POS compromise remains alarmingly prevalent among hotel businesses, restaurants and retailers today. Although security breaches involving point-of-sale terminals received a great deal of mainstream media attention back in 2013 and 2014, attackers continue to target hotels and restaurants with malware-based attacks on POS systems in 2018, still seeking to extract valuable credit card data.
Recent industry reports show that these attacks are successful far too often. According to the 2018 Verizon Data Breach Investigations Report, for instance, 90% of the breaches that have affected hospitality businesses in the past year have involved POS intrusions, and hotels are 100% more likely than the average business to be targeted at payment terminals or POS controllers. And although researchers at Trustwave saw a significant decrease in the total number of incidents affecting POS systems globally, the number of hospitality businesses affected remained high. This trend was primarily due to a shift from large numbers of smaller breaches to fewer high-volume breaches, each affecting more businesses. Attackers are increasingly targeting IT service providers, home and head offices, and hardware platforms—giving them access to data from multiple franchises or organizations with a single successful breach.
PoSeidon Malware: An Ongoing Threat to Point-of-Sale Systems
In March of 2015, experts in Cisco’s Talos Security Intelligence and Research Group gave the name “PoSeidon” to the latest strain of malicious software programs they’d discovered. This family of malware was designed to steal credit card data directly from PoS terminals and exfiltrate it to servers located primarily in Russia for harvesting and resale.
PoSeidon is what’s known as a memory scraper: because all PCI-compliant POS systems must ensure that Secure Sockets Layer (SSL) encryption is used to encode payment card data while it is in transit, PoSeidon tries to gather credit card information while it’s still resident within the POS system’s memory. When a customer swipes her credit card at a POS terminal in order to pay for a restaurant meal or make a retail purchase, the data contained in the card’s magnetic strip is read and then prepared for transmission to the merchant’s payment processor. PoSeidon extracts this data from the POS terminal’s memory in the instant after it has been read—before it is encrypted for transit through the network.
PoSeidon includes other features that allow it to maintain persistence—to survive on systems even if they are rebooted—and to self-update, ensuring that it’s always running its most recent version. And most strains of the malware include a keylogger, which tracks keystrokes and mouse clicks, enabling attackers to collect account information and user credentials for remote administration services such as pcAnywhere or LogMeIn. Such services allow organizations to update, configure, and maintain their POS systems remotely. But with stolen remote-access credentials, attackers can compromise additional POS systems, and ensure the further spread of the malware.
Unlike earlier types of malware targeting POS devices, PoSeidon communicates directly and immediately with exfiltration servers—allowing it to extract card data immediately and in real time, rather than in a single, large-scale batched file, as was common previously.
Familiar But Still Dangerous in 2018
This family of malware has been known to security researchers and industry insiders for over four years. Its components have been catalogued, the order in which it executes processes—and the logic it deploys while doing so—has been documented, and a list of the TLDs and associated IP addresses with which it attempts to communicate has been compiled. And, as security experts at Palo Alto Networks noted soon after its discovery, early versions of the malware weren’t “terribly sophisticated.” Lacking features such as a complex command-and-control system or strong encryption, PoSeidon initially relied on tried-and-true techniques rather than highly innovative attack methods.
Nonetheless, PoSeidon continues to be found in the wild in 2018, and researchers are still observing new versions and updated variants. But the fundamental tactics and techniques relied upon by this malware remain unchanged.
The persistence of this threat—initially said not to be “terribly sophisticated”—raises a number of urgent questions, which need to be taken seriously by all business leaders charged with managing brands whose reputations depend upon the safety of consumer credit card data.
Attackers Continue to Seek Soft Targets
The market for stolen credit card information remains strong. Black market operatives generate billions of dollars in annual revenue by buying and selling stolen card numbers in bulk. Payment card data can be obtained online for as little as $5 to $8 per number, including CVV2 code.
For this criminal activity to remain profitable, however, attackers must focus their efforts on easily accessible sites likely to provide large amounts of data. POS terminals naturally fit the bill. Usually located in public areas and operated by employees who may lack training or a clear understanding of the importance of information security, point-of-sale systems are inherently vulnerable.
Further, many POS systems in operation today are often running older or more vulnerable operating systems, such as Windows XP or Linux. Such systems may no longer be eligible to receive manufacturer-issued updates and patches. Even when patches are available, not all POS systems are updated regularly.
Far too many businesses try to cut costs by failing to upgrade older POS systems or neglecting to install more expensive Secure Card Reader (SCR) systems that encrypt data at the time of swipe.
How to Ensure Safety for Your Business and Customers
Hardware systems lacking end-to-end data protection measures remain prevalent among POS devices. As long as this is the case, it’s vital to adopt an “assume breach” attitude towards the security of your network as a whole. This means taking steps to ensure that typical patterns of user and network behavior are monitored on an ongoing basis, so that any anomalies (like a POS terminal making frequent connections to a DNS server in Russia) are detected rapidly and automatically. It means blocking known malicious IP addresses and domains proactively. And it means relying on threat intelligence that’s regularly updated with the latest insights from open, commercial and governmental sources.
To learn more about how Netswitch’s Secureli advanced threat protection platform can give your hospitality business deep visibility into your network, and protection from POS-based malware attacks, contact us today.