A Hacker’s Almanac


It has been nearly one year since the infamous Target breach, which took place at the height of the 2013 holiday shopping season and resulted in the theft of roughly 40 million payment card records along with personal data on up to 70 million customers.

And what a year it has been for consumers. In 2014 the disturbing trend of point of sale (POS) breaches continued unabated, at major and smaller retailers alike.

A recent analysis on RecordedFuture.com serves as a hacker’s almanac. “Many instances of new malicious code introduced more sophisticated capabilities and methods while others shared code and functionality from their predecessors,” they write.

The RecordedFuture.com post focuses on how its open source intelligence can be used to gain insight and provide the “big picture” on this epidemic, concentrating specifically on the following angles:

– Timeline of high-profile retailer breach events occurring over the past 12 months

– Techniques, tactics, and procedures employed by the POS malware used in the breaches

– Clues and insight into the attribution and origins of the POS malware

As the only full-service point of sale provider — from software development to franchise incubator to ongoing support — part of Sintel’s commitment to our customers and business community is to share relevant ideas, information and industry news.

Here are the highlights of “POS Malware Overview for the 2014 Holiday Shopping Season”:

• Headlines for high-profile POS data breaches over the last year:

– November 29, 2013. “The hackers that infiltrated Target’s point of sale terminals sometime before Black Friday last year were able to steal as many as 70 million credit and debit card records.”

– January 11, 2014. “Neiman Marcus announced that hackers had stolen some credit card information but has since said the attack was limited to fewer than 350,000 accounts.”

– March 17, 2014. “Sally Beauty Holdings confirmed Monday that it fell victim to a data breach, an incident that may have coincided with a project to update.”

– April 18, 2014. “Michaels — the nation’s largest arts and crafts chain — says it has contained a data security breach that could have affected up to 3 million credit cards.”

– August 4, 2014. “P.F. Chang’s China Bistro on Monday said the U.S. Secret Service had alerted the company to a possible credit and debit card security breach at 33 restaurants.”

– August 14, 2014. “SuperValu announced they had experienced a data security breach in June and July.”

– August 20, 2014. “The latest round of data breach revelations began on August 20, 2014, when officials with the United Parcel Service (UPS) confirmed that they had discovered a computer virus at 51 UPS Stores in 24 states.”

– August 20, 2014. “Home Depot confirms payment systems security breach.”

– September 24, 2014. “Jimmy John’s confirmed a payment card breach that affected about 216 of its locations in 40 states.”

– October 11, 2014. “Kmart has announced malicious software was found on their registers and credit and debit card information was stolen.”

• The RecordedFuture.com post contained a timeline summary of the tactics, techniques, and procedures used by today’s POS malware:

– Stealing Track 1 and Track 2 data from the magnetic stripes of payment cards

– Using HTTP POST requests to check for updates

– Command and control capabilities with bot masters

– Code injection for monitoring processes running in memory

– Firewall evasion techniques and HTTP drop and load tactics

– Memory scraping combined with form grabbing functions

– RDP-enabled C2 communications

– Brute-force attacks against weak terminal passwords

– Scanning for vulnerable RDP-enabled, Windows-based payment systems

– Malicious binaries masquerading as media files

– Autorun registry entries to gain persistence

– Malicious code written in Visual Basic to evade detection

– Exfiltration of data via DNS

– Key logging functionality
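To make the first items on that list concrete, here is an added example (ours, not code from the RecordedFuture post) showing what a memory scraper is looking for: the Track 1 and Track 2 framing, the Luhn check that separates real card numbers from other digit runs, and the service code that tells a terminal whether the card carries an EMV chip. The memory buffer and card numbers are constructed test data, and a defender can run the same logic against a process memory dump to confirm whether unencrypted track data is present on a terminal.

```python
import re

# Constructed sample of what a POS process's memory might hold between a
# swipe and authorization: track data surrounded by unrelated bytes. The
# PANs are the standard Visa/Mastercard test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x01unrelated heap contents\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"   # Track 1
    b"\x00\x00order 1234567890123 total 41.99\x00"           # digits without track framing
    b";4111111111111111=25121011000000000?"                  # Track 2, same card
    b";5555555555554444=27062011234567890?"                  # Track 2, chip card (service code 201)
    b";1234567890123456=25121010000?"                        # fails Luhn: a false positive to drop
    b"\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,80})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; scrapers use it to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def chip_card(service_code: str) -> bool:
    """A first service-code digit of 2 or 6 means the card carries an EMV chip."""
    return service_code[0] in "26"


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits, the way a PCI-compliant log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_track_data(buf: bytes) -> list:
    """Return every Luhn-valid Track 1/Track 2 record found in the buffer."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan,
                         "name": m.group(2).decode("ascii", "replace"),
                         "expiry": m.group(3).decode(),
                         "service_code": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan, "name": None,
                         "expiry": m.group(2).decode(),
                         "service_code": m.group(3).decode()})
    return hits


if __name__ == "__main__":
    for h in scrape_track_data(SAMPLE_MEMORY):
        kind = "chip" if chip_card(h["service_code"]) else "magstripe-only"
        print(f"track {h['track']}: {mask_pan(h['pan'])} exp {h['expiry']} ({kind})")
```

Note that the digit run in the "order" string and the Luhn-invalid record are both ignored; that filtering is exactly why scrapers produce clean dumps, and it is also why a defender's scan of a terminal's memory can use the same patterns with few false positives.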

• RecordedFuture.com’s tracking of recent POS malware activity yields the following observations:

– POS malware is affecting retailers on a global scale.

– Selling stolen payment data on card sites has become a lucrative business for cyber criminals.

– Botnets have become an integral part of the malicious infrastructure and share code with other well-known malicious campaigns such as Zeus and Citadel.

– Some POS malware appears to target specific retail segments, like food and beverage.

– There is likely a larger population of retailers who have been breached without publicly disclosing, and this activity is ongoing and will continue for the foreseeable future.

• The RecordedFuture.com post contained a timeline summary of attribution clues as reported by public web data:

– Dexter has been lurking around since circa 2012, and many of the newer variants borrow its code and functionality.

– Dexter had a large presence in the Middle East before making its way to the West, suggesting it may have been authored by a foreign entity.

– BlackPOS was attributed to a 17-year-old Russian who uses the handle “Ree4.”

– Ree4 has allegedly sold 40 builds of the BlackPOS code kit to cybercriminals, who in turn run a lucrative business selling stolen data on “card shops” such as Rescator, Trak2.name and Privateservices.biz; many more are yet to be uncovered.

– The Decebal malware has been linked to coders in Romania.

– Decebal, VSkimmer and JackPOS have allegedly been used by a criminal known as “Rome0,” likely a Romanian cyber criminal or gang of organized cyber criminals.

– FrameworkPOS contained strings and hidden anti-US military messages, indicating possible sponsorship by a nation-state threat actor or a hacktivist group with different motives.

• Based upon the above timelines and observations, RecordedFuture.com lists the following conclusions:

– Analysis of POS malware has been a mounting challenge for information security professionals and researchers throughout the global community.

– Each successive breach and new malware strain seems to be closely related or at least bears resemblance to its predecessor.

– RecordedFuture.com believes that a large portion of analysis has been riddled with misattribution and convolution for two reasons. “First, many of the important technical details and indicators remain barricaded behind the red tape of law enforcement investigations, so actual samples of malicious code have been sparse until very recently,” they write. “Secondly, the malware variants being discovered have functional symmetry and structure but are being used by a wide and diverse set of threat actors; some acting alone, others in highly organized fashion and others with clear political and possibly even militant agendas.”

– RecordedFuture.com believes we are dealing with an increasingly sophisticated and well-orchestrated set of adversaries on multiple fronts. This also applies to the broader cyber threat landscape. “One has to wonder if there’s a state-sponsored adversary at play here, intent on disrupting the US economy by dismantling consumer confidence and trust,” they write. “Retailers will have to be vigilant about protecting their consumers’ credit card and other personal data by investing in new payment card technology and manufacturers will need to innovate systems that are less prone to exploitation.”

– RecordedFuture.com says it will take some time for the consumer to regain trust in the wake of these breaches. “Some retailers have already begun to transition, or have publicly stated their plans to upgrade, to the newer and more secure EMV payment systems, also known as chip and PIN,” they write. “This technology has already been widely adopted throughout Europe and while it may help mitigate some of the risk of today’s credit card theft at the terminal, it will by no means be a silver bullet.”

– RecordedFuture.com says retailers will need to couple the adoption of new payment technology with sound security practices, including a more advanced capability to monitor threats and suspicious activity in their network traffic, both inside the network and at its boundary with the outside world.

• RecordedFuture.com lists the following action steps for consumers to protect themselves:

– Understand that deciding to do all your shopping online will not make you immune to credit card theft.

– Keep all of your receipts for no less than a year. Your receipts effectively become a timestamp you can use to cross reference against future retailer public breach disclosures.

– Consider doing business with companies that have already publicly disclosed being breached. This may sound crazy, but consider the possibility they are likely more aware of the threat landscape and are actively engaged in deploying enhanced detection capabilities and refining their mitigation strategies to avoid further public scrutiny. In the end, use your best judgment.

– See what alerting options your bank provides for suspicious transactional activity.

– Don’t be afraid to inquire within. Ask your local retailer what they can share about their mitigation strategy as it pertains to protecting you, the consumer, from POS malware.

• RecordedFuture.com lists the following action steps for retailers to mitigate a breach:

– Enforce a strict and comprehensive encryption policy on all your transactions.

– Define B2B encryption end-points for your data transaction infrastructure. Know where your encrypted data should go and where it should come from.

– Standardize your encryption algorithms.

– Monitor for deviations from your encryption policy.

– If encrypted traffic is going somewhere outside of your defined policy, you should have an alert setup on a monitoring device to inform you.

– If you see an encryption algorithm in use on your network other than what you have standardized on, you should have an alert setup to inform you.

– Do a manual inspection of your POS terminals at the beginning and end of each shift.

– Look for USB sticks and suspicious panels or devices attached to your payment terminals. There is an active market for stealthy card skimmers, and they can be tricky to spot in plain sight.

– Enforce strong password policies across your entire corporate network, especially on your payment terminals. Consider using multi-factor authentication if you haven’t already deployed it.

– Consider deploying custom detection content that flags anomalies in HTTP headers along with suspicious-looking POST and GET requests; attackers will often communicate in the clear while evading traditional detection.

– Make sure your systems are patched and up-to-date. Consider routine vulnerability scanning and red-team testing.
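Here is an added example (ours, not from the RecordedFuture post) of how the encryption-policy and HTTP-monitoring steps above could be turned into detection logic. The subnet, host names, client string and log format are assumptions made for the example; the log lines are constructed, and the alerts mirror the policy deviations the list describes: encrypted traffic to an endpoint outside the defined B2B set, a non-standard protocol version or cipher, a cleartext POST from a terminal to an unknown host with an unexpected User-Agent, and a DNS query carrying a long hex label of the kind used for exfiltration.

```python
from ipaddress import ip_address, ip_network
import re

# Assumed environment (not from the RecordedFuture post): the POS terminals
# live in one subnet and are only supposed to speak TLS to the payment
# gateway and plain HTTP to the vendor's update host.
POS_SUBNET = ip_network("10.20.0.0/24")
PAYMENT_ENDPOINTS = {"gateway.payments.example"}      # assumed B2B encryption end-points
HTTP_ALLOWED_HOSTS = {"updates.posvendor.example"}    # assumed update server
EXPECTED_USER_AGENTS = {"PosClient/4.2"}              # assumed POS software client string
ALLOWED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}         # the standardized algorithms
ALLOWED_CIPHERS = {"ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256"}
HEX_LABEL = re.compile(r"^[0-9a-f]{30,}$")            # long hex-only DNS label

# Constructed log lines in a simple key=value format, one event per line.
SAMPLE_LOG = """\
ts=2014-11-28T09:00:01 src=10.20.0.15 dst=gateway.payments.example dport=443 proto=tls tls=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
ts=2014-11-28T09:00:07 src=10.20.0.15 dst=203.0.113.45 dport=443 proto=tls tls=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
ts=2014-11-28T09:01:12 src=10.20.0.16 dst=gateway.payments.example dport=443 proto=tls tls=TLSv1.0 cipher=RC4-SHA
ts=2014-11-28T09:02:30 src=10.20.0.15 dst=198.51.100.7 dport=80 proto=http method=POST uri=/upload.php ua=- bytes_out=524288
ts=2014-11-28T09:02:31 src=10.20.0.16 dst=updates.posvendor.example dport=80 proto=http method=POST uri=/check ua=PosClient/4.2 bytes_out=312
ts=2014-11-28T09:03:05 src=10.20.0.17 dst=resolver.corp.example dport=53 proto=dns query=4a4f484e444f4534313131313131313131313131313131.t2.badexample.net
ts=2014-11-28T09:03:06 src=10.20.0.17 dst=resolver.corp.example dport=53 proto=dns query=time.windows.com
ts=2014-11-28T09:04:00 src=10.30.0.5 dst=203.0.113.45 dport=443 proto=tls tls=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
"""


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def check_event(ev: dict) -> list:
    """Return (rule, ts, src, dst, detail) tuples for the policy deviations in one event."""
    alerts = []
    if ip_address(ev["src"]) not in POS_SUBNET:
        return alerts  # only traffic from the payment terminals is in scope here
    ts, src, dst = ev["ts"], ev["src"], ev["dst"]
    if ev["proto"] == "tls":
        if dst not in PAYMENT_ENDPOINTS:
            alerts.append(("encrypted_to_undefined_endpoint", ts, src, dst, f"port {ev['dport']}"))
        if ev["tls"] not in ALLOWED_TLS_VERSIONS or ev["cipher"] not in ALLOWED_CIPHERS:
            alerts.append(("nonstandard_encryption", ts, src, dst, f"{ev['tls']} {ev['cipher']}"))
    elif ev["proto"] == "http":
        if ev.get("method") == "POST" and dst not in HTTP_ALLOWED_HOSTS:
            alerts.append(("cleartext_post_unknown_host", ts, src, dst,
                           f"{ev.get('uri')} {ev.get('bytes_out')} bytes"))
        if ev.get("ua", "-") not in EXPECTED_USER_AGENTS:
            alerts.append(("anomalous_user_agent", ts, src, dst, ev.get("ua", "-")))
    elif ev["proto"] == "dns":
        first_label = ev["query"].split(".")[0]
        if HEX_LABEL.match(first_label):
            alerts.append(("dns_exfil_suspect", ts, src, dst, ev["query"]))
    return alerts


def scan_log(text: str) -> list:
    """Run every non-empty line through check_event and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alerts.extend(check_event(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for rule, ts, src, dst, detail in scan_log(SAMPLE_LOG):
        print(f"{ts} {rule:32} {src} -> {dst} ({detail})")
```

In practice the events would come from a network sensor such as Zeek or from proxy, firewall and DNS logs rather than a string, and the allowlists would be generated from the retailer's own documented payment and update flows; the point is that once those end-points and algorithms are written down, every deviation becomes a simple, cheap alert.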

Read the full RecordedFuture.com post here.

For more insights into point of sale security, check out our related posts, Criminals Hit Their Target, 40 Million Cards Affected, U.S., Canada and Others Hit By POS Infections, P.F. Chang’s China Bistro Gets Targeted, “Backoff” Tracking Memory, Taking Credit, and Breaking Point Of Sale.

Just as Sintel shares our vast point of sale experience and expertise with startup owners in order to help them make the best decisions from the very beginning, we are happy to share articles, advice and commentary about retail point of sale and security.

Whether you’re a first-time franchise hopeful, a small business owner or an established chain, it’s always smart to stay on top of the latest point of sale best security practices to achieve financial success.

If you are interested in learning more about Sintel’s point of sale systems and how our knowledge and support can impact your future success, call us for a complimentary phone consultation.

Sintel Systems is the only direct to end user full-service provider of tailored Point of Sale systems across retail, restaurant and service industries, including frozen yogurt shops, pizzerias, sushi restaurants, cafés and retail stores.

As a single source for business solutions, our experienced, knowledgeable team negotiates the complex POS landscape for you to enable you to find the right POS system for your business and budget. Hardware – Software – Support

Questions or Comments: Contact us 855-POS-SALES www.SintelSystems.com
