Risks in Retail: New POS Vulnerabilities and Malware

Thu Pham, Information Security Journalist, Duo Security

In 2014, large retailers, franchises and small businesses alike were affected by new vulnerabilities and malware targeting point-of-sale (POS) devices, systems and vendors. One recent vulnerability affecting POS devices and systems was detailed by the US-CERT in its Vulnerability Notes Database.

The Honeywell OPUS Suite (OLE for Retail POS) provides a standard programming interface that allows POS hardware to be easily integrated into retail POS systems for Microsoft Windows operating systems.
Honeywell OPUS suite versions earlier than make it possible for attackers to execute arbitrary code in the context of a targeted user’s browser process—the user needs to visit a website or open a file sent by the attacker for the attack to occur. Fortunately, the vulnerability can be avoided by downloading and installing the most recent version of the software from the Honeywell website.

Whether it’s a single phishing email or an entire campaign, getting users to click a link or open attachments is not particularly difficult, as a long history of data breaches testifies. Phishing attacks are widespread and affect every industry—150,000 JPMorgan Chase customers were hit with phishing emails in a ‘smash and grab’ campaign that attempted to steal their banking credentials in two ways:

  • Asking users to submit their online bank account usernames and passwords
  • Using a spoofed page that redirected users via a malicious iframe that installed the banking Trojan Dyre on a user’s machine

Third-party POS vendors have also been targeted in phishing campaigns, as stolen credentials are used to get access to a provider’s network and larger retail organisations’ networks.

POS Malware Types

While malware can be used against a variety of industries in a variety of ways, a few vulnerability notifications have designated certain types that target the retail industry and POS systems in particular, including:

Name: Backoff
Type: A family of POS malware
Who it affected: Seven POS system providers have confirmed that multiple clients were affected, and the Secret Service estimates that over 1,000 U.S. businesses were affected
What it does: Scrapes memory for credit card data, logs keystrokes, and connects with command and control servers to send stolen data.
How it’s used: Attackers scan to find users of popular remote desktop solutions, then attempt to brute force the login to get access to administrator or privileged accounts in order to deploy the Backoff POS malware.

Name: BlackPOS, also known as Kaptoxa
Type: A POS malware strain
Who it affected: BlackPOS is said to have been associated with the Target and Home Depot breaches
What it does: This type of malware parses data stored in the memory of specific POS devices, capturing track data stored on a card’s magnetic stripe immediately after it’s been swiped at a terminal.
How it’s used: Attackers get access to a company’s network or servers, typically via stolen credentials. Then they upload BlackPOS to POS machines and set up a control server to collect and deliver stolen data from infected devices.

POS System Best Practices

The US-CERT recommends some standard security best practices for POS system owners and operators to protect customer card data from attackers. Its recommendations include using strong passwords and always changing the default passwords after installing new POS systems. Default passwords on commercial systems can be easily found online.

Another recommendation includes updating POS software applications, which is one way to ensure you’re running the latest and most secure application to guard against known vulnerabilities (if they’re published online, they can be easily exploited).

Exercise control over your IT environment by restricting internet access to POS system computers or terminals to prevent users from exposing sensitive data online, and restrict remote access to POS systems. Attackers can brute force or phish credentials for remote desktop tools that give them full access to POS systems from anywhere in the world.

While the US-CERT also recommends installing firewalls and antivirus, many variants of malicious software and attacks often bypass antivirus detection. A more effective security tool strengthens access controls such as authentication—two-factor authentication provides another layer of security in addition to your basic primary authentication process (username + password). Two-factor authentication for remote access is a requirement for PCI DSS and best practice for strengthening access security with applications that process payment card data.
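The remote-access brute forcing described above (failed remote desktop logons followed by a success from the same address) is something POS operators can watch for in their own logs. The following is an added example, not part of the original article: it runs a simple detection over constructed, simplified Windows Security events, where 4625 is a failed logon, 4624 a successful one, and logon type 10 is a remote (RDP) logon; the IP addresses and account names are made up.

```python
"""Detect a burst of failed remote logons followed by a successful one.

Added example (not from the original article). The events below are
constructed, simplified Windows Security events: event 4625 is a failed
logon, 4624 a successful logon, and logon type 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2014-10-01T02:00:01", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-10-01T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2014-10-01T02:00:05", 4625, 10, "203.0.113.7", "pos"),
    ("2014-10-01T02:00:08", 4625, 10, "203.0.113.7", "posadmin"),
    ("2014-10-01T02:00:11", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-10-01T02:00:14", 4624, 10, "203.0.113.7", "Administrator"),
    ("2014-10-01T09:15:00", 4625, 10, "198.51.100.2", "cashier1"),  # one typo, then success
    ("2014-10-01T09:15:20", 4624, 10, "198.51.100.2", "cashier1"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that accumulates at least `threshold`
    failed remote logons within `window` and then logs on successfully."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625 events
    alerts = []
    for ts_str, event_id, logon_type, src, account in sorted(events):
        if logon_type != 10:        # only remote interactive (RDP) logons matter here
            continue
        ts = datetime.fromisoformat(ts_str)
        recent = failures[src]
        while recent and ts - recent[0] > window:   # forget failures outside the window
            recent.popleft()
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append({"source_ip": src, "account": account,
                           "failed_attempts": len(recent), "success_at": ts_str})
            recent.clear()          # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single legitimate mistyped password from the second address does not alert, while the burst of guesses ending in a successful Administrator logon does; real deployments would pull the same fields from the Security event log rather than a hard-coded list.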

To learn more about how to help navigate through some of the new risks in the retail industry, you can check out this free guide that provides an overview of the retail industry's current state of security and recommendations on safeguarding customer financial information.

About Thu Pham
Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo Security, Pham covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
