What is PoS malware and why does it cost millions

PoS malware is a long-standing problem that caught the public’s attention only recently. It arrived with a loud bang: the repercussions of Target’s drastic data breach are still being felt.

Less than a month ago security vendors reported on yet another piece of point-of-sale malware, dubbed Backoff. While the malware itself is enough of a threat to have provoked a US-CERT alert (i.e. it is very serious), PoS malware in general is a larger and long-standing problem that should not be viewed as just a handful of isolated incidents.

Until last year’s immense breaches at the Target and Neiman Marcus retail chains, the problem of PoS malware was not outright overlooked, but it definitely stayed outside public attention, even though PoS malware has plagued various businesses since at least 2008. Now infecting point-of-sale terminals has “gone industrial”: cybercriminals sought an attack point closest to other people’s money, and found one.

So what are we dealing with? What is PoS malware? In most cases, probably in all of them, the main function of such malware is “RAM scraping”: parsing the memory of a point-of-sale terminal to find and steal data in the format of a card number, etc., before it is encrypted, whether on the device or on a server. Unfortunately there is a window of opportunity for such pilfering. According to Brian Donohue, who covered the PoS malware topic extensively earlier this year, by the time the card data makes it to the payment servers it has already been encrypted, yet there is a brief period during which that information must be held decrypted, in plain text, for payment authorization (in systems that lack point-to-point encryption). At that moment the cash register itself, or a nearby server depending on the system, holds the plain-text payment data in its random access memory (RAM). This is where PoS malware such as BlackPOS, Backoff and others come in.

RAM scrapers are generally injected into running processes and can intercept sensitive data from memory in an instant. There are technical complications, of course: for instance, unfiltered data “scraped” from a PoS terminal’s RAM, that is, full memory dumps, amounts to gigabytes, and moving it out “without a fuss” (i.e. without the “red flag” traffic anomalies that are supposed to alert system administrators) is hardly feasible. The less data is exfiltrated, the lower the risk that the malware is detected and removed. So the malware is tasked with filtering out exactly what criminals are most interested in: Track 1 and Track 2 data, as recorded on the card’s magnetic stripe. Track 1 data is information associated with the actual account; it includes items such as the cardholder’s name as well as the account number. Track 2 data contains information such as the card number and expiration date.
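As an added example, not code from the original article: a defender-side scanner of the kind used in forensics or DLP to check whether plain-text Track 1/Track 2 records are present in a captured buffer, such as a process memory dump taken during incident response, which is a direct way to confirm that a terminal is exposed to the scraping described above. It assumes the ISO 7813 track layouts (the article names the tracks but not their format); the sample dump and the 4111111111111111 test number are constructed, and findings are reported with the PAN masked.

```python
import re
from dataclasses import dataclass

# ISO 7813 layouts, assumed here (the article names the tracks, not their format).
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")  # ;PAN=YYMMsvc...?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")  # %BPAN^NAME^YYMMsvc...?

def luhn_ok(pan: str) -> bool:
    # Luhn mod-10 check: cuts false positives from random digit runs in a dump.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    # Keep only BIN and last four so the report itself is not a new leak.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Finding:
    track: int       # 1 or 2
    offset: int      # byte offset in the scanned buffer
    masked_pan: str
    expiry: str      # YYMM as recorded on the stripe

def scan_buffer(buf: bytes) -> list[Finding]:
    # Return every Luhn-valid track record in buf, ordered by offset.
    found = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append(Finding(2, m.start(), mask(pan), m.group(2).decode()))
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append(Finding(1, m.start(), mask(pan), m.group(3).decode()))
    return sorted(found, key=lambda f: f.offset)

# Constructed sample "memory dump": one swipe in both track formats (4111111111111111
# is a Luhn-valid test number, not a real card) plus a decoy that fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00MSR_READ\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=25121010000000000?"
    b"\x00junk;4111111111111112=2512101?\x00"
)
```

A hit in a dump taken from a terminal that is supposed to be covered by point-to-point encryption means the encryption boundary is not where it was thought to be.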

This data is enough to do some remote shopping, unless the card requires extra authorization from its holder, such as PIN entry, for every purchase. Newer “Chip and PIN” cards are more resistant to abuse via PoS malware, but they are not invulnerable.

Brian Donohue points out that the colossal Target breach could only have happened if the attackers had entrenched themselves on a particular server within Target’s payment-processing infrastructure.

“In the case of Target, it’s likely that the attackers moved their PoS malware from a centrally located and connected server or machine to the point-of-sale terminals or servers on which the authorization process takes place. Otherwise they would have had to install their RAM scraper on every single PoS terminal at every single Target location, which, to say the least, is highly unlikely,” Donohue wrote.

Even so, PoS terminals are among the most vulnerable spots in retailers’ infrastructure, for a number of technical reasons. First of all, a PoS device is nothing special, hardware- or software-wise. While equipped with a cash register and a card reader, it is essentially the same PC, especially the all-in-one systems used by larger retailers. And they run (almost) general-purpose operating systems, such as Windows Embedded or Unix.

The 2009 edition of Windows Embedded is actually the very same Windows XP adapted for use in PoS terminals and similar systems. For instance, the Windows Embedded for Point of Service operating system released in 2006 is based on Windows Embedded. Later, in 2009, Microsoft released Windows Embedded POSReady, which is also an updated/altered version of Windows XP. In 2011 and 2013 Windows Embedded POSReady 7 and 8 were released, based on Windows 7 and Windows 8 respectively. But, as one can easily imagine, adoption is not lightning fast, and many retailers are likely to still use older devices with older software installed, with all the vulnerabilities of Windows XP and other such systems, and all their susceptibility to malware, of which there is plenty, to say the least.

Besides, while Microsoft has already dropped support for Windows XP, support for Windows Embedded POSReady 2009 is going to last until 2016. That means these devices are likely to remain in use for a long time yet.

And one more thing: since PoS devices are actually ordinary computers, they can also be used (and sometimes are, especially in small businesses) for “general purposes”, including browsing the Web and email. Which means that criminals can sometimes attack these devices directly.

Current security standards recommend, but do not require, that the cardholder data environment (CDE) be isolated from other networks, including the public Web. But since PoS systems require maintenance, must support services such as network time protocol servers, and must also allow business and other data to be exported to other systems, complete isolation is impractical or even impossible. In mature retail environments PoS systems are at least segmented from the public Internet, but there are still pathways to and from the general corporate network, which can be and are exploited by criminals, who then collect troves of payment card data that are later sold on the black market.

For the affected businesses it always means huge losses, regardless of the actual financial damage to the card holders (i.e. whether people actually lost money or not): multimillion spending on all kinds of damage control, assistance to the victims whose data was leaked, legal counsel, compensation as a result of possible class-action suits from clients, technical measures, etc. For Target Corp, last year’s gargantuan breach meant huge financial and reputational losses; besides, its Chief Information Officer had to resign in March, and in May Target announced that its CEO had also stepped down.

This will not make the entire corporation go down. But for smaller businesses incidents like this may prove fatal. And at the same time it is smaller businesses that are becoming the next target of choice for PoS-malware-wielding criminals. Why? Because larger retailers learn their lessons, even if the hard way, and raise their security levels. They have the resources for this.

For smaller businesses, replacing the OS on their PoS devices and rearranging their IT infrastructure so that infiltrating payment processing becomes a discouraging chore for criminals may be problematic, and business owners often prefer to cross their fingers and take the risk instead of spending resources on protecting themselves. However, the outcome of such a decision may be drastic.

Hackers are well aware that smaller businesses’ security is usually weaker, while people visit smaller shops and pay with the same cards. The troves of payment card data may be smaller, but easier to access, so as soon as larger entities improve their defenses, criminals will switch their attention to smaller targets.

Protective measures that can be recommended:

  • Firewalls for network segmentation, so that PoS systems are isolated from other networks as much as possible;
  • Point-to-point encryption, if possible;
  • Security software with advanced monitoring, vulnerability management and application control capabilities, as well as anti-fraud functions;
  • Restricting the number of people authorized to access the CDE, and using two-factor authentication at all entry points.

And of course, the entire infrastructure should be protected to minimize the risk of intrusion, and personnel should be trained regularly so that phishing and other cybercriminal tricks do not succeed.