Just in time for the busiest shopping and travel (and probably overall credit card use) time of the year, we are seeing a number of new Point-of-Sale (PoS) malware and PoS-related breaches. (Even as I began to write this blog post, I got yet another alert of another PoS malware.)https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iThe new strains of malware, including the Cherry Picker, AbaddonPOS and ModPOS malware, are just the latest evolution in increasingly sophisticated point-of-sale attacks. Well, not all are “latest evolution.” It appears that Cherry Picker has been around since 2011, targeting the food and drink business. But as a Threatpost blog pointed out, the malware has done an amazing job in staying hidden:
According to Eric Merritt, the primary researcher [with Trustwave] who observed the malware, Cherry Picker knows what it wants – and if it can’t find it on the system, it simply exits. The malware has certain configuration files that target processes it expects to be loaded in. Similar to a cherry-picking play in basketball, where a player’s main objective is staying close to the hoop and getting buckets, Cherry Picking malware has one objective – targeting that data.
AbaddonPOS malware was discovered by Proofpoint and is part of another (Vawtrak) infection. As the blog stated, AbaddonPOS is meant to help Vawtrak’s capabilities and expands the entire target surfaces that include PoS terminals.
The ModPOS malware is the one that literally came to my attention as I was typing. I’ve seen it described as “the most sophisticated PoS malware” yet. As InfoSecurity explained it:
As its name suggests, the malware is modular in nature, meaning it can be configured according to its target with various capabilities including keylogger, POS RAM scraper, uploader/downloader and “custom plugins” for things like network reconnaissance.
Jason Tan, CEO & co-founder, Sift Science, added this about ModPOS in an email comment to me:
The discovery of this sophisticated malware underscores how important it is for retailers to adopt the strongest safeguards possible to protect sensitive payment information – and prevent criminals from successfully using this information to commit fraud. This includes practicing end-to-end encryption of customer data, providing EMV card readers in stores, and implementing a real-time anti-fraud solution online to spot card-not-present fraud before it hits.
That part about EMV card readers is especially important, but, particularly where this particular malware is concerned, the researchers are warning that if the EMV readers aren’t using end-to-end encryption now, there is still risk of data being stolen.
Finally, we are seeing the PoS malware in action already this holiday season, as it was announced that PoS terminals at a number of Starwood Hotels were infected with malware and the systems hacked.
For companies that accept credit card payments, EMV readers are part of the security solution, but, as we can see, they aren’t the only solution (especially if they aren’t up and running properly). I wouldn’t be surprised if this is just the tip of the iceberg when it comes to PoS malware. We’ll see this holiday season.
On that note, Happy Thanksgiving to all, and a very safe holiday shopping and travel season.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba