The document discusses the shifting landscape of point-of-sale (POS) malware. It covers the rise of commodity POS malware kits that are cheap and available online. It also discusses targeted breaches like the one against Target in 2013 where tailored malware was used to steal payment card data from their POS systems. Looking forward, the document discusses how the liability shift for EMV compliance in October 2015 and migration to tokenization systems may help address POS payment card theft going forward.
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
The Shifting Landscape of PoS MalwareOutput
1. Silas Cutler: Sr. Security Researcher
The Shifting Landscape of PoS Malware
2. INTRO
2015 CrowdStrike, Inc. All rights reserved.
Current
•CrowdStrike - Sr. Security Researcher
•Malshare
•Project 25499
•RIT Honeynet Project
Contact
•Twitter : @SilasCutler / @CrowdStrike
•Email : Silas.Cutler@Gmail.com / Silas.Cutler@CrowdStrike.com
3. AGENDA
1. Technical Overview
2. Rise of the Commodity Brands
3. Targeted Breaches
4. Looking Forward
5. Questions
2015 CrowdStrike, Inc. All rights reserved.
The Shifting Landscape of PoS Malware
4. Introduction PoS Malware
2015 CrowdStrike, Inc. All rights reserved.
• Malware designed to steal credit
card data from Point-of-Sale (PoS)
terminals
• PoS Terminals
• Out-of-date software
• Limited technical support
• Appliance mentality
• Plug it in and replace it when it
breaks
5. 2014 Breaches - Short List
2015 CrowdStrike, Inc. All rights reserved.
Sally Beauty
Michaels
Goodwill
Dairy Queen
UPS
SuperValu
Home Depot
Staples
Neiman Marcus
Bebe
Kmart
Albertsons
Jimmy Johns
P.F. Changes
Shaw’s and Star Market
…
6. Introduction PoS Malware
2015 CrowdStrike, Inc. All rights reserved.
• Cards sold in online marketplaces.
• Often sold in bulk
• Payment : Perfect Money / Bitcoin
Webmoney / etc
• Cards:
• US Credit/Debit: $20/each
• UK Credit/Debit: $35/each
• Bank Logins (BoA):
• Balance > $3k = $100
• Balance > $11k = $300
• Cash out schemes / Mules / Sellers and
buyers
7. 2015 CrowdStrike, Inc. All rights reserved.
Technical Overview
The Shifting Landscape of PoS Malware
8. 2015 CrowdStrike, Inc. All rights reserved.
MAGNETIC STRIPS
%B6011898748579348^DOE/ JOHN^37829821000123000789?
;6011898748579348=1412101110000000000?*
;011234567890123445=724724100000000000030300XXXX040400099010=******==1=0000000000000000?*
ISO / IEC 4909:2006
• Defines standard format for track
data on Credit Cards
9. 2015 CrowdStrike, Inc. All rights reserved.
TRACK DATA
Track 1: %B6011898748579348^DOE/ JOHN^14121011000000000000001230000?*
Track 2: ;6011898748579348=1412101110000000000?*
Index:
• % – Start Sentinel
• B – Format Code
• 6011898748579348 – Card Number
• ^ – Field Separator
• DOE/ JOHN – Cardholder name
• 1412 – Expiration Date (2014 – Dec)
• 1100 – Encrypted Pin
• 123 – CVV Number
• ? – End Sentinel
10. MEMORY SCRAPING
2015 CrowdStrike, Inc. All rights reserved.
1. Enumerates Processes
– CreateToolhelp32Snapshot() /
Process32Next()
2. Open and Read process memory
– OpenProcess() / VirtualQueryEx() /
ReadProcessMemory()
3. Search for Track Data
4. Validation
– Luhn Algorithm / Mod 10
– Expiration Date Check
11. 2015 CrowdStrike, Inc. All rights reserved.
Rise of the Commodity
The Shifting Landscape of PoS Malware
12. Commodity PoS Malware
2015 CrowdStrike, Inc. All rights reserved.
• Highlights
• Off-the-shelf kits
• Communicate via HTTP request
• Price < $1k
• Source code for several publicly available
• Names:
• Alina
• Dexter
• vSkimmer
• Backoff
• JackPoS
• POSCardStealer
13. 2013 CrowdStrike, Inc. All rights reserved.
ARCHITECTURE
Control Server
Infected hosts
•Traditional Client / Server
architecture
– Infected hosts beacon and send data
to control server
– Replies from server contain status /
command instructions
•Communicates over HTTP requests
•Operator views bots via web portal
– Can send some basic commands
14.
15.
16.
17. Spreading
2015 CrowdStrike, Inc. All rights reserved.
• Brute-forcing Remote Management
• User/Password Lists tailored for PoS systems
• PcAnyWhere
• VNC
• Remote Desktop
• LogMeIn
• Phishing
• Vendor Targeting *
• Exploitation of Opportunity
18. 2015 CrowdStrike, Inc. All rights reserved.
Targeted Breaches
The Shifting Landscape of PoS Malware
19. What makes it targeted
2015 CrowdStrike, Inc. All rights reserved.
• [ Quality of Malware ] != Targeted
• Tailored options
( Implants designed to work in one infrastructure)
• Only targets specific PoS terminal types
• Logs to Internal IP addresses
• Forensic countermeasures
• Limited client-side controls*
20. 2014 Players
2015 CrowdStrike, Inc. All rights reserved.
• FrameWork PoS
• Called BlackPoS 2.0 by Trend Micro
• Limited Distribution
• Exfiltration done using SMB shared drives
• Hard coded credentials
• Contains links to Anti-US websites
• Mozart PoS
• Limited Distribution
• Specifically designed to work against Java based PoS solutions
• Designed to look like a PoS remote monitor service from NCR
• Contains links to Anti-US websites
21. Case Study: Target
2015 CrowdStrike, Inc. All rights reserved.
• Initial statement released 19
December 2013
• 40 Million Credit Cards stolen
• PII for up to 70 Million individuals
• Statement stated “criminals forced
their way into our system, gaining
access to guest credit and debit card
information”
• Largest hack of a US retailer’s PoS
infrastructure
22. Case Study: Target
2015 CrowdStrike, Inc. All rights reserved.
• PoS infrastructure was directly targeted
• Malware used was Kaptoxa (mmon)
• Part of BlackPoS malware
• Traces back to 2010
• Data pushed stolen data to an internal drop-site
• Used credentials to authenticate to internal SMB file store
• leveraged stolen HVAC credentials
• Internal Drop-sites exfiltrated data to external FTP server
• Adversary may have known sensitive details about Target’s infrastructure
23.
24. 2015 CrowdStrike, Inc. All rights reserved.
Looking Forward
The Shifting Landscape of PoS Malware
25. Looking Forward
2015 CrowdStrike, Inc. All rights reserved.
• October 2015 Liability Shift
• “ The party that has made investment in EMV deployment is protected from
financial liability for card-present counterfeit fraud losses on this date. If neither
or both parties are EMV compliant, the fraud liability remains the same as it is
today.” [1]
• Tokenization of Payment Methods
• iPay
• Google Wallet
[1]http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/
26. 2015 CrowdStrike, Inc. All rights reserved.
QUESTIONS
The Shifting Landscape of PoS Malware
27. YOU DON’T HAVE A MALWARE PROBLEM,
YOU HAVE AN ADVERSARY PROBLEM
2015 CrowdStrike, Inc. All rights reserved.