How POS Threat Has Evolved Over Years?
Although stealing money and details from credit/debit cards is one of the oldest tricks in the book of hackers, yet they use it and are successful in their spree. POS or Point-of Sale attacks are the easiest to perform and can easily cause a large scale damage. People think that all that is possible with POS attack is stealing their money, but the attackers can extract your data and sell it on dark web that will lead to a large-scale exploitation. Just imagine, what if somebody steals your credit card details and goes on a shopping spree. While he may enjoy the things that he bought you may get trapped in huge debt.
This hack is said to be easiest because all they are required to do is clone the card and steal its data which is possible via skimming. The hardware known as skimmer is used for the same. When installed to a POS, it steals the card data and stores it, which can later be uninstalled to extract all the data that has been stolen.
It was thought that replacing the traditional cards by EMV-based cards will render all the skimmers useless and we’ll become safe from the attacks. But in an amazing turn of events, and after plenty of research it was found out that much-touted EMV cards can be cloned. A slight modification was to be made and that was placing a shimmer and using a network-connected smartphone together to serve their purpose.
Rise Of Attacks That Were Network-based
There’s no denying the fact that skimmers eased the process of stealing information, but no mass break was possible using this. As soon as the word spread to cyber criminals, they quickly turned towards network-sniffing malware in order to steal data using the same. As these malware were competent enough of intercepting card details during the transit and further redirected them to the hackers, they stole data from 90 million card holders in 2014. This malware could easily sneak into the POS system through phishing.
Are you wondering how it was done? Well, it was much easier, you just had to send a phishing email that would spread through the network and infect every machine in it. This establishes a backdoor connection with C2 server. With this, it records card transactions, and saves the information gathered in the C2 server which can be accessed and used without much hassles.
Evolution Of The Malware Developed
The malware for stealing data that was not designed overnight. It came in many version about which, it’s given below:
Found in 2011, it was used to harvest card data from the memory. It didn’t scan every process, but used RegEX to gather the card data. The data of track 1 and track 2 were recorded and stored in a file named “data.txt” or “current.txt.” Although it didn’t have data-exfiltration functionality it was accessed via remote access later.
Also known by the name ‘Trackr’ this malware was updated frequently and scanned the system’s memory for contents match and this indicates that if it finds the presence of card information it would be stolen. These were then sent to the command-and-control server via HTTP POST command.
It’s one of the most potent POS malware because it not just steals the card information, but also installs a keylogger in the infected system. This way none of your data remains secure.
Known by the alias ChewBacca, its gives an add-on to POS malware by usage of Tor network to contact the C and C server. And by this, the detection and investigation of attack gets tougher.
This checked for sandboxing tools on a machine before getting executed and it aimed to make the detection even more tougher which buyed it enough time for exploitation.
This holds record for causing the third highest data breach which affected 70 million cards. It enumerates all processes running on the infected system using the EnumProcesses method and then scans for the card details.
The others included JackPOS, Soraya, ChewBacca, BrutPOS, Backoff, and GratefulPO, and worked more or less similarly and made the mass breach possible. Although we’ve yet not found any feasible solution for this, we believe that soon these attacks will be curbed. Have we left anything? If yes, then don’t forget to mention the same in the comments section given below.