POS Terminals Rich Vein for Gold-Digging Hackers

Hackers are like gold miners. Once they find a rich vein for their malware, they mine it until it’s dry. Point-of-sale terminals are such a vein, and it doesn’t appear that it’s one that’s about to run dry any time soon.

Following the success of the Target breach in 2013, the hacker underground was quick to rush more POS malware to market.

“Attackers have recognized that the physical point-of-sale terminal is a new viable soft target,” said Christopher Budd, threat communications manager at Trend Micro.

“So we saw an increase in interest in malware that targets that — an increase in attacks and a boost in variants of POS malware, as well as kits that enable people to build their own POS malware,” he told TechNewsWorld.

While the variants of the malware may be modified based on its target environment, all of it has the same mission.

“Ultimately, they’re all about the same goal, which is obtaining credit and debit card information and shipping it where it can be sold or abused,” Budd said.

Banks Buy Stolen Numbers

Ironically, the sale of that information often shuts down mining operations at a target.

“In a lot of these cases in the retail industry,” Budd said, “some of the first indications of a breach come from a financial institution monitoring the underground.”

Financial institutions will buy purloined blocks of payment card numbers for cards they’ve issued. Then they’ll trace the payment history for the cards — much as the CDC tries to identify “patient zero” when combating a disease epidemic — to identify where they may have been compromised, he explained.
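The tracing Budd describes is often called common-point-of-purchase analysis: find the merchant that nearly every compromised card visited but few clean cards did. The script below is an added illustration, not code from the article or from any bank; the card tokens, merchants and dates are constructed sample data, and the scoring (compromised-card share minus clean-card share per merchant) is a simplified stand-in for the statistical tests issuers actually use.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): card tokens stand in for
# card numbers an issuer has recovered from an underground market.
COMPROMISED = {"c1", "c2", "c3", "c4"}

# (card_token, merchant, transaction_date) for compromised and clean cards
TRANSACTIONS = [
    ("c1", "BigBox Mart", date(2014, 11, 3)), ("c2", "BigBox Mart", date(2014, 11, 4)),
    ("c3", "BigBox Mart", date(2014, 11, 9)), ("c4", "BigBox Mart", date(2014, 11, 12)),
    ("k1", "BigBox Mart", date(2014, 11, 5)), ("k2", "BigBox Mart", date(2014, 11, 6)),
    ("k3", "BigBox Mart", date(2014, 11, 7)), ("k4", "BigBox Mart", date(2014, 11, 8)),
    ("c1", "Corner Pharmacy", date(2014, 11, 10)), ("c2", "Corner Pharmacy", date(2014, 11, 11)),
    ("c3", "Corner Pharmacy", date(2014, 11, 15)), ("c4", "Corner Pharmacy", date(2014, 11, 20)),
    ("k1", "Corner Pharmacy", date(2014, 11, 18)),
    ("k2", "Corner Pharmacy", date(2014, 12, 5)),  # outside the window, ignored
    ("c1", "Gas Station", date(2014, 11, 2)), ("k2", "Gas Station", date(2014, 11, 2)),
    ("c2", "Coffee Shop", date(2014, 11, 21)),
]

def common_point_of_purchase(transactions, compromised, start, end):
    """Rank merchants as candidate breach locations.

    For each merchant seen in the window, take the share of compromised cards
    that transacted there minus the share of clean cards that did. A merchant
    everyone shops at (a big chain) scores near zero; one that nearly all
    compromised cards share but few clean cards do scores high.
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for card, merchant, day in transactions:
        if start <= day <= end:
            cards_at[merchant].add(card)
            all_cards.add(card)
    clean = all_cards - compromised
    ranked = []
    for merchant, cards in cards_at.items():
        bad_share = len(cards & compromised) / len(compromised)
        clean_share = len(cards & clean) / len(clean) if clean else 0.0
        ranked.append((merchant, bad_share, clean_share, round(bad_share - clean_share, 3)))
    ranked.sort(key=lambda r: r[3], reverse=True)  # highest lift first
    return ranked

if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, COMPROMISED,
                                        date(2014, 11, 1), date(2014, 11, 30)):
        print("%-16s compromised=%.2f clean=%.2f lift=%+.3f" % row)
```

In the sample, the chain store visited by every card scores zero while the small pharmacy shared by all four compromised cards ranks first; on real data the window would be narrowed around the earliest fraud dates.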

In addition to plugging retail leaks, the purchase of stolen payment card numbers has another benefit for a financial institution.

“You take your card numbers out of circulation for fraudulent use,” Budd said.

Since the Target breach, hackers have been busy not only developing POS malware, but also expanding its target environment.

“We’re seeing targeting of parking and airport kiosks,” Budd noted. “The bad guys have figured out that within the U.S., the swipe-and-sign credit card technology is incredibly weak from a security point of view, and now that it has been demonstrated to be an effective target, they’re swarming everywhere they can to get access to it.”

The FraudFox Browser

Between 12 percent and 22 percent of Web surfers in the world use the Firefox browser, so there was some concern last week when it was discovered that a dark developer had created a version that hackers could use for criminal purposes.

Called “FraudFox,” the outlaw browser enables a cyberthief to use stolen settings from a target’s version of Firefox to engage in nefarious activities, such as draining bank accounts.

FraudFox comes with an interesting twist. It’s packaged with a virtual machine for Windows or OS X. Using the VM, hackers can distance themselves from an attack by launching it from a cloud service such as Amazon Web Services.

“Running from a cloud virtual machine ups the bar a little more by allowing them to run it somewhere that’s not in their physical location,” Iovation Chief Technology Officer Scott Waddell told TechNewsWorld. “It gives them another layer in which to hide.”

Although FraudFox has some allure, it’s not likely to gain much traction with denizens of the Dark Web.

“It’s got some interesting packaging, but it’s not free,” Waddell pointed out. “Most of the tools for doing what FraudFox does are already free.”

FraudFox sells for around US$390.

Patent King

For the past 21 years, IBM has been the king of patents, and this year was no different. It filed 7,534 patents, making it the top filer once again in the United States.

Among those patents were more than a few for cybersecurity inventions. For instance, one patent is for software that analyzes code to make sure it’s secure.

“A lot of the analysis tools, when analyzing a software system for problems, take for granted what developers tell them they did to address certain security problems,” said IBM Master Inventor Omer Tripp.

“A lot of times, when developers say something is safe, it’s not entirely true,” he told TechNewsWorld.

That’s especially the case with respect to how software handles user input. Mishandling of user input opens up software to a number of attacks, such as cross-site scripting and SQL injection.

IBM’s invention simulates all possible inputs to test the defense layer of the system.

“In a lot of the cases, we found the defense systems to be broken,” Tripp said.

Protecting Mobile Privacy

Another invention is aimed at privacy in smartphones. It captures how an application accesses and utilizes private information on a smartphone and presents it in way that’s easy to understand. That can be very useful in an enterprise environment.

“It enables a chief information officer or chief security officer to take a look at an application and say, ‘If this is the way this application behaves, then I want to constrain this behavior so certain information doesn’t flow from the application,’” Tripp explained.

“It lets an organization make sure an application is well behaved — that, for example, it’s not accessing your business calendar and transmitting your meeting information to an advertising server,” he added.

Other security patents awarded IBM in 2014 identify when a malicious app is trying to install itself on a smartphone, use voice to verify mobile devices accessing a network, and require a passcode before a cloud provider can access a user’s data in the cloud.

Breach Diary

  • Jan. 20. SplashData releases annual list of 25 most commonly used passwords. Topping the list was “123456” followed by “password.”
  • Jan. 20. Cisco releases 2015 Annual Security Report, which notes Java exploits decreased 34 percent during reporting period and spam volumes increased 250 percent during the first 11 months of 2014.
  • Jan. 20. ISACA, a cybersecurity training and benchmarking organization, releases survey of 3,400 of its members finding only 8 percent disagreed or strongly disagreed with proposed federal law requiring organizations to notify affected customers within 30 days of a data breach.
  • Jan. 20. NSS Labs releases report forecasting Next Generation Firewall market will grow to $5.8 billion by 2018 from $2.9 billion in 2013.
  • Jan. 21. Ponemon Institute and Identity Finder release survey of 735 IT and IT security practitioners that finds while only 13 percent of the respondents felt their organization’s senior management was extremely concerned about the threat of a data breach before the Target breach, that number jumped to 55 percent after the breach was reported.
  • Jan. 21. Adobe confirms it is investigating a Zero Day vulnerability in its Flash software that reportedly is being exploited by the Angler malware kit. It also confirms a second Zero Day flaw affecting Internet Explorer and Firefox on all versions of Windows.
  • Jan. 22. Ars Technica reports Google Zero has released three OS X vulnerabilities during the week that have not been patched by Apple.
  • Jan. 23. Sony Corporation announces it will not be able to meet Feb. 4 deadline for release of its third quarter results due to hacking attacks on its motion picture unit last year.
  • Jan. 23. St. Peter’s Health Partners in Albany, N.Y., discloses that appointment information for an undisclosed number of patients is at risk after the theft of a manager’s cellphone. Phone was password protected, but the data on it was not encrypted in accordance with organization policy.

Upcoming Security Events

  • Jan. 29. From The Front Lines: Insights From Network Ops On The Global Threat Landscape. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 3. Data Privacy & Protection Day Town Hall. Bryan Cave LLP, 1290 Avenue of the Americas, 35th Floor, New York City. Registration: morning town hall and breakfast, $20; afternoon workshop, $275.
  • Feb. 4-5. Suits and Spooks. The Ritz-Carlton, Pentagon City, 1250 South Hayes Street, Arlington, Virginia. Registration: $675.
  • Feb. 5. Data Privacy & Protection Day Town Hall. Holland & Knight LLP Conference Center, 800 17th Street N.W., Washington, D.C. Registration: morning town hall and breakfast, $20; afternoon workshop, $200.
  • Feb. 6-7. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 7-8. #Disastertech Hackathon. Ernest N. Morial Convention Center, New Orleans. Registration: free, but limited to 50.
  • Feb. 10-12. International Disaster Conference and Exposition (IDCE). Ernest N. Morial Convention Center, New Orleans. Registration: government, nonprofit, academia, $150; private sector, $450.
  • Feb. 11. SecureWorld Charlotte. Harris Conference Center, Charlotte, North Carolina. Open sessions pass: $25; conference pass: $165; SecureWorld plus training: $545.
  • Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
  • Feb. 21. B-Sides Tampa. The Museum of Science and Industry, 4801 E. Fowler Ave., Tampa, Florida. Free.
  • Feb. 21. B-Sides Indianapolis. DeveloperTown, 5255 Winthrop Ave., Indianapolis, Indiana. Fee: $10.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: $25; conference pass: $295; SecureWorld plus training: $695.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
