Point of Sale Threat Actor Attribution Through POS Honeypots
Kyle Wilhoit
Sr. Threat Researcher
Trend Micro
Sensitive & Confidential, Trend Micro 2016
#whoami
• Spoke at many conferences worldwide, including Blackhat
• Specialize in threat intelligence, offensive security, and ICS
• Master’s in Computer Science
• Bachelor’s in Computer Science
@lowcalspam
Objective… WHO IS BEHIND POS SYSTEM ATTACKS
Merchant: Goods and services provider that accepts credit card payments
Acquiring Bank: Bank that processes and settles a merchant’s credit card transactions with an issuer
Issuing Bank: Bank or financial institution that issues credit cards to consumers
Payment Services Provider: Third-party service provider that handles payment transactions between the merchant’s bank and the acquirer’s bank
“Regular” Merchant Transactions
Large Merchant Transactions
Why Attack POS Systems?
• Old operating systems
• Multiple components (Network, bot, kill switch)
• Multiple exfil methods supported
• Generally unpatched
POS RAM Scraping - Credit Card Data
POS RAM Scraping - Quick Overview
POS RAM Scraping Malware - A Family Affair
POS Honeypots for Intel
• To track actor movement, honeypot was created
• Fake credit card information was used
• Fake names/personas
• Fake companies
• “Embedded” documents
• Acting as a Merchant
POS Honeypots for Intel
Hardware/Software
• Radiant POS 1220C
  – Microsoft Embedded XP
  – Microsoft Embedded POSReady 7
  – Windows Embedded Compact 2013
  – Aloha POS
• Additional virtualized environments
• Fake credit card generator
Legal Disclaimer!
Fake Company
• MLOT Coffee Company
• Created website to entice attackers
  – Primarily for use when facing POS system on Internet
Architecture
Honeypot Considerations
• Username:Password
  – Aloha:Password
• Kept default install
  – Default VNC credentials
  – Unencrypted VNC connection
  – Etc.
• Customized to come from MLOT Coffee Company
Fake Credit Card Generator
• Python script to generate fake credit card numbers and dump them into memory, generating fake transactions
• Multiple output methods to target many families
  – Luhn algorithm
  – Track 1/Track 2 dumps
  – Credit card numbers between 13 and 19 digits
  – Track delimiter (^)
• Randomly generated to track on UG
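The slide describes the honeypot's fake card generator only in bullet form. The script below is an added example, not the deck's own tool: it produces Luhn-valid PANs of 13 to 19 digits, lays them out as Track 1 / Track 2 data with the ^ field delimiter that RAM-scraper families key on, and keeps them resident in a writable buffer so a scraper sweeping the process would pick them up. The persona names, issuer prefixes, expiry range and function names (`luhn_check_digit`, `generate_honeytokens`, `seed_process_memory`) are assumptions for this example; the seed argument is there so a batch can be regenerated and recognised later if it surfaces for sale.

```python
"""Honeytoken card generator in the style of the deck's fake credit card generator.

Added example, not the deck's own script.  Personas, issuer prefixes and expiry
ranges are constructed assumptions.
"""
import random
import string

# Constructed personas (LAST, FIRST) for the Track 1 name field; assumption.
PERSONAS = [
    ("BLUE", "CHARLES"),
    ("WAFER", "BARBARA"),
    ("GRIFFIN", "LAURA"),
    ("EVANS", "JAMES"),
]
# Constructed issuer prefixes so PANs resemble real card ranges; assumption.
PREFIXES = ("4", "51", "52", "53", "54", "55")


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    # Walk right to left; the rightmost digit of the partial sits next to the
    # check digit, so it is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when pan is all digits and its last digit is the Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def generate_pan(rng: random.Random, prefix: str, length: int) -> str:
    """Random Luhn-valid PAN of the requested length (13 to 19, as on the slide)."""
    if not 13 <= length <= 19:
        raise ValueError("PAN length must be between 13 and 19 digits")
    body = prefix + "".join(rng.choice(string.digits) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def track1(pan: str, last: str, first: str, yymm: str, service_code: str = "101") -> str:
    """Track 1 layout: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?"""
    return f"%B{pan}^{last}/{first}^{yymm}{service_code}000000000000?"


def track2(pan: str, yymm: str, service_code: str = "101") -> str:
    """Track 2 layout: ;<PAN>=<YYMM><service code><discretionary>?"""
    return f";{pan}={yymm}{service_code}0000000000?"


def generate_honeytokens(count: int, seed: int) -> list:
    """Build count fake cards; a fixed seed makes the batch reproducible so the
    same PANs can be recognised if they later show up in a listing."""
    rng = random.Random(seed)
    tokens = []
    for _ in range(count):
        last, first = rng.choice(PERSONAS)
        pan = generate_pan(rng, rng.choice(PREFIXES), rng.randint(13, 19))
        yymm = f"{rng.randint(18, 22):02d}{rng.randint(1, 12):02d}"
        tokens.append({
            "pan": pan,
            "name": f"{first} {last}",
            "exp": yymm,
            "track1": track1(pan, last, first, yymm),
            "track2": track2(pan, yymm),
        })
    return tokens


def seed_process_memory(tokens: list) -> bytearray:
    """Keep the track strings in a writable buffer; on the honeypot this is the
    data a RAM scraper sweeping the process would find and exfiltrate."""
    buf = bytearray()
    for t in tokens:
        buf += f"{t['track1']}\n{t['track2']}\n".encode("ascii")
    return buf


if __name__ == "__main__":
    batch = generate_honeytokens(3, seed=2015)
    resident = seed_process_memory(batch)
    for t in batch:
        print(t["pan"], t["name"], t["exp"], "luhn_ok" if luhn_valid(t["pan"]) else "BAD")
    print(f"{len(resident)} bytes of track data resident in memory")
```

Keeping the batch seed (or the emitted PAN list) alongside the honeypot it was planted on is what turns these numbers into tracking tokens rather than mere test data: a PAN that the generator never produced cannot be attributed, and one that it did can be tied to a specific machine and time window.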
Three Execution Locations
• Execute malware directly on POS system
• Execute malware directly on batch processor
• Hung off Internet and wait
Execution on PoS System
Any Bites?
5103997799204658|0519|0175|Charles Blue|Cupertino|5953 Countess Dr|95129|CA|US
5529876429582855|0919|058|Barbara Wafer|College Park|2087 Flanigan Oaks Drive|20741|MD|US
5111387990819704|0521|585|Laura D Griffin|Waco|3160 Hill Haven Drive|76706|TX|US
5446387373227851|0321|244|James Evans|Los Angeles|2564 Kerry Way|90017|CA|US
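The listing above is what "randomly generated to track on UG" pays off as: the numbers are only useful as evidence if they can be matched back to the honeypot that emitted them. The script below is an added example, not the deck's tooling. The four PANs in its registry are the ones shown on the slide; which honeypot each was seeded on, the seeding dates, the sample listing (with one PAN re-spaced and re-named by the "seller", one unrelated test number and one junk line) and the function names are constructed assumptions. Reports carry only masked PANs.

```python
"""Match a card listing back to the honeytokens it came from.

Added example, not the deck's own tooling.  The registry PANs are the four on
the "Any Bites?" slide; honeypot labels, dates and the sample listing are
constructed assumptions.
"""
import re
from collections import defaultdict

# Honeytoken registry: PAN -> where and when it was planted (labels assumed).
SEEDED = {
    "5103997799204658": {"honeypot": "pos-aloha", "seeded": "2015-03-02"},
    "5529876429582855": {"honeypot": "pos-aloha", "seeded": "2015-03-02"},
    "5111387990819704": {"honeypot": "batch-processor", "seeded": "2015-04-11"},
    "5446387373227851": {"honeypot": "batch-processor", "seeded": "2015-04-11"},
}

# Field order of the pipe-delimited layout seen on the slide.
FIELDS = ("pan", "exp", "cvv", "name", "city", "street", "zip", "state", "country")

# Constructed listing: two seeded cards (one re-spaced and re-named by the
# seller), one unrelated test number and one line that is not a record at all.
SAMPLE_LISTING = [
    "5103997799204658|0519|0175|Charles Blue|Cupertino|5953 Countess Dr|95129|CA|US",
    "5111 3879 9081 9704|0521|585|L. Griffin|Waco|3160 Hill Haven Drive|76706|TX|US",
    "4000000000000002|1219|123|Jane Roe|Austin|1 Main St|73301|TX|US",
    "not a card record",
]


def mask_pan(pan: str) -> str:
    """First six and last four digits only, so reports never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_listing_line(line: str):
    """Split one pipe-delimited record; None if the shape or the PAN is wrong."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["pan"] = re.sub(r"[\s-]", "", rec["pan"])  # sellers often space or dash the PAN
    if not (rec["pan"].isdigit() and 13 <= len(rec["pan"]) <= 19):
        return None
    return rec


def match_listing(lines, registry=SEEDED) -> dict:
    """Attribute each record to the honeypot its PAN was seeded on."""
    hits = defaultdict(list)
    unmatched, malformed = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_listing_line(line)
        if rec is None:
            malformed.append(n)
            continue
        seed = registry.get(rec["pan"])
        if seed is None:
            unmatched.append(mask_pan(rec["pan"]))
            continue
        hits[seed["honeypot"]].append({
            "line": n,
            "pan": mask_pan(rec["pan"]),
            "seeded": seed["seeded"],
            "listed_name": rec["name"],  # a changed name still matches on the PAN
        })
    return {"hits": dict(hits), "unmatched": unmatched, "malformed": malformed}


if __name__ == "__main__":
    report = match_listing(SAMPLE_LISTING)
    for honeypot, records in report["hits"].items():
        for r in records:
            print(f"{honeypot}: {r['pan']} seeded {r['seeded']} "
                  f"listed as {r['listed_name']} (line {r['line']})")
    print("unmatched:", report["unmatched"], "malformed lines:", report["malformed"])
```

Matching on the normalised PAN rather than the name is deliberate: a seller who rewrites the cardholder details still leaks which honeypot, and therefore which execution location, the dump came from.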
Possible Scenarios Regarding Seller
• May be running POS malware and selling harvested numbers
• May be purchasing fullz from malware administrator/author
• May be trading for fullz from malware administrator/author
Execution on Batch Processor System
Batch Processor Configuration
• Merchants store an entire day’s authorized sales in a batch. At the end of the day, they send the batch via PSPs to acquirers in order to receive payment.
• Can be done remotely or locally on POS system
• For case of exercise, used a different POS system
  – Portuguese language setting
Possible Scenarios Regarding Seller
• Malware Author/Seller are likely not the same
  – Malware appears tied to FighterPOS
  – Seller appears to be unrelated, other than Brazilian connection
• Could be working together?
• Could have traded credit card numbers on UG
Hanging Off the Internet
• Unfortunately, there wasn’t much directly related to POS exploitation
  – Three logins with default Aloha username/password
• No PoS specific malware utilized
• Appears to be mostly skids
• Rest of the data was all garbage automated scans
So Who Cares?
• Most criminals don’t pre-test before sale
• They may or may not be directly responsible for the sale and POS malware
• Correlation between POS actors and the sale of CC numbers
• Gather “intel” about actors/authors