Risks in Retail: New POS Vulnerabilities and Malware

Thu Pham, Information Security Journalist, Duo Security

In 2014, large retailers, franchises and small businesses alike were affected by new vulnerabilities and malware targeting point-of-sale (POS) devices, systems and vendors. One recent vulnerability affecting POS devices and systems was detailed by the US-CERT in its Vulnerability Notes Database.

The Honeywell OPUS Suite (OLE for Retail POS) provides a standard programming interface that allows POS hardware to be easily integrated into retail POS systems for Microsoft Windows operating systems.
Honeywell OPUS suite versions earlier than make it possible for attackers to execute arbitrary code into a targeted user’s browser process—the user needs to visit a website or open a file sent by the attacker in order for the attack to occur. Fortunately, the vulnerability can be avoided by downloading and installing the most recent version of the software from the Honeywell website.

Whether it’s a single phishing email or an entire campaign, getting users to click a link or open attachments is not particularly difficult, a long history of data breaches testifies to this. Phishing attacks are widespread and affect every industry—150,000 JPMorgan Chase customers were hit with phishing emails in a ‘smash and grab’ campaign that attempted to steal their banking credentials in two ways:

  • Asking users to submit their online bank account usernames and passwords
  • Using a spoofed page that redirected users via a malicious iframe that installed the banking Trojan Dyre on a user’s machine

Third-party POS vendors have also been targeted in phishing campaigns, as stolen credentials are used to get access to a provider’s network and larger retail organisations’ networks.

POS Malware Types

While malware can be used against a variety of industries in a variety of ways, a few vulnerability notifications have designated certain types that target the retail industry and POS systems in particular, including:

Name: Backoff
Type: A family of POS malware
Who it affected: Seven POS system providers have confirmed multiple clients were affected and the Secret Service estimates that over 1,000 U.S. businesses were affected
What it does: Scrapes memory for credit card data, logs keystrokes, and connects with command and control servers to send stolen data.
How it’s used: Attackers scan to find users of popular remote desktop solutions, then attempt to brute force the login to get access to administrator or privileged accounts in order to deploy the Backoff POS malware.

Name: BlackPOS, also known as Kaptoxa
Type: A POS malware strain
Who it affected: BlackPOS is said to have been associated with the Target and Home Depot breaches
What it does: This type of malware parses data stored in the memory of specific POS devices, capturing track data stored on a card’s magnetic stripe immediately after it’s been swiped at a terminal.
How it’s used: Attackers get access to a company’s network or servers, typically via stolen credentials. Then they upload BlackPOS to POS machines and set up a control server to collect and deliver stolen data from infected devices.

POS System Best Practices

The US-CERT recommends some standard security best practices for POS system owners and operators to protect customer card data from attackers. Its recommendations include using strong passwords and always changing the default passwords after installing new POS systems. Default passwords on commercial systems can be easily found online.

Another recommendation includes updating POS software applications, which is one way to ensure you’re running the latest and most secure application to guard against known vulnerabilities (if they’re published online, they can be easily exploited).

Exercise control over your IT environment by restricting internet access to POS system computers or terminals to prevent users from exposing sensitive data online, and restrict remote access to POS systems. Attackers can brute force or phish credentials for remote desktop tools that give them full access to POS systems from anywhere in the world.

While the US-CERT also recommends installing firewalls and antivirus, many variants of malicious software and attacks often bypass antivirus detection.  A more effective security tool strengthens access controls such as authentication—two-factor authentication provides another layer of security in addition to your basic primary authentication process (username + password). Two-factor authentication for remote access is a requirement for PCI DSS and best practice for strengthening access security with applications that process payment card data.

To learn more about how to help navigate through some of the new risks in the retail industry, you can check out this free guide that provides an overview of the retail industry's current state of security and recommendations on safeguarding customer financial information.

About Thu Pham
Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo Security, Pham covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Read more: Record-pace app sales reinforce urgency of authorities' mobile app privacy push

Upcoming IT Security Events

Feb 3rd, Feb 4th, Feb 6th 2015

Join @NirZuk #PaloAltoNetworks for Breakfast (lunch in Auckland) on keeping your enterprise safe from risk. Cyber attacks continue to increase in volume and sophistication leaving traditional security practices completely ineffective. 

Register Today Seats are limited

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @frankheidt

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)

Read more: 2014's vulnerability surge left Mac OS, iOS more exposed than Windows

Tags Enex TestLabmalwaredatabaseJPMorgan ChaseCSO AustraliaRisks in RetailPOS vendorsHoneywell OPUS SuitePOS VulnerabilitiesKaptoxa

Show Comments