
Page 1: The Latest Research on PoS Malware - RSA Conference · 2019-07-26 · • Earliest evidence – Visa Data Security Alert issued on Oct 2nd, 2008 • Attempting to install debugging

Numaan Huq Trend Micro

The Latest Research on PoS Malware

#RSAC @RSAConference


© 2014 EMC Corporation. All rights reserved. 2

Who am I?

•  Senior Threat Researcher

•  Trend Micro’s Forward-Looking Threat Research Team

•  I have been passionately researching PoS RAM Scrapers since early 2011


Agenda

•  Introduction

•  PoS RAM Scrapers

•  Infect, Scrape, & Exfiltrate

•  The Carding Underground

•  Defending against PoS RAM Scrapers

•  New Credit Card Technologies


Introduction


What is Credit Card crime?

•  The goal is to steal the data stored in the magnetic stripe of the credit card – Tracks 1 & 2 data

•  Clone the card and run charges

•  Criminals typically stole/steal the card data by physically skimming the cards: rubs, rigged ATMs & gas pumps, modified PoS terminals, etc.


What is PoS RAM Scraping?

•  Software solution for stealing credit card data

•  After the merchant swipes the card, the data on the card temporarily resides in plain text in the PoS software’s process memory – not a vulnerability, but by design

•  PoS RAM scrapers retrieve a list of running processes, read and inspect each process’s memory, and search it for card data


A Brief History

•  Earliest evidence – Visa Data Security Alert issued on Oct 2nd, 2008

•  Attempting to install debugging tools on PoS systems

•  Verizon – 2009 Data Breach Investigations Report also introduced this “new” malware in early 2009 together with victim profiles

•  By 2009, weaponized and targeting the Retail & Hospitality industries


Why do we care?

•  Everyday retailers we all visit are getting targeted

•  Cybercriminals are stealing our credit card data and committing fraud

•  Recently in the news:


Infection Statistics

Collected using Trend Micro’s Smart Protection Network, April-June 2014


PoS RAM Scrapers


Family Tree



Evolution

•  Multi-component

•  Single binary

•  Networking functionality

•  Bot functionality

•  Kill switch

•  Encryption

•  Development Kits

•  Multi-exfiltration techniques


Major Families

•  Rdasrv – one of the earliest PoS RAM Scrapers – late 2011

–  Targets food services & hospitality industries – scans for process names of PoS software

•  BlackPOS – one of the most infamous PoS RAM Scrapers

–  Developed by a Russian teenager. Source leaked late-2012 or early-2013 – many variants exist which use the same codebase


•  Alina – introduced many of the functionalities widely copied/replicated by later PoS RAM Scraper families

–  Source code regularly updated – latest known version 6.x

•  Dexter – first PoS RAM Scraper to also install a keylogger

–  Supports a full suite of Bot commands


•  VSkimmer


•  Chewbacca – uses the TOR network to exfiltrate data – installs a TOR proxy application

–  In addition to scraping RAM, is also a keylogger

•  JackPOS – Alina-inspired PoS RAM Scraper – Java-themed social engineering

–  Drops a watchdog process which ensures JackPOS is always running


•  Decebal – coded in VBScript and then compiled into an executable

–  Audits the victim system for debugging tools and AV

•  Soraya – borrows tricks from ZeuS

–  Like ZeuS, hooks the NtResumeThread API for process injection – hooks browser functions used for sending HTTP POST requests


•  BrutPOS – attacks systems with open RDP ports and attempts to brute-force weak user:password combinations

–  Targets a known list of PoS software

•  Backoff – Alina-inspired PoS RAM Scraper – has infected over 1,000 retailers in recent months

–  Keylogs on the victim and installs a watchdog process


•  BlackPOS ver2 – aka FrameworkPOS – compromised Home Depot according to “Krebs on Security”

–  Is a clone of the BlackPOS variant that compromised Target – uses the same multi-stage exfiltration process

–  Pretends to be a component of AV to avoid drawing attention


Infect, Scrape, & Exfiltrate


Infection Methods

•  Inside Job

•  Phishing & Social Engineering

•  Vulnerability Exploitation

•  PCI-DSS Non-Compliance

•  Cyber Attacks


Memory Scraping Techniques

•  Two major methods for iterating processes

–  Use the CreateToolhelp32Snapshot API to list and iterate processes

–  Use the EnumProcesses API to list and iterate processes

•  Use either a regular-expression match or a custom search routine to find card data

•  Blacklists


Data Exfiltration Techniques



Common Characteristics

•  Collects and exfiltrates system information

•  Uses social engineering to avoid drawing attention

•  Bot functionality – talks to a C&C server

•  Single binary as opposed to multiple components


•  Uses the CreateToolhelp32Snapshot API to iterate over processes

•  Uses a blacklist to avoid scanning certain processes

•  Uses either a custom search function or regular-expression match to find the card data in RAM

•  Encrypts/encodes the exfiltrated data

•  Uses HTTP POST requests to exfiltrate data


The Carding Underground


Underground Lingo

•  Hackers infiltrate businesses and steal card data

•  They sell the stolen card data in batches called dumps to carders in carding forums

•  Carders are the consumers of stolen card data which they then monetize

•  Carding forums sell both skimmed and scraped card data


Carding Forums


Cards for sale


Monetizing stolen cards

•  First validate the purchased stolen credit card data before attempting to monetize

•  Use in ATMs, vending machines, and gas pumps

•  Use for “card-not-present” transactions e.g. online purchases

•  Use for in-store/in-person purchases


Defending against PoS RAM Scrapers


Discovery Statistics

•  According to Verizon’s Data Breach Investigations Report 2014, in 99% of cases involving PoS intrusions an external party detected the signs of a breach and informed the victim

•  In 98% of cases the PoS breach was detected within weeks or months

•  In 87% of cases the cybercriminals took only seconds or minutes to successfully breach the victim’s PoS network


Discovery

•  This is the most difficult and crucial task – especially in a large organization

•  Monitor for system component changes

•  Monitor for unusual traffic activity on named and non-standard ports

•  Monitor for new or misconfigured network shares

•  Monitor AV, DLP, BDS logs for unusual activities
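The traffic-monitoring bullet is the one that catches the HTTP POST exfiltration described under Common Characteristics. The following is an added example (not code from the talk or from Trend Micro) of what that monitoring looks like as a rule over firewall flow logs. It assumes a constructed log format, a PoS segment of 10.20.0.0/16, and exactly two sanctioned egress destinations (a payment gateway at 203.0.113.10:443 and a patch server at 10.0.5.5:8530); every name, address and sample line is an assumption made up for the demo.

```python
"""Egress-anomaly detector for a PoS network segment over constructed
firewall log lines.

Added example, not from the talk. Assumptions: PoS terminals sit in
10.20.0.0/16, the only sanctioned egress is the payment gateway at
203.0.113.10:443 and the internal patch server at 10.0.5.5:8530, and the
firewall logs one line per flow in the constructed format parsed below.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")            # assumption
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EGRESS = {("203.0.113.10", 443), ("10.0.5.5", 8530)}   # assumption
STANDARD_PORTS = {53, 80, 123, 443}

# Constructed format: "<ts> fw src=<ip> dst=<ip> dport=<port> [method=<verb>] [bytes=<n>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
    r"(?: method=(?P<method>[A-Z]+))?(?: bytes=(?P<bytes>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a flow a PoS host should not be making, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None            # unparseable line: ignored here, counted in production
    ts, src, dst = m["ts"], m["src"], m["dst"]
    dport, method = int(m["dport"]), m["method"]
    if ipaddress.ip_address(src) not in POS_SEGMENT:
        return None            # only PoS-segment egress is in scope
    if (dst, dport) in ALLOWED_EGRESS:
        return None            # sanctioned gateway / patch traffic
    if not is_internal(dst):
        reason = "PoS host reaching the Internet outside the payment gateway"
    elif dport not in STANDARD_PORTS:
        reason = f"PoS host talking to an internal host on non-standard port {dport}"
    elif method == "POST":
        reason = "HTTP POST from PoS host to a non-sanctioned internal destination"
    else:
        return None
    return Alert(ts, src, dst, dport, reason)


def scan(log_text: str) -> List[Alert]:
    return [a for a in (classify(ln) for ln in log_text.splitlines()) if a]


# Constructed sample: six flows, three of which a PoS terminal has no business making.
SAMPLE_LOG = """\
2014-09-15T02:14:03Z fw src=10.20.3.41 dst=203.0.113.10 dport=443 method=POST bytes=2048
2014-09-15T02:15:11Z fw src=10.20.3.41 dst=198.51.100.77 dport=443 method=POST bytes=65536
2014-09-15T02:16:40Z fw src=10.20.3.42 dst=10.0.9.9 dport=7777 bytes=120
2014-09-15T02:17:05Z fw src=10.20.3.42 dst=10.0.5.5 dport=8530 bytes=900
2014-09-15T02:18:22Z fw src=10.0.7.3 dst=198.51.100.77 dport=443 method=POST bytes=10
2014-09-15T02:19:00Z fw src=10.20.3.43 dst=10.0.9.9 dport=80 method=POST bytes=30000
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src} -> {alert.dst}:{alert.dport}  {alert.reason}")
```

The internal-network list is explicit rather than relying on `ipaddress.is_private`, because the documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the sample are classed as non-global by the standard library and would otherwise be treated as internal. The rule only works because the PoS segment has a short, fixed allowlist of destinations; that is the "Restrict communications to only what is required" prevention item expressed as a detection.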


Prevention Strategies - Hardware

•  Multi-tier hardware Firewalls

•  Breach Detection Systems

•  IPS/IDS

•  Two-factor authentication for remote access

•  Point-to-point encryption


Prevention Strategies - Software

•  Multi-tier software Firewalls

•  Change default settings e.g. passwords, keys, configurations

•  Eliminate unnecessary components e.g. accounts, services, protocols

•  Disable remote access if not required

•  Point-to-point encryption

•  Use the latest OS and patch regularly

•  Regularly patch installed software

•  Restrict access to the Internet on PoS systems


•  Use whitelisting to only allow approved applications to run

•  Implement a mechanism to notify when system components change

•  Automatically reimage every 24 hours

•  Restrict communications to only what is required

•  Install AV software and regularly update it

•  Deploy a vulnerability scanner

•  Deploy DLP software to discover, monitor, protect, and manage confidential data
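Two of these items, application whitelisting and change notification, reduce to the same mechanism: a hash baseline of the clean image and a diff against it. The block below is an added example (not code from the talk or from any product it mentions) showing that mechanism end to end. It assumes the PoS install lives under one directory tree, that the baseline is taken right after a reimage, and that the operator's allowlist is simply the set of hashes of executables on that clean image; all file names and contents are constructed for the demo.

```python
"""Baseline-and-diff integrity check for a PoS system image, plus an
executable allowlist check.

Added example, not from the talk. Assumptions: the PoS install lives under
one directory tree, a baseline is taken right after a clean (re)image, and
the approved-executable list is the set of SHA-256 hashes of executables on
that image. File names and contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat", ".vbs"}


def sha256_file(path: Path, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and modified paths between two snapshots."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def unapproved_executables(current: Dict[str, str], approved: Set[str]) -> List[str]:
    """Executables whose hash is not on the allowlist (the whitelisting view)."""
    return sorted(p for p, digest in current.items()
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES and digest not in approved)


def demo() -> dict:
    """Build a constructed PoS tree, baseline it, apply changes, and report both views."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "docs").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"constructed PoS application binary")
        (root / "bin" / "pos.ini").write_text("merchant_id=CONSTRUCTED-0001\n")
        (root / "docs" / "readme.txt").write_text("constructed install notes\n")

        baseline = snapshot(root)
        approved = {digest for p, digest in baseline.items()
                    if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES}

        # Constructed post-baseline changes: a new executable nobody approved,
        # an edited config, and a deleted file.
        (root / "bin" / "updater.exe").write_bytes(b"constructed unexpected binary")
        (root / "bin" / "pos.ini").write_text("merchant_id=CONSTRUCTED-0001\nupload_dir=C:\\temp\n")
        (root / "docs" / "readme.txt").unlink()

        current = snapshot(root)
        return {"changes": diff(baseline, current),
                "unapproved": unapproved_executables(current, approved)}


if __name__ == "__main__":
    report = demo()
    for kind, paths in report["changes"].items():
        print(f"{kind:>8}: {paths}")
    print(f"unapproved executables: {report['unapproved']}")
```

In practice the baseline is written once per reimage and kept off the PoS host (an attacker who can drop a binary can also edit a local baseline file), and the diff runs on a schedule short enough to matter against the "seconds or minutes to breach, weeks to detect" statistics above.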


Prevention Strategies - Policy

•  Enforce policy regarding physical access to PoS systems

•  Enforce strict policy regarding PoS system repairs & upgrades

•  Routinely delete stored cardholder data

•  Enforce policy to restrict Internet access on PoS systems

•  Implement log and audit trails
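"Routinely delete stored cardholder data" and the DLP item on the previous slide both depend on first finding where card data has leaked into logs, traces and exports. Below is an added example (not code from the talk or from any DLP product) of that discovery scan: it matches candidate PANs and Track 2 strings in stored text, confirms PANs with the Luhn check so ordinary 16-digit order numbers are not reported, and prints only a masked form so the scanner's output does not become one more copy of the data. The sample lines use public test card numbers and constructed file names.

```python
"""Stored-cardholder-data discovery over constructed log/receipt lines.

Added example, not from the talk. Sample lines, file names and PANs are
constructed test values; the PANs are the well-known 4111... and 5555...
test numbers, not real cards.
"""
import re
from typing import List, Tuple

# Track 2 (ISO 7813): ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare PAN candidate: 13-19 digits not adjacent to other digits
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracts 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits, the usual permitted display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    findings, covered = [], []
    # Track strings first: they embed the PAN plus an expiry/discretionary run
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("TRACK2", mask(m.group(1))))
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue                      # digits inside an already-reported track string
        if luhn_ok(m.group()):
            findings.append(("PAN", mask(m.group())))
    return findings


def scan(text: str) -> List[Tuple[int, str, str]]:
    """(line number, kind, masked PAN) for every hit in the text."""
    return [(n, kind, masked)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, masked in scan_line(line)]


# Constructed sample: a receipt log that stored the PAN, an order id that is
# 16 digits but fails Luhn, a debug trace that kept a raw swipe, and a clean line.
SAMPLE_STORE = """\
2014-06-01 receipt.log: sale approved pan=4111111111111111 amount=23.99
2014-06-01 orders.csv: order_id=1234567890123456 customer=anon
2014-06-02 debug.trc: raw swipe ;5555555555554444=15121011234567890?
2014-06-02 pos.log: settlement batch 42 ok
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan(SAMPLE_STORE):
        print(f"line {line_no}: {kind} {masked}")
```

The Luhn check is what separates a usable discovery tool from a noise generator on real data, and the masking is deliberate: a scanner that writes full PANs to its own report creates exactly the stored cardholder data the policy says to delete.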


Reality

•  Security best practices will make it very difficult for an attacker to breach the network

•  Most attackers will give up and look for easier victims

•  But a determined attacker will eventually find a path in

•  Unfortunately there is no silver bullet


New Credit Card Technologies


EMV & RFID


Realities of EMV

•  Makes creating counterfeit cards more difficult because of the chip

•  Card data still decrypted in RAM

•  Still very much vulnerable to PoS RAM Scraper attacks

•  “Card-not-present” crimes increase

Source: “Chip and PIN is Broken”


Payments via Mobile

•  Payment Tokenization


Questions?

PoS RAM Scraper Malware – Past, Present, and Future whitepaper available at URL:

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf