Stealing payment card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored on the magnetic stripe of payment cards, clone the cards, and run charges on the accounts associated with them or even burn credit card track information into fake physical cards to siphon victim’s account through ATM systems.
New techniques such as Point of Sales infection with memory scraping malware samples have become common nowadays in order to reduce attackers’ physical exposure and criminals are now directly targeting the businesses that process credit cards. But, how do they manage to get into so many Point of Sales (PoS) machines and infect them?
As some of you may expect, there is no magic behind the infections, and, according to our investigations, there are two major techniques used by the credit card hunters, which are: Default Password Bruteforcing and Remote Vulnerability Exploitation.
1- Default Password Bruteforcing
As stated in a previous blog post where we showed how cybercriminals were trying to infect PoS devices with Dexter malware, they were using default passwords to log in to targeted Point of Sales systems (or its internal networks) in order to compromise and infect them with a malware sample to scrap the memory with card regex. They basically had a large list with the default and weak passwords used by the main vendors of PoS systems and tried to log in to every system reusing those credentials.
Since this is one of the basic protections to take into account in order to prevent attacks into a network, it seems an unbelievable scenario, but it’s actually true.
The modus operandi in this case is so obvious:
- Gather IP address
- Try to login using default credentials
- Once logged, download and install the malicious software
2- Remote Vulnerability Exploitation
On the other hand, we have the Remote Vulnerability approach. We have seen some active gangs using this technique to infect Point of Sales systems, instead of brute forcing default credentials, they use a Remote Code Execution Vulnerability (RCE) in order to download and execute the desired malware. Let’s say that these guys were widely exploiting vulnerability CVE-2007-5243.
Yes, it’s from 2007 and 8 years old, but it still works, the affected software is:
Borland InterBase WI-V184.108.40.2067
Borland InterBase WI-V220.127.116.11
Borland InterBase WI-V18.104.22.168 WI-V22.214.171.124
Borland InterBase WI-V126.96.36.199
Borland InterBase WI-V188.8.131.52
Borland InterBase WI-V184.108.40.206
Borland InterBase WI-V220.127.116.117 WI-V18.104.22.168 WI-O22.214.171.124 WI-O126.96.36.199
Borland InterBase WI-V188.8.131.522
Borland InterBase WI-V184.108.40.2060
This database system is widely used in some Point of Sales software.
In order to exploit and infect the maximum amount of systems, the gang basically gathers a list of IP addresses from Service Providers related to Point of Sales systems and scans them in order to find vulnerable versions of Borland InterBase. Once found, they just execute an exploit for the desired vulnerability, in this case, this exploit is also included in the Metasploit Framework:
The modus operandi is more or less the same as the one described above:
- Gather IP address.
- Scan for vulnerable InterBase version.
- Exploit the vulnerability to upload and execute the malicious PoS binary.
Keep in mind that this approach may be used with other software as well, this is just one of the cases found in the wild.
How to Prevent PoS Attacks and compromise
There are no new revolutionary actions to take in order to prevent this kind of intrusions, basically, only two actions need to be performed:
- Change default password:
In order to prevent being infected by Default Password cracking, a new custom password should be set in the system.
Just be careful and don’t use default passwords from other systems or platforms.
- Maintain all the software up-to-date:
To prevent old vulnerabilities, like the one stated above – it’s from 2007, 8 years old – an upgrade policy should be applied into the company.
In addition, there are more complex security measures to implement in order to help enhance the security of today’s PoS systems:
- Fine-tune your firewall rules:
Control in-bound and out-bound Internet communications within PoS networks in order to allow only the desired traffic. It is important to reduce PoS attack surface in order not to expose weak services reachable through the Internet.
- Monitor your network:
Monitor and deploy early warnings when suspicious activity is performed from these kinds of systems.
We hope that this post and suggestions will help you to understand and prevent PoS malware in your systems.
Cyber Threat Analyst