breach was first reported by cybersecurity expert Brian Krebs, who first confirmed a surge in fraudulent credit and debit charges on cards that had been used at Neiman Marcus stores.

It seems that the attackers were able to penetrate the Neiman Marcus network and, over a period of three months, stole credit and debit card data belonging to 1.1 million customers. According to Neiman Marcus, the data breach began in mid-July and ran until the end of October.

A company statement confirmed the use of malware to steal customer information and scrape credit card data from POS systems.

“While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively collected or “scraped” credit card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have potentially been visible to the malware. To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently,” the statement reported.

Although Neiman Marcus did not explicitly confirm that the malware-based attack targeted its POS systems, the company’s advisory points to a similar attack methodology.

The company is working to inform customers whose cards have been used for fraudulent purchases, but unlike Target, the company hasn’t provided information on the nature of the data leaked or on the number of customer records exposed.

Neiman Marcus spokesperson Ginger Reeder announced that the company does not yet know the cause, size or duration of the data breach; she also added that there is no evidence of any impact on shoppers who purchased from the online stores.

“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

“We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.

“The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store,” reported the official statement from the company.

Neiman Marcus was informed of the incident in mid-December by its credit card processor, and subsequently reported the data breach to law enforcement.

The company apologized to its customers for the incident and confirmed that it is working to notify those whose cards were used fraudulently after visits to Neiman Marcus stores.

Cyber criminal activities are more frequent during the holiday season, and experts also hypothesized a possible connection between this data breach and the one that occurred at Target.

Are Target and Neiman Marcus two isolated cases?

“Target Corp and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed,” reported a post by Reuters.

According to the people familiar with the attacks, smaller breaches occurred at at least three other well-known US retailers. At the time I’m writing, Michaels Stores Inc., a US-based arts-and-crafts retailer, confirmed it is investigating a possible data breach affecting customer cards.

In the following sections we will analyze POS malware in depth, paying particular attention to the BlackPOS malware and the way it was offered on the underground market.

Dexter Malware

In December 2012, the Israel-based company Seculert revealed that it had discovered malware, dubbed Dexter, used by cyber criminals to parse memory dumps of POS software and search for Track 1 / Track 2 credit card data.

The Dexter malware was used to infect POS systems at hotels, restaurants and big retailers in 40 countries all over the world, but it was particularly active in the US and the UK.

The Dexter point-of-sale malware is still active in Russia, the Middle East and Southeast Asia; it is just one variant of a family of malicious code used to dump memory on POS systems. In early 2013 the Russian company Group-IB detected a new POS malware dubbed “DUMP MEMORY GRABBER”, just a few months after the detection of similar agents including vSkimmer and Project Hook.

Colleagues at IntelCrawler, a US-based intelligence firm, discovered a large credit card fraud carried out with a point-of-sale botnet composed mainly of compromised machines belonging to US merchants.

The malware adopted by the cybercriminals was able to infect computers hosting POS software and capture data from each payment operation. The malicious software replaces the physical skimmer usually employed by criminals.

Point-of-sale systems represent privileged targets for cyber crooks; in the majority of cases these systems are not dedicated POS servers, and they are often poorly protected.

Figure 1 – ATM Skimmer

In November 2013, just one year after the discovery of Dexter, a group of researchers at Arbor Networks found two servers hosting the same Windows-based malware. Arbor Networks senior research analyst Curt Wilson revealed that during its monitoring activity, his team saw 533 infected endpoints calling back to command and control infrastructure that is no longer online.

Security experts identified three different versions of Dexter:

  • Stardust, which substantially represents the original version;
  • Millenium;
  • Revelation, the newest instance that implements data transfer over FTP.

It is not clear when the infection started, nor which technique the criminals adopted, but it is likely that the attack began with a spear phishing campaign that lured victims to compromised websites hosting the Dexter malware. Another possibility is that the attackers exploited knowledge of the default settings of the targeted systems after large-scale scanning of the Internet.

The security firm immediately reported the findings to the Financial Services Information Sharing and Analysis Center (FS-ISAC) and to law enforcement.

“The way the attackers had the server set up, we saw credit card data posted to the site … The attackers were clearing the log files periodically, so there’s no telling how long these campaigns have been ongoing,” said Wilson.

The dumps of credit card data stolen by the malware are then sold on the black market by cyber criminals, and the buyers use them to produce cloned cards.

“This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system.”

As explained by the researchers, the shared use of POS computers for other tasks is a further reason for concern:

“The data being exfiltrated that we’ve seen suggests that the compromised machines are doubling up functions and running point of sale on a machine doing something else. PoS machines should be dedicated, locked down and have special policies applied to it. … That’s a bad practice to pile so much on one system. An attacker with access to credit card data would also have access to anything else the management system has access to,” Wilson said.

Fortunately, POS systems can be easily protected by installing defense systems able to recognize the presence of Dexter variants. The lesson learned is that the number of malware families used to steal data from POS systems will increase in the coming months, and the incidents that recently occurred at US retailers confirm it.

VSkimmer

In March 2013, security expert Chintan Shah at McAfee published a blog post on the sale of credit-card-stealing malware in Russian underground forums. He focused his attention on a discussion about a Trojan for sale, dubbed vSkimmer, that is able to steal credit card information from financial transactions and credit card payments.

vSkimmer is Windows malware that gathers card data directly from a card reader connected to the victim’s system and sends it to a remote control server, encoding it in Base64 (which is an encoding, not real encryption, so the data is trivially recoverable from a network capture).

The malware gathers the following data from the infected POS:

  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version

Figure 2 – vSkimmer screenshot

Security experts consider vSkimmer the successor of Dexter, a popular malware that targeted point-of-sale systems to gather card data during payment transactions. Dexter was used to steal nearly 80,000 credit card records from Subway restaurants in 2012.

In early 2013, security firm Group-IB discovered a new malware that was used to steal data from POS systems. Dubbed DUMP MEMORY GRABBER, it was sold in the underground by a coder using the nickname Ree[4], an individual we will meet again when discussing the BlackPOS malware.

DUMP MEMORY GRABBER is written in pure C++ without the use of any additional libraries. It runs on every Microsoft Windows version, including the x64 architecture, and uses mmon.exe to scan RAM for track and credit card data. vSkimmer has been circulating in underground forums since February 2013, and security experts consider it an ongoing project. It is more sophisticated than Dexter, and its authors have implemented a more user-friendly GUI.

vSkimmer implements sophisticated detection avoidance features and operates silently, waiting for a USB device with a specific name to be attached to the host. Once it detects that device, the malware dumps the collected data onto it.

“vSkimmer can also grab the Track 2 data stored on the magnetic strip of the credit cards. This track stores all the card information including the card number.”

The following is an extract from the McAfee post:

“VSkimmer maintains the whitelisted process, which it skips while enumerating the running processes on the infected machine. Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}\??” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the whitelist … another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community.”

According to the security community, the malware represents one of the first examples of malicious code that directly targets card-payment terminals running on Windows machines. The supply of this family of malware in the underground is increasing, and the authors’ sales model appears very efficient and responsive to buyers’ needs. A new generation of malware will attract even more criminals looking to profit, and the data breaches that occurred recently demonstrate that.

Investigation on the authors of POS malware

In March 2013 I had the opportunity to speak with Andrey Komarov, former manager at Group-IB and today CEO at IntelCrawler, about the investigation into a series of malware-based attacks against POS systems located in the US. He confirmed that cybercriminals had started to use specific malware for ATMs and POS systems in targeted attacks.

There was the suspicion that many attacks were arranged with the help of insiders who had access to the POS to maintain or update its software locally; however, a few infections were also observed that were caused by remote attacks on POS systems running Windows XP / Windows Embedded with RDP/VNC access, or by vulnerabilities in ATM networks connected to the banks’ VPN channels or to GSM/GPRS networks.

As mentioned above, one of the most interesting POS malware families is DUMP MEMORY GRABBER, sold in the underground by Ree[4]. The malware adds itself to autorun with a default timeout of 3 hours, and is able to intercept dumps and transfer them through an FTP gateway along with the date.

Figure 3 – Dump Memory grabber Admin Panel

The malware was used in targeted attacks against major US banks, including Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego) and Nordstrom FSB Debit (Scottsdale, Arizona). The following image is an exclusive screenshot showing thousands of compromised credit cards in the «BlackPOS» admin panel, dated 23 March 2013.

The name BlackPOS derives from the title of the Command & Control server page, which includes the string “BlackPOS”. Ree[4] is not directly responsible for the attack; he only sold the BlackPOS agent to other cyber gangs from Eastern Europe and other countries. It seems that the owners of the underground credit card shops “.rescator”, “Track2.name”, “Privateservices.biz” and many others were his clients.


Figure 4 – BlackPOS Admin Panel

The author writes in Russian, and another interesting clue comes from the video tutorial posted in the underground by the authors, which shows a link to the internal messaging system of one of the most popular social networks in Russia, Vkontakte.ru, as visible in the image below.

Figure 5 – The author of the POS malware and the link to his Vkontakte profile during the POS malware admin panel demonstration

It seems that the hacker was communicating with one of his friends through Vkontakte and forgot to close the active browser window. Analyzing the Vkontakte ID (http://vk.com/id93371139), the investigators identified the person behind the anonymous nickname “Wagner Richard”.

Figure 6 – The author of the malware uses an anonymous nickname on Vkontakte to communicate with his friends

The hacker mentions a link to a group that takes orders for DDoS attacks, which suggests that he is one of the people involved in a significant cybercrime gang.

Figure 7 – Anonymous group on the social network taking orders for DDoS attacks (http://vk.com/the_ddos_attack)

Previously, they had set up several similar groups related to DDoS attacks, but all of them were banned.

The above picture shows seven members of the detected cyber criminal group, including the author of the POS malware, with the nickname “Wagner Richard”, who acts as administrator of the group.

Figure 8 – The full disclosure of the members. Most of them belong to Russian hacktivist activities related to the Anonymous group, which was widely covered in the Russian mass media during the presidential election.

According to the profiling, security expert Andrey Komarov said that all the hackers involved are less than 23 years old, which shows that young people are involved in most cybercrimes.

“We have found one of the C&C for the following POS malware, but in fact hundreds of POS/ATMs were infected and we are still investigating this issue,” said Andrey Komarov, IntelCrawler’s CEO.

After the Attack on Target

After the recent attacks against the US retailers, security and intelligence firms concentrated their efforts on identifying the criminal organization behind the attacks. The intelligence firm IntelCrawler was the first to reveal the identity of the author of the BlackPOS/Kaptoxa malware used in the attacks against Target and Neiman Marcus, a teenager known in the underground by the pseudonym Ree[4].

The first sample of the malware was created in March 2013; the first documented attacks based on BlackPOS were in Australia, Canada and the US. The original name of the malicious code was “Kaptoxa” (“potato” in Russian slang), which was then renamed “DUMP MEMORY GRABBER by Ree[4]” for forum postings, but the title of the Command & Control server kept the string “BlackPOS”. Ree[4] was the person who sold the BlackPOS code to other cyber criminals from Eastern Europe and other countries.

The malware was detailed in an interesting report issued by iSIGHT Partners. BlackPOS (aka “Memory Form Grabber”, “Dump Memory Grabber”) is malicious code that is easily available due to a leaked version of its source code.

The original source code was authored by the actor “Ree[4]” (for more information and attribution, see iSIGHT Partners, “Analysis of ‘Dump Memory Grabber’ Point-of-Sale Malware,” Malware Report #13-25113, April 8, 2013; and “Attribution for Russian Actor ‘Ree[4],’ Seller of a Credit Card RAM Memory Grabber,” Intel-792666, April 11, 2013).

Figure 9 – Chat with Ree4

The IntelCrawler update also anticipated that several other breaches may be revealed soon. The technique of infecting POS systems with the memory grabber is well established in the cybercrime ecosystem, with poorly configured POS systems and a lack of security best practices (e.g. the use of weak passwords) giving the cyber criminals an advantage.

The Youngster behind the Pseudonym Ree[4]

Security Affairs was among the official sources that identified the 23-year-old who developed the BlackPOS malware, thanks to the revelations made by the cyber intelligence firm IntelCrawler.

The author of BlackPOS was known as “Ree[4]” in the underground market. Researchers at IntelCrawler initially identified him as Sergey Taraspov, but after further investigation they found the right person, a hacker named Rinat Shabayev, who probably collaborated with Sergey Taraspov, who provided him with technical support in designing the malicious code.

It seems that Rinat Shabayev, aka Ree[4], and the teenager Sergey Taraspov (initially indicated as the author of the BlackPOS malware) collaborated to design the BlackPOS code, but they aren’t responsible for the data theft at Target. According to the investigation, they developed the malicious agent to sell it to other criminal gangs based in Eastern Europe.

Figure 10 – Targeted POS

Rinat Shabayev admitted that he had developed the BlackPOS malware. In the interview he gave to the Russian news agency ‘LifeNews’, he defended his position, maintaining that the malicious code was developed for security testing purposes and not to steal data. He confirmed that he had received support from another anonymous coder, whom he had met online and who may have added more features to it.

His intention was to sell the exploit, and he also remarked that he was aware the malware could be used for malicious purposes too, but he had never thought of conducting any illegal activity such as data theft.

“There is a ready program, I took and wrote to her addition to the data saved in the file and the server failed. It was originally planned to sell the program, most do not use it. And the idea was shared with another person. The program is designed for grabbing data. That is, rather, to copy the credit card data – told Shabayev. – I do not know why this name – “kartohu.” We took this program “kartohu” and finish the addition to it. Online cooperation offered by this program, but I did not want to cooperate, just gave the program and all. If you use this software with malicious intent, you can earn good, but it is illegal. So I do not want to do it, just wrote for sale, not to use it yourself, and let people enjoy it, and they will all conscience,” is the translation from the Russian channel.

Now IT security has a further problem to solve: BlackPOS is in the wrong hands and millions of people are suffering credit card theft. On the other side, law enforcement will have to judge a young man who professes his innocence and good faith.

Frankly, I believe that the boy is terrified. Both parties, law enforcement and the criminal organizations who acquired BlackPOS, will pay much attention to the confessions of the youngster.

A Close Look at the Malware Used Against Target

Of course, many security firms covered the Target case, and each proposed its own analysis of the malicious code used by the attackers. The hackers used a crimeware kit and took advantage of a poorly secured feature built into a software product that was running on the retailer’s internal network.

The Seculert security firm reported that attackers used a control server within the Target network to aggregate the data hoovered up by the malware from the POS systems.

In the first stage of the attack, the criminals infected POS systems in Target stores and extracted card numbers and sensitive personal details of purchase operations; then, after staying silent for 6 days, the malware started transferring the stolen data to an external FTP server.

“Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBs of stolen sensitive customer information. While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack,” reported Seculert.

The malware used by the attackers was a customized version specifically crafted for the Target intrusion. It was designed to avoid detection by the antivirus systems available on the market: the two variants used in the attack were undetected by all the signature-based antivirus engines listed on VirusTotal.com at the time of the attack.

An analysis conducted by Symantec ThreatExpert suggested that the malware was transferring data from the infected cash registers to a server managed by the criminals within the Target network, used as a central repository, which had the internal address 10.116.240.31.

This was the hunch put forward by the Counter Threat Unit (CTU) of Dell SecureWorks in an analysis that was privately released to some of the company’s clients this week.

Figure 11 – Relationships between compromised and attacker-controlled assets. Source: Dell SecureWorks

“Attackers exfiltrate data by creating a mount point for a remote file share and copying the data stored by the memory-scraping component to that share. … In the previous listing showing the data’s move to an internal server, 10.116.240.31 is the intermediate server selected by attackers, and CTU researchers believe the “ttcopscli3acs” string is the Windows domain name used on Target’s network. The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network,” reported the SecureWorks paper.
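The two-hop exfiltration described by Seculert and SecureWorks above (terminals copy scraped data to an internal share, then the staging host uploads it by FTP to an external server several times a day for about two weeks) can be surfaced from flow or firewall logs. The following is an added example, not code from either firm; the POS subnet, the flow record format and all addresses except 10.116.240.31 (taken from the write-up) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed network layout (constructed for this example; the write-up only names the
# intermediate server 10.116.240.31, reused below as the staging host).
POS_NETWORKS = [ipaddress.ip_network("10.116.0.0/20")]
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT, FTP_PORT = 445, 21


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(lines):
    """Parse constructed flow records: <ISO timestamp> <src> <dst> <dport> <bytes>."""
    flows = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def _in_any(ip, networks):
    return any(ipaddress.ip_address(ip) in n for n in networks)


def find_staging_hosts(flows, min_sources=3):
    """Internal hosts receiving SMB (445) writes from several POS terminals. Terminals
    normally talk to the payment switch, not to a shared file server."""
    sources = defaultdict(set)
    for f in flows:
        if f.dport == SMB_PORT and _in_any(f.src, POS_NETWORKS):
            sources[f.dst].add(f.src)
    return {dst: sorted(srcs) for dst, srcs in sources.items() if len(srcs) >= min_sources}


def find_external_ftp(flows):
    """Internal hosts pushing data by FTP (21) to addresses outside the internal ranges.
    Aggregates bytes, sessions and distinct active days per (src, dst) pair, since the
    write-up describes repeated uploads over roughly two weeks."""
    agg = {}
    for f in flows:
        if (f.dport == FTP_PORT and _in_any(f.src, INTERNAL_NETWORKS)
                and not _in_any(f.dst, INTERNAL_NETWORKS)):
            a = agg.setdefault((f.src, f.dst), {"bytes": 0, "sessions": 0, "days": set()})
            a["bytes"] += f.bytes_out
            a["sessions"] += 1
            a["days"].add(f.ts.date())
    return {k: {"bytes": v["bytes"], "sessions": v["sessions"], "days": len(v["days"])}
            for k, v in agg.items()}


def correlate_exfil(flows):
    """Alert when one host is both an SMB collection point for POS terminals and the
    source of external FTP uploads: the two-hop pattern described by SecureWorks."""
    staging = find_staging_hosts(flows)
    alerts = []
    for (src, dst), stats in find_external_ftp(flows).items():
        if src in staging:
            alerts.append({"staging_host": src, "ftp_dest": dst,
                           "pos_sources": len(staging[src]), **stats})
    return alerts


# Constructed sample log: three terminals write to the staging host, which then uploads
# to an external FTP server on two consecutive days. 203.0.113.45 is a documentation
# address; the last two records are benign noise that must not be flagged.
SAMPLE_FLOWS = """
2013-12-02T03:00:11 10.116.1.10 10.116.240.31 445 40960
2013-12-02T03:00:15 10.116.1.11 10.116.240.31 445 38912
2013-12-02T03:00:19 10.116.1.12 10.116.240.31 445 41984
2013-12-02T04:10:00 10.116.240.31 203.0.113.45 21 5242880
2013-12-03T04:12:30 10.116.240.31 203.0.113.45 21 6291456
2013-12-03T09:00:00 10.116.50.5 10.116.240.200 445 1024
2013-12-03T10:00:00 10.116.200.7 192.168.5.9 21 2048
""".strip().splitlines()

if __name__ == "__main__":
    for alert in correlate_exfil(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```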

New Entry – Tor-based Malware to Steal Credit Card Data

Cyber criminals are showing increasing interest in malicious code for use in attacks against POS systems. Recently, researchers at RSA discovered a new variant of the Tor-based malware ChewBacca that is able to infect point-of-sale systems and steal credit card data.

One of the most interesting malware samples recently spotted by experts at Kaspersky Lab is ChewBacca, a Tor-based banking trojan that appeared very attractive to cybercriminals searching for an efficient and hard-to-detect financial malware. Security researchers at RSA have recently detected a new variant of ChewBacca that also implements a credit-card-stealing capability, a feature that makes it attractive for attacks against POS systems. The use of the Tor network helps botmasters hide their control infrastructure, making it difficult for law enforcement and security firms to eradicate the botnet. At the time I’m writing, it is still unknown how the ChewBacca infection is propagated.

According to RSA, the botnet based on the ChewBacca POS variant has been in use against customers in at least 11 countries (including the US, Russia, Canada and Australia) since October 25, 2013. It is able to steal credit card data through “keylogger” capabilities or by dumping the memory of the POS in search of credit card details.

“ChewBacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as Point-of-Sale (POS) systems. The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server,” reports RSA in the blog post.
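Both vSkimmer (the McAfee regex quoted earlier) and ChewBacca locate card data by matching magnetic-stripe track formats, so the same patterns serve the defender: scanning files found on a staging share, proxy-captured uploads or a memory dump converted to text for Track 1 / Track 2 records. The following is an added example, not code from McAfee, RSA or any of the malware families; the Track 1 pattern, the Luhn filter, the masking and the sample dump are my own construction, and the PANs are the standard 4111… and 5500… test numbers.

```python
import re
from dataclasses import dataclass

# Track 2 pattern as quoted in the McAfee vSkimmer write-up. The leading start
# sentinel ';' appears to have been lost in the published text and is restored here
# as optional; the separator class is kept as published ('D', '=' or \u0061, i.e. 'a').
# Group 1 = PAN, group 2 = expiry (YYMM) + service code + discretionary data.
VSKIMMER_TRACK2 = re.compile(r";?([3-9][0-9]{12,19})[D=\u0061]([0-9]{10,30})\??")

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B([0-9]{13,19})\^([^^?]{2,26})\^([0-9]{4})([0-9]{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: every real PAN passes it, so it cuts false positives from
    arbitrary digit runs (order ids, timestamps) that happen to fit the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so a report can be triaged without
    re-creating the very data the malware was after."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int
    masked_pan: str
    expiry_yymm: str
    service_code: str
    luhn_valid: bool
    offset: int


def scan_for_track_data(blob: str) -> list:
    """Return one TrackHit per track record found in the blob, ordered by offset.
    Records that fail Luhn are kept but flagged so an analyst can discount them."""
    hits = []
    for m in TRACK1.finditer(blob):
        pan = m.group(1)
        hits.append(TrackHit(1, mask_pan(pan), m.group(3), m.group(4),
                             luhn_valid(pan), m.start()))
    for m in VSKIMMER_TRACK2.finditer(blob):
        pan, tail = m.group(1), m.group(2)
        hits.append(TrackHit(2, mask_pan(pan), tail[:4], tail[4:7],
                             luhn_valid(pan), m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: the kind of file an analyst might pull from a staging share.
SAMPLE_DUMP = (
    "dump.txt written 2013-12-02 03:14:07, 3 records\n"
    ";4111111111111111=25121011234567890?\n"              # Track 2, Luhn-valid test PAN
    "%B5500000000000004^DOE/JOHN^2512101000000000000?\n"  # Track 1, Luhn-valid test PAN
    ";4111111111111112=2512101123456789?\n"               # Track 2 shape, fails Luhn
    "order_id=4820093311 total=19.99\n"                   # ordinary digits, no hit
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print(hit)
```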

The bot is able to collect track 1 and track 2 data of payment cards during purchases, as I described in my previous post on the malware:

The ChewBacca code was compiled with Free Pascal 2.7.1. Once executed on a Windows-based system, it drops itself as spoolsv.exe in the Startup folder and also drops a copy of Tor 0.2.3.25.

“After execution, the function “P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL” is called, which drops itself as “spoolsv.exe” into the “Startup folder” (e.g. C:\Documents and Settings\All Users\Start Menu\Programs\Startup) and requests the public IP of the victim via a publicly accessible service at http://ekiga.net/ip (which is not related to the malware). Tor is dropped as “tor.exe” to the user’s Temp and runs with a default listening on “localhost:9050”.

“The Chewbacca Trojan logs all keystrokes by the user to “system.log” under the user’s local Temp folder and then sends the data back to the botnet controllers via the Tor anonymity network. Chewbacca also enumerates all running processes and reads their process memory; another characteristic is that the C&C server is a LAMP platform (Linux, Apache, MySQL and PHP).”
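The host-level behaviour described above (spoolsv.exe dropped into the Startup folder rather than running from system32, tor.exe in the user’s Temp folder with a SOCKS listener on localhost:9050, a system.log keystroke file, and a public-IP lookup against ekiga.net) translates directly into a triage check. The following is an added example, not code from Kaspersky or RSA; the HostSnapshot structure, the per-user Temp path and both sample snapshots are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass, field

# Locations named in the descriptions quoted above. The per-user Temp path is an
# assumption (XP-era layout, user "posuser"); the write-up only says "the user's Temp".
ALL_USERS_STARTUP = r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
USER_TEMP = r"C:\Documents and Settings\posuser\Local Settings\Temp"
LEGIT_SPOOLER_DIR = r"C:\WINDOWS\system32"   # where the real print spooler lives
TOR_DEFAULT_SOCKS = ("127.0.0.1", 9050)
IP_LOOKUP_HOST = "ekiga.net"


@dataclass
class HostSnapshot:
    """Inventory of one terminal, as collected by whatever endpoint tooling is in place."""
    processes: list                                      # (image name, full path)
    listeners: list                                      # (bind address, port, owning image)
    files: list                                          # full paths present on disk
    http_hosts: list = field(default_factory=list)       # destinations seen in the proxy log


def _same_dir(path, directory):
    # ntpath handles Windows paths correctly even when this runs on another OS.
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory)


def _base(path):
    return ntpath.basename(path).lower()


def check_chewbacca_indicators(snap):
    """Return (indicator, evidence) pairs for every described ChewBacca trait present."""
    findings = []
    for name, path in snap.processes:
        if name.lower() == "spoolsv.exe" and not _same_dir(path, LEGIT_SPOOLER_DIR):
            findings.append(("spoolsv.exe running outside system32", path))
        if name.lower() == "tor.exe" and _same_dir(path, USER_TEMP):
            findings.append(("tor.exe running from user Temp", path))
    for path in snap.files:
        if _base(path) == "spoolsv.exe" and _same_dir(path, ALL_USERS_STARTUP):
            findings.append(("spoolsv.exe dropped in Startup folder", path))
        if _base(path) == "system.log" and _same_dir(path, USER_TEMP):
            findings.append(("keystroke log system.log in user Temp", path))
    for addr, port, owner in snap.listeners:
        if (addr, port) == TOR_DEFAULT_SOCKS:
            findings.append(("Tor SOCKS listener on localhost:9050", owner))
    if any(h.lower() == IP_LOOKUP_HOST for h in snap.http_hosts):
        findings.append(("public IP lookup via ekiga.net", IP_LOOKUP_HOST))
    return findings


def verdict(findings):
    """Two or more independent indicators on a payment terminal justify isolating it."""
    kinds = {indicator for indicator, _ in findings}
    if len(kinds) >= 2:
        return "isolate: likely ChewBacca"
    return "review" if kinds else "clean"


# Constructed snapshots: one infected terminal and one clean one.
INFECTED = HostSnapshot(
    processes=[("spoolsv.exe", LEGIT_SPOOLER_DIR + r"\spoolsv.exe"),
               ("spoolsv.exe", ALL_USERS_STARTUP + r"\spoolsv.exe"),
               ("tor.exe", USER_TEMP + r"\tor.exe"),
               ("pos.exe", r"C:\POS\pos.exe")],
    listeners=[("127.0.0.1", 9050, "tor.exe"), ("0.0.0.0", 3389, "svchost.exe")],
    files=[ALL_USERS_STARTUP + r"\spoolsv.exe", USER_TEMP + r"\tor.exe",
           USER_TEMP + r"\system.log"],
    http_hosts=["ekiga.net", "update.posvendor.example"],
)
CLEAN = HostSnapshot(
    processes=[("spoolsv.exe", LEGIT_SPOOLER_DIR + r"\spoolsv.exe"),
               ("pos.exe", r"C:\POS\pos.exe")],
    listeners=[("0.0.0.0", 3389, "svchost.exe")],
    files=[r"C:\POS\pos.exe"],
)

if __name__ == "__main__":
    for label, snap in (("INFECTED", INFECTED), ("CLEAN", CLEAN)):
        found = check_chewbacca_indicators(snap)
        print(label, verdict(found), found)
```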

RSA is supporting law enforcement in the investigation of the ChewBacca botnet; its experts have located the C&C servers and are alerting retailers to the risks posed by the malware. As explained in the post, retailers need to change their approach to security.

“Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plain text view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors,” states RSA.

The Expert’s Opinion

From my interview with Andrey Komarov, CEO at InterCrawler Intelligence Firm:

1) There has been a serious trend of POS malware incidents being detected during 2013. How do you explain it?

It is not a secret that point-of-sale malware appeared in 2012 and was used in quite private circles of cybercriminals and experienced hackers, that’s why it is hard to say that the threat is really new or exotic. On the other hand, around 2012-2013 more variants of the same malicious code were detected, such as Dexter, VSkimmer, BlackPOS/Kartoxa. All of them use the same technique, targeted at RAM scraping.

2) How is it possible to mitigate POS malware threats and to improve retailers’ security?

First of all, you need to make a deep audit of your systems and network environment, as in most cases the intrusions were done using misconfiguration errors in network equipment and insecure remote access to Windows-based POS terminals. US-CERT and Visa Inc. released several advisories about it. Hopefully retailers will pay attention to it. It is important to mention that most of today’s victims are franchise-based and self-owned, that’s why they use different means of network security while being part of the same brand, which makes the situation a bit complicated.

3) What is your prediction for 2013 – will it be a rapidly rising threat or not?

Without any doubt it is a serious and very rapidly developing cyber threat. I assume we will face not only similar attacks, but more sophisticated ones, using zero-day vulnerabilities in point-of-sale systems, as nobody has checked them in detail.

Conclusions

The security of POS systems must be carefully managed, because cybercrime is intensifying its activity, especially in those countries where credit/debit cards are still based only on the magnetic stripe instead of a microchip.

In this article we have analyzed the headline-making data breaches suffered by US retailers, but we must consider that the same attacks could target small businesses. That’s why I decided to close this post with the suggestions issued by VISA to retailers of every size:

  • Use strong POS Passwords
  • Update Your Software Applications
  • Restrict Internet Use
  • No Remote Access

References

http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/#more-24401

http://securityaffairs.co/wordpress/21141/cyber-crime/target-more-70-million-victims.html

http://securityaffairs.co/wordpress/21161/cyber-crime/target-also-neiman-marcus-retailer-confirmed-data-breach.html

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

http://securityaffairs.co/wordpress/21509/cyber-crime/author-blackpos-malware-professes-innocence-good-faith.html

http://securityaffairs.co/wordpress/21795/malware/tor-based-chewbacca-infect-pos.html

http://securityaffairs.co/wordpress/13292/malware/vskymmer-botnet-a-financial-malware-appears-in-the-underground.html

http://www.seculert.com/blog/2014/01/pos-malware-targeted-target.html

http://securityaffairs.co/wordpress/20605/cyber-crime/target-data-breach-40m-accounts.html

http://media.scmagazine.com/documents/60/kaptoxa_14816.pdf

http://threatpost.com/neiman-marcus-says-1-1m-cards-compromised-in-data-breach/103835

http://securityaffairs.co/wordpress/13213/cyber-crime/exclusive-details-on-investigation-of-group-ib-on-new-age-of-pos-malware.html

http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/