Future Fraud Trends

Beware of 'BlackPOS' malware in data breaches


On Sept. 15, a U.S. judge certified a class action suit against Target, which several banks brought against the corporation in the wake of its massive 2013 data breach. (See the Sept. 15 Reuters article by Joseph Ax.) Retailers like Target, Home Depot and Albertsons, among many others, are still paying for deficient security systems that allowed the "BlackPOS" malware (also known as "RAM Scraper" or "Kaptoxa") to infiltrate "point of sale" (POS) card swipe machines at cash registers and steal personally identifiable information (PII).

Hackers and cybercriminals are still developing variants of this devious malware, partly to circumvent EMV or chip cards. (Fraud Magazine will cover EMV technology in a future issue. Also see What CFEs should know about the U.S.'s approaching smart card transition, by Zach Capers, CFE, The Fraud Examiner. – ed.)

BlackPOS disguises itself as an installed service of a known anti-virus vendor software to avoid being detected and, consequently, deleted in the infected POS system.

Cybercriminals have various options. They can run this malware under the name of the impersonated anti-virus vendor, alongside that vendor's "Framework Management Instrumentation," or they can use the uninstall option to remove the anti-virus software altogether. (Framework Management Instrumentation is infrastructure for management data and operations on Windows-based operating systems.)

The RAM scraping routine begins as a thread when the installed service starts; this thread also handles communication between the infected terminal and the "3C server." (The 3C server, the "Command and Control Center," is the centralized computer that issues commands to a botnet and receives reports back from the affected terminals.)

It can only start its main routine after getting past the firewall and registering itself as a service. Like all POS malware, BlackPOS searches the terminal's memory for sensitive information to steal. Even here, however, BlackPOS shows some sophistication; for example, some variants only carry out information theft between 10 a.m. and 5 p.m., when the registers are busiest. Stolen information is stored in a .TXT or .DLL file, depending on the variant.
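Because the malware registers itself as a service under an anti-virus vendor's name, one practical check is to compare each service's display name against where its executable actually lives. The script below is an added example for this article, not code from the article or from any vendor: the service records are constructed, and the vendor name "ExampleAV" and its install directory are hypothetical placeholders. On a real Windows host the same three fields (Name, DisplayName, PathName) are available from WMI's Win32_Service class.

```python
"""Flag services that borrow an anti-virus vendor's name but run from
outside that vendor's install directory (a masquerade heuristic).

Added example; the records, vendor name and paths are constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical vendor -> directory the vendor is expected to install under.
EXPECTED_INSTALL_DIRS = {
    "ExampleAV": PureWindowsPath(r"C:\Program Files\ExampleAV"),
}


@dataclass(frozen=True)
class ServiceRecord:
    name: str          # short service name (as shown by `sc query`)
    display_name: str  # human-readable name shown in services.msc
    binary_path: str   # ImagePath, possibly quoted and carrying arguments


def executable_of(image_path: str) -> PureWindowsPath:
    """Strip surrounding quotes and trailing arguments from an ImagePath."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        exe = image_path[1:end] if end > 0 else image_path[1:]
    else:
        exe = image_path.split(" ", 1)[0]
    return PureWindowsPath(exe)


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root' test on path components."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return len(p) > len(r) and p[: len(r)] == r


def suspicious_services(records):
    """Return (service name, executable) pairs whose name references a known
    vendor while the binary runs from somewhere other than that vendor's
    install directory."""
    findings = []
    for rec in records:
        exe = executable_of(rec.binary_path)
        haystack = (rec.name + " " + rec.display_name).lower()
        for vendor, root in EXPECTED_INSTALL_DIRS.items():
            if vendor.lower() in haystack and not is_under(exe, root):
                findings.append((rec.name, str(exe)))
    return findings


# Constructed service listing: one genuine vendor service, one impostor
# running from a temp directory, and an unrelated built-in service.
SAMPLE_SERVICES = [
    ServiceRecord("ExampleAVSvc", "ExampleAV Framework Service",
                  r'"C:\Program Files\ExampleAV\exavsvc.exe" /service'),
    ServiceRecord("ExampleAVMgmt", "ExampleAV Management Framework",
                  r"C:\Windows\Temp\ExampleAV\svchost.exe"),
    ServiceRecord("Spooler", "Print Spooler",
                  r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, exe in suspicious_services(SAMPLE_SERVICES):
        print(f"SUSPICIOUS service {name!r} runs from {exe}")
```

The heuristic is deliberately narrow: it only fires when a vendor's name is borrowed and the binary sits outside that vendor's directory, so a genuine product update does not trigger it. Checking the executable's digital signature against the vendor's certificate would be the natural second step.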

POS connection architecture

Let's see how the POS machines are connected in a retail store. (See figure below.) Imagine a retail group with two branches: Retail 1 and Retail 2. Every retail store, including these two, has POS terminals connected to a switch, a router and a local database server, and all of these connect to a main HQ database server. Small businesses might connect their POS via cellular links. Larger businesses that wish to tie their POS to other back-end systems, however, tend to connect them to their own internal networks, and they might remotely manage their POS systems over these networks to reduce cost and maintenance.

(Figure: data passing between the store servers and the HQ database server.)

Hacking POS systems

Employees normally guard POS systems during operating hours, so getting to a POS device and infecting it with malware can be difficult (though still very doable). All it takes is one disgruntled employee or a well-disguised attacker to gain access to a system and manually install information-stealing malware into it. Attackers might also take advantage of self-service terminals and POS locations that aren't closely monitored.

Often, an attacker sends a target a socially engineered email or instant message that encourages him or her to click a link or open a file. The link or attachment delivers BlackPOS malware that exploits vulnerabilities in popular software used to open PDF and .doc files. The malware is then executed silently on the target's computer, which allows the attacker to take control of it, obtain specific data and ultimately establish a beachhead.

Attackers can also reach POS systems through the Wi-Fi hotspots that retailers provide to their customers in their stores, when those same networks are also used to transfer card information to the retailer's servers. If the retailers use closed Wi-Fi networks, attackers can still crack their passwords. Attackers can also find an open port on a switch and add their own Wi-Fi access points.

Unlike other malware families that directly upload stolen information to a 3C server, BlackPOS uses File Transfer Protocol (FTP: a standard network protocol used to transfer computer files from one host to another over a network, such as the Internet) to upload information to a server of the attacker's choosing. This allows the attackers to consolidate stolen data from multiple POS terminals on a single server, so they have more control over "data exfiltration" (unauthorized transfer of sensitive information). BlackPOS is designed to attack Microsoft Windows because many POS terminals contain embedded versions of the operating system.

The payment card industry uses a set of security standards (the Payment Card Industry Data Security Standard, or PCI DSS) that enforces end-to-end encryption of sensitive payment data captured from payment cards when that data is transmitted, received or stored. However, when a POS machine first reads information from a card, that information sits in the POS memory in unencrypted form. BlackPOS (and other malware) exploits this with RAM scraping: capturing payment card information during the milliseconds when it's held in the system memory.
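The data a RAM scraper collects is the magnetic-stripe track data, which has a fixed, recognizable layout, and the same layout is what an incident responder looks for when triaging the .TXT staging file a variant leaves behind, or what a data-loss-prevention filter looks for on outbound traffic. The scanner below is an added example for this article, not the author's code: it matches Track 2 style records, discards digit runs that fail the Luhn check (so random numbers in memory dumps are not reported), and reports masked PANs only. The sample buffer is constructed and uses the well-known 4111... and 5500... test numbers plus one deliberately invalid number.

```python
"""Scan a text or binary buffer for Track 2 style card records and report
Luhn-valid matches with the PAN masked.

Added example for incident-response triage and DLP; all sample data is
constructed and uses industry test card numbers, not real accounts."""
import re

# Track 2 as written on the stripe: ';' start sentinel, 13-19 digit PAN,
# '=' field separator, 4-digit expiry (YYMM), service code plus
# discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>\d{0,20})\?"
)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check; weeds out digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buffer):
    """Return a list of dicts describing each Luhn-valid Track 2 record found.

    Accepts str or bytes (memory dumps and staging files are usually bytes);
    bytes are decoded as latin-1 so every byte maps to exactly one character
    and offsets stay meaningful."""
    if isinstance(buffer, bytes):
        buffer = buffer.decode("latin-1")
    hits = []
    for m in TRACK2_RE.finditer(buffer):
        pan = m.group("pan")
        if not luhn_valid(pan):
            continue
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp"),
            "offset": m.start(),
        })
    return hits


# Constructed staging-file contents: two valid test PANs, one invalid number
# and some surrounding noise, as a recovered file might look.
SAMPLE_BUFFER = (
    b"log start\x00\x00"
    b";4111111111111111=25121010000000000?\n"
    b"noise ;4111111111111112=25121010000000000? more noise\n"
    b";5500000000000004=26051011234500000?"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print(f"offset {hit['offset']}: PAN {hit['pan_masked']} exp {hit['expiry']}")
```

Running the scanner over a staging file tells the response team how many card records were exposed and for which expiry windows without anyone having to handle the clear-text PANs; the same function can sit behind an outbound-traffic filter to block Track 2 data leaving a POS segment.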

After the attackers have stolen information, the next critical step for them is to obtain the data from the target's infrastructure and place it under their control. They electronically collect and compress the data, split the files into chunks and transmit it to their servers using a variety of transmission methods such as FTP and Hypertext Transfer Protocol (HTTP), the foundation of data communication for the World Wide Web.

Security and awareness

Retailers can detect exfiltrating batches of data with the right tools in place. Six months before the Target breach, the company had installed a $1.6 million malware detection system that worked exactly as planned when the intruders began stealing the PII. It even issued multiple alerts to Target's security staff, but the staff simply ignored them. This shows a clear lack of awareness of security controls. (See Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, by Michael Riley, Ben Elgin, Dune Lawrence and Carol Matlack, Bloomberg Business, March 13, 2014.)
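The article's exfiltration description (FTP or HTTP uploads, files split into chunks, consolidated on a server of the attacker's choosing) translates directly into a network detection rule: POS terminals have no business talking to the internet at all, and repeated outbound transfers from one terminal that add up to a large volume are the chunked-upload pattern. The script below is an added example for this article, not code from the author or from any product. The flow-log format, the POS subnet 10.20.5.0/24 and the byte threshold are hypothetical; the destination addresses are documentation ranges (203.0.113.0/24, 198.51.100.0/24), and the log lines are constructed.

```python
"""Flag POS-segment hosts that send data outside the internal network and
aggregate per-host outbound volume to catch chunked uploads.

Added example; the log format, subnets and threshold are hypothetical."""
import ipaddress
from collections import defaultdict

# Hypothetical network layout for the store described in the article.
POS_SEGMENTS = [ipaddress.ip_network("10.20.5.0/24")]
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports the article names as exfiltration channels; anything else external
# from a POS host is still reported, just labelled by port.
WATCHED_PORTS = {21: "ftp", 80: "http"}
BULK_THRESHOLD_BYTES = 1_000_000   # cumulative external bytes per POS host


def parse_flow(line: str) -> dict:
    """Parse one 'ts key=value ...' flow record into typed fields."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for kv in fields[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def analyze(lines):
    """Return external flows from POS hosts and the hosts whose cumulative
    external volume crosses BULK_THRESHOLD_BYTES."""
    external_flows = []
    per_host = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        if not in_any(rec["src"], POS_SEGMENTS):
            continue                      # rule is scoped to the POS VLAN
        if in_any(rec["dst"], INTERNAL):
            continue                      # store/HQ traffic is expected
        service = WATCHED_PORTS.get(rec["dport"], f"tcp/{rec['dport']}")
        external_flows.append({
            "ts": rec["ts"], "src": str(rec["src"]), "dst": str(rec["dst"]),
            "service": service, "bytes": rec["bytes"],
        })
        per_host[str(rec["src"])] += rec["bytes"]
    bulk_senders = {h: b for h, b in per_host.items() if b >= BULK_THRESHOLD_BYTES}
    return {"external_flows": external_flows, "bulk_senders": bulk_senders}


# Constructed flow log: normal store traffic, two FTP chunks from one
# terminal to the same outside host, a small HTTP flow from another
# terminal, and an office host that the POS-scoped rule ignores.
SAMPLE_FLOWS = """\
2014-11-27T14:03:11Z src=10.20.5.17 dst=10.20.5.2 proto=tcp dport=1433 bytes=2048
2014-11-27T14:05:40Z src=10.20.5.17 dst=10.200.1.10 proto=tcp dport=443 bytes=81920
2014-11-27T14:07:02Z src=10.20.5.17 dst=203.0.113.45 proto=tcp dport=21 bytes=524288
2014-11-27T14:12:55Z src=10.20.5.17 dst=203.0.113.45 proto=tcp dport=21 bytes=524288
2014-11-27T14:13:30Z src=10.20.5.23 dst=198.51.100.9 proto=tcp dport=80 bytes=4096
2014-11-27T14:15:01Z src=10.20.9.4 dst=203.0.113.45 proto=tcp dport=21 bytes=9000000
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS.splitlines())
    for flow in result["external_flows"]:
        print(f"{flow['ts']} POS {flow['src']} -> {flow['dst']} "
              f"{flow['service']} {flow['bytes']} bytes")
    for host, total in result["bulk_senders"].items():
        print(f"BULK: {host} sent {total} bytes externally")
```

Two separate findings come out of the same pass: any external flow from a POS host (a policy violation regardless of size) and the per-host total, which is what exposes an upload that was split into chunks to stay under per-connection size alerts. Feeding this the store's real firewall or NetFlow export, with the POS VLANs and the HQ ranges filled in, is the "right tools in place" the article refers to.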

When it comes to social engineering gaffes, Pogo, the central character of a long-running American comic strip, said it best: "We have met the enemy and he is us." We can apply the same sentiment to employees who are blissfully ignorant of the lengths that criminals will take to gain their confidence to breach organizations' security and steal proprietary data.

All businesses — especially retailers — should conduct awareness programs to educate employees about social engineering, spear-phishing attacks and precautionary steps. Employees should know whom to contact during such scenarios and learn company whistleblower policies. Penetration testing and intrusion detection exercises must be part of good fraud prevention programs.

Of course, all organizations should protect themselves from possible threats by monitoring their internal control systems and fortifying them. And they should be especially vigilant when screening external recruits.

Always conduct background checks for all prospective employees, even the janitorial staff, especially if you use an outsourced external firm. Janitors or office cleaners, who have access to all parts of a building, can easily install hardware keyloggers in company computers and gather usernames and passwords. They can also insert memory sticks into computers to install malware, including BlackPOS.

As CFEs, we know our duty is to detect, deter and prevent fraud. In all cases, we need to think like fraudsters to thwart them before they attack. And we need to be aware of all new and mutant malware, including variations of BlackPOS. Even if you don't work for a retailer, the enemy is still on your doorstep ready to reap your customers' PII.

Krishna Prasad Prabhakaran, CFE, is a fraud analyst at Dunia Finance L.L.C, in Dubai, U.A.E. His email address is: krishnapras97@gmail.com.
