PoS Malware and Other Threats to the Retail Industry WEBINAR 10.2.2014 PATRICK BELCHER DIRECTOR OF SECURITY ANALYTICS INVINCEA, INC.


DESCRIPTION

This presentation covers:

• Why today’s Retail POS systems are at risk
• How, using relatively simple techniques, cyber criminals get onto retailer networks and POS machines
• How POS malware works in capturing credit card data
• How antiquated security architectures and technology put retailers and customers at risk
• How good security architecture and advanced threat protection tools can defeat these attacks before data is breached
• How to recognize outdated, vulnerable POS endpoints that might expose you to credit card fraud

TRANSCRIPT

Page 1: PoS Malware and Other Threats to the Retail Industry

WEBINAR 10.2.2014

PATRICK BELCHER, DIRECTOR OF SECURITY ANALYTICS

INVINCEA, INC.

Page 2: Patrick Belcher, CISSP, CISM

• Analysis Team manager at Riptech, absorbed by Symantec in 2004.
• Helped stand up the US-CERT for the DHS
• Lead Cyber Security Analyst for FDIC
• RSA/NetWitness
• Cyber analysis for numerous Federal agencies, including the State Department and Department of Defense
• Performed incident response and analysis for several Fortune 50 companies.
• Invincea: Director of Security and Malware Analytics

Page 3: Agenda

Thanks for Attending this Webinar! Today we will discuss:

• Why today’s Retail POS systems are at risk
• How, using relatively simple techniques, cyber criminals get onto retailer networks and POS machines
• How POS malware works in capturing credit card data
• How antiquated security architectures and technology put retailers and customers at risk
• How good security architecture and advanced threat protection tools can defeat these attacks before data is breached
• How to recognize outdated, vulnerable POS endpoints that might expose you to credit card fraud

Page 4: Brief History of the Cash Register

The Cash Register was invented by a saloon operator and had mechanical features to track sales and keep track of totals. The National Cash Register company eventually became NCR, a global leader in financial endpoint transactions.

Page 5: What is a Point of Sale System?

Modern cash registers are fully functional Windows operating systems that have all the same vulnerabilities and risks as standard corporate desktop machines.

Page 6: What is a Point of Sale System?

• POS systems run on a complex network of computers including desktop machines that are vulnerable to exploitation.

• A single click on a corporate machine can compromise the network including POS machines.

Page 7: POS Malware in the News

Big breaches in the news:

• Target
• Neiman Marcus
• Home Depot
• Jimmy John’s
• SuperValu
• Lots More to Come!!

Brian Krebs broke the story that Home Depot was compromised. Breach detection by a 3rd party is the norm.

The scope of the credit card data breach is likely to exceed Target’s.

The Department of Homeland Security’s US-CERT sent out an alert on July 31st that over 1,000 retail firms have been breached by BackOff alone.

Page 8: BackOff POS Malware

• BackOff is not a particularly sophisticated Windows Trojan.

• It is a recycled Trojan adapted to run on Windows-based POS systems and capture credit card data from memory.

• This memory scraping happens between reading the card and the encryption and transmission of payment data to the processor.

• The BackOff variants being detected were already known to Anti-Virus vendors. The unknown variants are still to be discovered.

Page 9: BackOff POS Known since Oct 2013

• US-CERT provided hashes for several known variants of BackOff for retailers to scan their networks.

• VirusTotal reports that this file was first submitted to its service back in October of 2013.

• This specific variant also has very good detection among the top AV vendors.

• HOWEVER, EVEN AN UPDATED AV WON’T PROTECT YOU FROM UNKNOWN VARIANTS OF BACKOFF AND RELATED POS MALWARE
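As an added illustration of the hash-based sweep this slide describes (it is not code from the webinar or from Invincea), the Python below hashes every file under a directory and compares the digests with a set of indicators. The page does not reproduce the US-CERT hashes, so the indicator set holds an obviously fake placeholder plus the digest of a constructed sample; the directory layout it scans is constructed as well.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder indicator set. The real SHA-256 values are in the US-CERT alert
# (TA14-212A), not on this page, so an all-zero digest stands in for them here.
KNOWN_BAD_SHA256 = {
    "0" * 64: "PLACEHOLDER-backoff-variant",
}


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs):
    """Walk a directory tree and return (path, label, digest) for every file
    whose SHA-256 appears in the indicator dictionary."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(full)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in iocs:
                hits.append((full, iocs[digest], digest))
    return hits


def demo():
    """Build a throwaway tree holding one benign file and one constructed
    'known bad' sample, scan it, and return the matches as (basename, label)."""
    sample = b"constructed sample bytes, not real malware"
    iocs = dict(KNOWN_BAD_SHA256)
    iocs[hashlib.sha256(sample).hexdigest()] = "constructed-test-sample"
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "benign.txt").write_bytes(b"hello")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "update.exe").write_bytes(sample)
        hits = scan_tree(tmp, iocs)
    return [(os.path.basename(p), label) for p, label, _ in hits]


if __name__ == "__main__":
    print(demo())
```

The caveat the slide itself makes applies to this script: a hash list only finds the variants somebody has already catalogued, so a sweep like this complements behavioural detection on the endpoint rather than replacing it.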

Page 10: VirusTotal Report on BackOff

High Detection by AV Industry

Page 11: Note that BackOff Reported Oct 2013

Software Compiled on Oct 7, 2013

Page 12: How POS Malware Steals Data

VirusTotal First Saw it Within 9 days!

Page 13: Invincea Analysis of BackOff

• The file is only 88 KB in size.

• We analyzed BackOff with Invincea to understand how it behaves on an infected system.

• The malware self-deletes the infector binary and then installs itself as a running service that initializes at startup, so it survives a reboot.

• The Trojan is memory-resident and listens on port 80 for command and control.

• It also hides information about itself by posing as an Adobe Flash Player update in the system registry.

• For once, malware doesn’t take advantage of a Flash vulnerability, but it tries to pin the blame on it anyway.

Page 14: Invincea Record of BackOff POS

This version pretends to be Adobe Flash.

Page 15: Latest Variant Record of BackOff POS

Even the most recent variant, called “LAST” in the US-CERT advisory, was first seen in VirusTotal on August 10. This variant, only 77 KB in size, enjoys even greater AV detection than the original sample above.

FreeSpace sees the activity of an infection like this:

This version pretends to be Java.

Page 16: How POS Malware Hides from Host-Based Detection

• By disguising itself on the local system as a Flash Player or Java process, this malware is designed to defeat cursory detection by local administrators, forensics specialists and some registry scanning utilities.

• Once installed, this malware allows other processes to scrape the active memory for specific routines.

• This malware could be used for other memory scraping purposes, including password stealing.
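The disguise described on Page 13 and Page 16 (a service or autorun entry that presents itself as an Adobe Flash Player update or a Java process) is something a defender can check for mechanically. The following Python is an added example, not Invincea’s tooling: it takes an inventory of services and Run-key entries (a constructed list here; on a real host you would export it with sc query, the registry, or an autoruns tool) and flags entries whose vendor-sounding name does not match where that vendor’s binaries normally live, or whose image sits in a user-writable directory. The vendor directory prefixes, the sample entry names and the sample paths are all assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Autorun:
    source: str        # where the entry was read from: "service" or "run-key"
    name: str          # service name or Run-key value name
    display_name: str  # what an administrator sees in the services list
    image_path: str    # command line as stored, possibly quoted and with arguments


# Vendor names the slides say BackOff impersonates, paired with the directory
# prefixes a genuine install would normally live under (assumption: adjust per build).
VENDOR_RULES = [
    (re.compile(r"adobe|flash", re.I),
     ("c:\\program files\\adobe", "c:\\program files (x86)\\adobe",
      "c:\\windows\\system32\\macromed", "c:\\windows\\syswow64\\macromed")),
    (re.compile(r"\bjava\b|oracle", re.I),
     ("c:\\program files\\java", "c:\\program files (x86)\\java")),
]

# Locations an unprivileged user can write to; a "vendor update" running from
# here deserves a second look regardless of its name.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def image_file(image_path):
    """Reduce a stored command line to its lower-cased executable path:
    drop surrounding quotes and anything after the first '.exe'."""
    p = image_path.strip().strip('"').lower().replace("/", "\\")
    i = p.find(".exe")
    return p[: i + 4] if i != -1 else p.split(" ", 1)[0]


def findings(entries):
    """Return (entry name, reason, executable path) for every suspicious entry."""
    out = []
    for e in entries:
        path = image_file(e.image_path)
        label = f"{e.name} / {e.display_name}"
        for vendor_re, expected_prefixes in VENDOR_RULES:
            if vendor_re.search(label) and not any(path.startswith(pfx) for pfx in expected_prefixes):
                out.append((e.name, "vendor-name-mismatch", path))
                break
        if any(marker in path for marker in USER_WRITABLE):
            out.append((e.name, "user-writable-location", path))
    return out


# Constructed inventory: one genuine-looking Flash updater, two impostors, one
# ordinary Windows service. None of these paths are real indicators.
SAMPLE = [
    Autorun("service", "AdobeFlashUpdater", "Adobe Flash Player Update Service",
            r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe"),
    Autorun("run-key", "AdobeFlashPlayer", "Adobe Flash Player",
            r"C:\Users\pos01\AppData\Roaming\AdobeFlashPlayer\update.exe"),
    Autorun("run-key", "Java Update", "Java(TM) Platform SE binary",
            r"C:\Users\pos01\AppData\Local\Temp\javaw.exe -silent"),
    Autorun("service", "Spooler", "Print Spooler",
            r"C:\Windows\System32\spoolsv.exe"),
]


if __name__ == "__main__":
    for name, reason, path in findings(SAMPLE):
        print(f"{reason:24} {name:20} {path}")
```

The two rules are deliberately independent: the path check catches a disguise the name rule does not know about, and the name rule catches an impostor that picked a more respectable-looking directory. On a fleet of registers, running the same inventory against a known-good baseline image is the cheaper way to spot the entry that should not be there at all.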

Page 17: POS Malware is an End Point Problem

1. Corporate system gets compromised (spearphish, remote access)
2. Beachhead system used to scan network
3. POS systems identified
4. POS systems compromised
5. Credit card data scraped from memory (defeats encryption of data at rest)
6. Captured data is archived, then exfiltrated out of the network

The weak link is vulnerable corporate systems and targeted users.

Page 18: Securing Retail Networks

Good security design can prevent infections in the first place:

• Isolate POS machines from corporate machines on different network segments
• Lock down port services on POS machines
• Minimize remote access; enforce two-factor authentication
• Establish guest networks for contractors/vendors
• Protect users from targeted attacks (spearphishes, malvertising, web-based drive-bys)
• Monitor for anomalous network behavior: peer-to-peer connections, outbound connections from POS/server machines
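The monitoring bullet above (peer-to-peer connections and outbound connections from POS machines), together with the network-scanning step of the kill chain on Page 17, can be written down as a few rules over flow records. This Python is an added example, not part of the presentation; the segment ranges, the allowed payment-gateway address, the sweep threshold and the flow lines are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

POS_SEGMENT = ip_network("10.50.0.0/16")    # constructed: register VLAN
CORP_SEGMENT = ip_network("10.10.0.0/16")   # constructed: back-office VLAN
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_POS_DST = {ip_address("10.50.255.10")}  # constructed: payment gateway inside the POS VLAN
SCAN_THRESHOLD = 5  # distinct POS hosts one corporate source may touch before we call it a sweep

# Constructed flow export: "timestamp src dst dport proto bytes".
FLOWS = """\
2014-10-02T10:00:01 10.50.3.21 10.50.255.10 443 tcp 2100
2014-10-02T10:00:05 10.50.3.21 10.50.3.22 445 tcp 900
2014-10-02T10:00:09 10.50.3.22 198.51.100.7 80 tcp 51200
2014-10-02T10:01:00 10.10.7.4 10.50.3.21 3389 tcp 300
2014-10-02T10:01:01 10.10.7.4 10.50.3.22 3389 tcp 300
2014-10-02T10:01:02 10.10.7.4 10.50.3.23 3389 tcp 300
2014-10-02T10:01:03 10.10.7.4 10.50.3.24 3389 tcp 300
2014-10-02T10:01:04 10.10.7.4 10.50.3.25 3389 tcp 300
2014-10-02T10:02:00 10.10.7.9 10.50.255.10 443 tcp 1200
"""


def parse_flows(text):
    """Turn the whitespace-separated export into dictionaries with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        records.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                        "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return records


def is_internal(addr):
    """Explicit RFC 1918 test; ipaddress.is_private also counts documentation ranges."""
    return any(addr in net for net in INTERNAL)


def analyze(records):
    """Apply three rules and return (rule, source, detail, timestamp) alerts:
    register-to-register traffic, register-to-Internet traffic, and one
    corporate host reaching many registers (the beachhead scanning step)."""
    alerts = []
    pos_targets = defaultdict(set)
    for r in records:
        src, dst = r["src"], r["dst"]
        src_pos, dst_pos = src in POS_SEGMENT, dst in POS_SEGMENT
        if src_pos and dst_pos and dst not in ALLOWED_POS_DST:
            alerts.append(("pos-peer-to-peer", str(src), str(dst), r["ts"]))
        if src_pos and not is_internal(dst):
            alerts.append(("pos-outbound-internet", str(src), str(dst), r["ts"]))
        if src in CORP_SEGMENT and dst_pos:
            pos_targets[src].add(dst)
    for src, targets in pos_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("corp-to-pos-sweep", str(src), f"{len(targets)} registers", ""))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_flows(FLOWS)):
        print(alert)
```

The rules are only as good as the segmentation they assume: if registers and back-office desktops share one flat network, there is no POS_SEGMENT to key on, which is the architectural point the first bullet of this slide makes.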

Page 19: Advanced Threat Protection

• 95% of all corporate network intrusions begin with a spear-phish or web-based drive-by attack

• Protect the network from users’ online actions

• Invincea runs vulnerable applications (email, web browsing, documents) in secure virtual containers

• A user’s single click that used to compromise networks now provides threat intelligence for security teams

Page 20: Who are the next Victims?

Size matters:

• Take down large franchises first for maximum profitability
• Exploit lack of security architectures and advanced threat protection

As the biggest guys get taken down, attackers will go downstream to smaller retailers. This includes:

• Foodservice chains (Dairy Queen, Jimmy John’s)
• Hotel Chains (Bartell)
• Grocery Chains (SuperValu)
• Gas Stations
• Small Banks
• Smaller Retail Outlets
• Local Restaurants

Page 21: Enterprises: Get Protected with Invincea!

Each detection shown in this presentation is available for online viewing in the Invincea Research Edition Portal.

Sign up for the Research Edition and get a free licensed copy of Invincea FreeSpace Research Edition. Click without fear.

Invincea Research Edition: www.invincea.com/research-edition

Webinar Recording + Slide deck: www.invincea.com/pos-malware-and-retailer-breaches

Demo Request: http://www.invincea.com/get-protected/enterprise-request-form

Page 22: Special Thanks and Resources

Special thanks to NCR, which published great technical specifications for public consumption.
http://www.counterpointpos.com/features/payment-security/
http://www.counterpointpos.com/wp-content/uploads/2014/09/NCR-Secure-Pay-White-Paper.pdf

Invincea Blog: http://www.invincea.com/2014/09/analysis-of-backoff-pos-malware-gripping-the-retail-sector-reveals-lack-of-sophistication-in-malware/

US-CERT: https://www.us-cert.gov/ncas/alerts/TA14-212A

Brian Krebs: http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/

Page 23: Q&A Session

Invincea Research Edition: www.invincea.com/research-edition

Webinar Recording + Slide deck: www.invincea.com/pos-malware-and-retailer-breaches

Demo Request: http://www.invincea.com/get-protected/enterprise-request-form

Page 24: Thank you!

Invincea @Invincea Patrick Belcher @BelchSpeak