
POS malware mayhem: POS and the return of POS

David Geer | Oct. 2, 2014
Variations, dated versions, resurrections, and how to vanquish them all.

[Image: POS machine. Credit: Shutterstock]

Don't think for an instant that once POS malware is defeated the first time, it's gone for good. These attacks have a habit of resurrecting themselves, with a lot of help from criminal hackers.

"The U.S. Secret Service and Trustwave researchers identified, analyzed, and named the Backoff POS malware, which has affected at least 1K businesses across the country," says Karl Sigler, Threat Intelligence Manager, Trustwave. But while the security world is buzzing about Backoff POS and the BlackPOS malware that infiltrated Target last year, other POS malware is afoot, evolving, and potentially surging and resurging at any time.

"With each POS malware success (in terms of media coverage and organizational disruption), it's also likely that attackers are contemplating even more aggressive methods of accessing valuable data," says Gregg Aamoth, Co-Founder, POPcodes and former vice president and privacy officer, Macy's, Inc.

With that, CSO opens a sort of "Pandora's Box" of POS malware strains including Dexter, Alina, vSkimmer, TriForce, and OG, examining their ilk, ebb, and flow, and outlining the solution to POS malware attacks.

Old POS malware could be new again
POS malware strains such as Dexter, Alina, and vSkimmer have been the focus of security experts since before Backoff POS, says Aamoth. Dexter infiltrated systems with stealth, stole process lists, and sorted through memory dumps to acquire payment card data. It also used a command and control server. "Dexter was also the first POS malware family to add a keylogger to its toolset," says Aamoth.

Once security professionals logged Dexter's behaviors and revealed its server domains, it became less effective so long as potential victims took note, plugged holes in security, and updated security technologies that use signatures to recognize known malware behaviors. But Dexter still threatens stores that do nothing and it will almost certainly evolve, successfully applying new behaviors and domains to future attacks.

Alina had a number of capabilities, taking an approach similar to Dexter's. But Alina could update itself while on the infected system, making it more nimble. Though the industry has learned its behaviors, the same rules apply: in its known form it is a threat to those who do nothing, and it can evolve to envelop new behaviors, wreaking havoc again.

The vSkimmer POS malware, or virtual skimmer, updates firewall rules and makes a number of system changes to hide and accommodate itself. It can copy data to a USB drive when the Internet is not available for data transfers. As with other POS malware, an enterprise that doesn't take the necessary mitigation steps risks suffering from the current version of this attack, and an enterprise that doesn't do enough to protect itself could remain at risk from future forms of vSkimmer.
