
POS malware mayhem: POS and the return of POS

David Geer | Oct. 2, 2014
Variations, dated versions, resurrections, and how to vanquish them all.

The same warnings and premonitions apply to other POS malware, including the new Soraya strain, the Tor-based Chewbacca, and Citadel. Just about any group with the right coding skills could take one of these, insert its own additions and changes, and launch new attacks using new server addresses.

POS Malware Going Out of Style
TriForce and OG are two POS malware strains that are growing less effective, each for good reason. "We still see TriForce. It was the third most prevalent POS malware in the past year," says Sigler. But TriForce has its weaknesses, stemming largely from a lack of funding, a recurring problem with the lesser POS malware families.

While some criminal groups can afford to outsource their code to get quality programmers, others cannot. The hackers who wrote TriForce POS coded it in such a way that it consumes more system resources than it should, which makes it conspicuous on the terminal. The lower quality work suggests that these hackers lacked the funding to hire skilled coders. Once the industry became familiar with TriForce and its behaviors, its odds of success diminished.

OG POS is dated. "The OG POS malware family is four years old and has fallen out of fashion," says Sigler. Because they also lacked funding, the criminals who created OG POS built it with the tools they could most easily access. Though OG suited their needs at the time, it never encrypted the payment card data it exfiltrated, so that data left the network in cleartext, where DLP programs can recognize it. This weakness contributed to OG POS' ultimate downfall.
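As an added example of the DLP-style check the paragraph refers to (this is not code from the article or from any DLP product), the script below looks for cleartext magnetic-stripe track data in outbound payloads and validates candidate card numbers with the Luhn checksum so that random digit runs do not trigger it. The egress records, destinations and card numbers are constructed for illustration; the track-1 and track-2 layouts are the standard ISO 7813 formats.

```python
"""Added example: spot cleartext payment-card track data in outbound traffic,
the weakness the article attributes to OG POS. Sample data is constructed."""
import re

# Constructed sample of (destination, payload) pairs an egress sensor might
# capture from a POS terminal. Card numbers are well-known test PANs.
SAMPLE_EGRESS = [
    # Cleartext track 2 data, as an OG-style exfil would send it
    ("203.0.113.10:8080",
     b"GET /up.php?d=;4111111111111111=25121010000000000000? HTTP/1.1"),
    # Cleartext track 1 data
    ("203.0.113.10:8080",
     b"POST /up.php %B5500000000000004^DOE/JOHN^25121011000000000000000?"),
    # A digit run that is not a valid PAN (fails Luhn); must not alert
    ("198.51.100.7:443", b"id=4111111111111112=2512101"),
    # An opaque blob, the kind of thing an encrypting strain would send
    ("198.51.100.7:443", b"x=U2FsdGVkX1+9a7kq3mPz0Z1s9dQeGh6Jr4tVw=="),
]

# Track 2: PAN (13-19 digits) '=' expiry YYMM + 3-digit service code ...
# The lookbehind stops us matching the tail of a longer digit run.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})")
# Track 1: '%B' PAN '^' cardholder name '^' expiry YYMM + service code ...
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})")


def luhn_ok(pan):
    """Luhn mod-10 check over an ASCII digit string given as bytes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # iterating bytes yields ints; 48 is ord('0')
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(payload):
    """Return (track, pan) pairs for every Luhn-valid PAN found in payload."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        if luhn_ok(m.group(1)):
            hits.append(("track2", m.group(1).decode()))
    for m in TRACK1_RE.finditer(payload):
        if luhn_ok(m.group(1)):
            hits.append(("track1", m.group(1).decode()))
    return hits


def mask(pan):
    """Keep BIN and last four so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_egress(records):
    """Run the track-data check over (destination, payload) records."""
    alerts = []
    for dst, payload in records:
        for track, pan in find_track_data(payload):
            alerts.append({"dst": dst, "track": track, "pan": mask(pan)})
    return alerts


if __name__ == "__main__":
    for a in scan_egress(SAMPLE_EGRESS):
        print("cleartext %s data to %s: %s" % (a["track"], a["dst"], a["pan"]))
```

Only the two cleartext records produce alerts; the Luhn-invalid digit run and the opaque blob pass silently, which is exactly why a strain that encrypts before exfiltration defeats this kind of pattern match and must be caught elsewhere (process behaviour, destination reputation, volume).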

How POS malware enters
According to Sigler, criminal hackers are getting POS malware in by using brute force tools such as Medusa or THC-Hydra in automated attacks against the weak login credentials of the third-party vendors that support POS systems remotely. "A lot of businesses buy or rent POS systems and count on those vendors for support," says Sigler. The third-party vendors connect remote desktop software such as LogMeIn, Chrome Remote Desktop, and Apple Remote Desktop to the POS systems they support. These POS system vendors often use easily guessed usernames and passwords with this software, which are exactly the credentials a brute force tool's wordlist will hit.

To find the remote desktop software and its login pages, hackers scan networks using free, off-the-shelf port scanners, looking for live IP addresses where the ports used by remote desktop software are open. "They even use botnets to do the scanning for them," says Sigler.
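The defender's counterpart to the attack above is to notice the guessing while it happens. The script below, an added example that is not part of the article, runs a sliding-window brute-force detector over remote-access authentication logs: it flags a source that fails too many logins within a short window, reports how many distinct usernames it tried (a dictionary attack on the vendor's support accounts shows up as many users from one source), and raises a second, higher-priority alert when that same source then logs in successfully. The log lines, their format, the 60-second window and the threshold of five failures are all constructed assumptions; LogMeIn, Chrome Remote Desktop and Apple Remote Desktop each log differently, so the parser is the part to adapt.

```python
"""Added example: brute-force detection over constructed remote-access logs.
Line format, window and threshold are assumptions, not any product's defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt: one source guessing vendor-style account names,
# then getting in; a legitimate technician fails once and retries later.
SAMPLE_LOG = """\
2014-09-30T02:14:01 FAIL user=admin src=198.51.100.23
2014-09-30T02:14:02 FAIL user=administrator src=198.51.100.23
2014-09-30T02:14:02 FAIL user=pos src=198.51.100.23
2014-09-30T02:14:03 FAIL user=support src=198.51.100.23
2014-09-30T02:14:04 FAIL user=vendor src=198.51.100.23
2014-09-30T02:14:05 FAIL user=admin src=198.51.100.23
2014-09-30T02:14:06 OK user=support src=198.51.100.23
2014-09-30T09:00:10 FAIL user=support src=192.0.2.40
2014-09-30T09:05:12 OK user=support src=192.0.2.40
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(lines):
    """Yield (timestamp, success, user, src) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines the assumed format does not cover
        yield datetime.fromisoformat(m.group(1)), m.group(2) == "OK", m.group(3), m.group(4)


def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return alerts for brute forcing and for a success that follows it."""
    alerts = []
    recent_fails = defaultdict(deque)  # src -> deque of (ts, user) in window
    flagged_at = {}                    # src -> ts when brute force was flagged
    for ts, ok, user, src in parse(lines):
        q = recent_fails[src]
        while q and ts - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if not ok:
            q.append((ts, user))
            if len(q) >= threshold and src not in flagged_at:
                flagged_at[src] = ts
                alerts.append({
                    "kind": "brute_force", "src": src, "user": None,
                    "failures": len(q),
                    "users_tried": len({u for _, u in q}),
                    "at": ts.isoformat(),
                })
        elif src in flagged_at and ts - flagged_at[src] <= window:
            # A success right after a flagged burst means a guess landed.
            alerts.append({
                "kind": "success_after_brute_force", "src": src,
                "user": user, "failures": len(q),
                "users_tried": len({u for _, u in q}),
                "at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The technician at 192.0.2.40 never trips the detector because a single failure followed by a success five minutes later falls outside the window; the guessing source trips it on its fifth failure and again when the `support` guess succeeds. Pairing this with account lockout or, better, replacing shared vendor passwords with per-technician credentials and a second factor removes the class of attack rather than just detecting it.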

Why POS malware is effective, what to do about it
"These third-party vendors are not in the security business. They want to provide service in the most cost-beneficial manner they can. Security doesn't demonstrate an up-front benefit. They can't say they saved X amount of money by using security. It takes a few successful attacks for them to learn to apply basic security," says Sigler.
