POS Malware Advances, Outpacing Defenders' Efforts

By Robert Lemos  |  Print this article Print

Despite using fairly common techniques to compromise networks and steal data, attackers targeting point-of-sale systems are regularly sneaking past defenders, according to the latest report from Arbor Networks.

Online thieves are expanding their use of malware to steal credit- and debit-card information from point-of-sale systems, easily defeating many defenders' uneven efforts to keep them out, according to a report released on May 12 by Arbor Networks, a network security firm.

While a variety of different types of malware are popular among digital thieves, most are not that sophisticated and could be detected by vigilant companies, the report stated. Yet, in many of the most public retail breaches, the attacker had access to the victim's network for more than 100 days.

Small companies do not have the security expertise to deal with securing their networks and detecting attacks, while the complexity of large corporate networks makes detecting the signs of an attack more difficult, Curt Wilson, an analyst with Arbor's Security Engineering & Response Team (ASERT), told eWEEK.

"When you are a large organization, it only takes one error in permissions or one error in access controls—all it takes is one hole like that to allow attackers to get in," he said.

The Arbor report describes many of the existing malicious programs that target point-of-sale (POS) systems and the ways that companies can detect the telltale signs of infections by such malware. BlackPOS, well-known for its use in the breach of retailer Target, searches for internal systems and has some specific encryption keys that could tip off IT administrators to its presence. Alina, another popular malware program, uses a 666 response code that, with other indicators, could be a way to detect the program.

The menagerie of malware shows that attacks on POS systems have evolved from simple compromises that exfiltrated card data to memory-scraping malware controlled by botnet infrastructure, Wilson said. Detecting and blocking such attacks should not be difficult, he said.

"I know that innovation gets people's attention, but the same techniques that people have been using for a long time still work," Wilson said. "So companies need to beef up on Security 101."

A sign of the imbalance between defenders and the thieves targeting their systems is the amount of time that attackers are able to stay undetected inside a target's network. While the sheer size of the Target breach led to its detection within 19 days, other breaches took much longer, according to the report. The breach of Neiman Marcus' systems took 107 days to detect, and the breach of Aaron Brothers' POS infrastructure required 147 days.

Arbor warned that companies should focus on looking for signs of compromise among their most sensitive systems, such as POS terminals.

"Organizations of all sizes are encouraged to seriously consider a significant security review of any PoS deployment infrastructure to detect existing compromises as well as to strengthen defenses against an adversary that continues to proliferate and expand attack capabilities," Arbor stated in the report.

Fast detection of breaches and quick incident response are just as important—and it could be argued, more important— than keeping attacks out, Wilson said.

"It is a pipe dream to think that an organization has not been breached or will never be breached," he said. "The ability to detect an incident quickly is important, and having intelligence that gives good context and allows personnel to prioritize activities helps immensely."

Originally published on www.eweek.com.