According to Cisco’s Security Solutions team, there is a new malware family targeting point-of-sale (PoS) systems, infecting machines to scrape memory for credit card information and send the payment card data to servers for harvesting and, likely, resale. This malware, which the group has nicknamed PoSeidon, works like this:
Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PCWorld reported, PoSeidon communicates directly with external servers and can update itself automatically, and also has defenses against reverse engineering.
PoS malware using the “memory scraping” technique also caused the Home Depot and Target data breaches. In the latter, hackers were able to save names, credit card numbers, expiration dates, security codes from the backs of cards and encrypted PINs when at least 40 million customers swiped at in-store registers.
“The new PoSeidon malware has retailers on alert, particularly as the frequency and relative ease with which POS system breaches are occurring is forcing them to take a closer look at their IT infrastructure and reassess how secure it actually is,” said Andrew Avanessian, EVP of consultancy and technology services at security firm Avecto. “It is also prompting many to ask, what will it take to get ahead of these attacks?”
Avanessian believes the answer is clear: a more defense-in-depth approach to security. “While perimeter technologies like firewalls can prevent against certain types of external attack, it cannot block malware that has already found its way onto endpoints within an organization,” he explained. “With a multi-layered security strategy that incorporates solutions like patching, application whitelisting and privilege management, organizations can more effectively protect against the spread of malware, defending their valuable assets and ultimately their reputation.”
As I wrote in the March 2014 issue of Risk Management, the adoption of EMV chip technology presents one of the most promising ways to increase PoS security. Already common in Europe, EMV technology—named for its founders, Eurocard, MasterCard and Visa—utilizes embedded chips that, unlike magnetic strips, make it nearly impossible to counterfeit cards. In Europe, 81% of cards have EMV chips, and countries that have adopted the technology saw sharp declines in credit card fraud. Meanwhile, the United States accounts for 27% of worldwide credit transactions, but sees 47% of card fraud.
As organizations roll-out chip and pin technology across the country, these breaches may start to decline, Avanessian agrees, but he urges a more holistic approach to fighting PoSeidon and other PoS malware. “EMV (or chip-and-pin) will absolutely help stop card fraud, however, retailers should not become complacent and think this is the silver bullet they have been waiting for,” he said. “Yes it will help stop fraud once the details have been stolen, but it does not stop businesses from being breached. Companies gather a huge amount of data about their patrons, such as names and addresses, and this data is still valuable to fraudsters. Unless retails take a multi-layer defense-in-depth approach to security, they will still get breached.”
To prevent consumers from losing and shopping elsewhere, Avanessian believes it is critical to evolve the means of combatting cyberattack just as the means of hacking has changed. “In our experience, retailers are still relying on antiquated ‘detection’-based technologies to keep the bad guys out. They all spent hundreds of thousands of dollars on detection, yet they still get breached,” he said. “The world has changed, the players have changed, cyberattacks are now a trillion dollar industry—the approach has to change.”