Silas Cutler: Sr. Security Researcher

The Shifting Landscape of PoS Malware

INTRO

2015 CrowdStrike, Inc. All rights reserved.

Current

•CrowdStrike - Sr. Security Researcher•Malshare•Project 25499•RIT Honeynet Project

Contact

•Twitter : @SilasCutler / @CrowdStrike•Email : Silas.Cutler@Gmail.com / Silas.Cutler@CrowdStrike.com

AGENDA

1. Technical Overview

2. Rise of the Commodity Brands

3. Targeted Breaches

4. Looking Forward

5. Questions

2015 CrowdStrike, Inc. All rights reserved.

The Shifting Landscape of PoS Malware

Introduction PoS Malware

2015 CrowdStrike, Inc. All rights reserved.

• Malware designed to steal credit card data from Point-of-Sale (PoS) terminals

• PoS Terminals • Out-of-date software• Limited technical support• Appliance mentality

• Plug it in and replace it when it breaks

2014 Breaches - Short List

2015 CrowdStrike, Inc. All rights reserved.

Sally Beauty MichaelsGoodwillDairy QueenUPSSuperValuHome DepotStaples

Neiman MarcusBebeKmartAlbertsonsJimmy JohnsP.F. ChangesShaw’s and Star Market…

Introduction PoS Malware

2015 CrowdStrike, Inc. All rights reserved.

• Cards sold in online marketplaces. • Often sold in bulk• Payment : Perfect Money / Bitcoin

Webmoney / etc• Cards:

• US Credit/Debit: $20/each• UK Credit/Debit: $35/each

• Bank Logins (BoA): • Balance > $3k = $100• Balance > $11k = $300

• Cash out schemes / Mules / Sellers and buyers

2015 CrowdStrike, Inc. All rights reserved.

Technical OverviewThe Shifting Landscape of PoS Malware

2015 CrowdStrike, Inc. All rights reserved.

MAGNETIC STRIPS

%B6011898748579348^DOE/ JOHN^37829821000123000789?

;6011898748579348=1412101110000000000?*

;011234567890123445=724724100000000000030300XXXX040400099010=******==1=0000000000000000?*

ISO / IEC 4909:2006 • Defines standard format for track

data on Credit Cards

2015 CrowdStrike, Inc. All rights reserved.

TRACK DATA

Track 1: %B6011898748579348^DOE/ JOHN^14121011000000000000001230000?*Track 2: ;6011898748579348=1412101110000000000?*

Index:• % – Start Sentinel• B – Format Code• 6011898748579348 – Card Number• ^ – Field Separator • DOE/ JOHN – Cardholder name• 1412 – Expiration Date (2014 – Dec)• 1100 – Encrypted Pin• 123 – CVV Number• ? – End Sentinel

MEMORY SCRAPING

2015 CrowdStrike, Inc. All rights reserved.

1. Enumerates Processes– CreateToolhelp32Snapshot() /

Process32Next()

2. Open and Read process memory– OpenProcess() / VirtualQueryEx() /

ReadProcessMemory()

3. Search for Track Data4. Validation

– Luhn Algorithm / Mod 10– Expiration Date Check

2015 CrowdStrike, Inc. All rights reserved.

Rise of the CommodityThe Shifting Landscape of PoS Malware

Commodity PoS Malware

2015 CrowdStrike, Inc. All rights reserved.

• Highlights• Off-the-shelf kits• Communicate via HTTP request• Price < $1k

• Source code for several publicly available

• Names:• Alina• Dexter• vSkimmer• Backoff• JackPoS• POSCardStealer

2013 CrowdStrike, Inc. All rights reserved.

ARCHITECTURE

Control Server

Infected hosts

•Traditional Client / Server architecture– Infected hosts beacon and send data

to control server – Replies from server contain status /

command instructions•Communicates over HTTP requests•Operator views bots via web portal

– Can send some basic commands

Spreading

2015 CrowdStrike, Inc. All rights reserved.

• Brute-forcing Remote Management• User/Password Lists tailored for PoS systems

• PcAnyWhere• VNC• Remote Desktop• LogMeIn

• Phishing• Vendor Targeting *• Exploitation of Opportunity

2015 CrowdStrike, Inc. All rights reserved.

Targeted BreachesThe Shifting Landscape of PoS Malware

What makes it targeted

2015 CrowdStrike, Inc. All rights reserved.

• [ Quality of Malware ] != Targeted

• Tailored options( Implants designed to work in one infrastructure)

• Only targets specific PoS terminal types• Logs to Internal IP addresses• Forensic countermeasures

• Limited client-side controls*

2014 Players

2015 CrowdStrike, Inc. All rights reserved.

• FrameWork PoS• Called BlackPoS 2.0 by Trend Micro• Limited Distribution• Exfiltration done using SMB shared drives

• Hard coded credentials • Contains links to Anti-US websites

• Mozart PoS• Limited Distribution• Specifically designed to work against Java based PoS solutions • Designed to look like a PoS remote monitor service from NCR• Contains links to Anti-US websites

Case Study: Target

2015 CrowdStrike, Inc. All rights reserved.

• Initial statement released 19 December 2013

• 40 Million Credit Cards stolen• PII for up to 70 Million individuals• Statement stated “criminals forced

their way into our system, gaining access to guest credit and debit card information”

• Largest hack of a US retailer’s PoS infrastructure

Case Study: Target

2015 CrowdStrike, Inc. All rights reserved.

• PoS infrastructure was directly targeted• Malware used was Kaptoxa (mmon) • Part of BlackPoS malware

• Traces back to 2010

• Data pushed stolen data to an internal drop-site• Used credentials to authenticate to internal SMB file store• leveraged stolen HVAC credentials

• Internal Drop-sites exfiltrated data to external FTP server

• Adversary may have known sensitive details about Target’s infrastructure

2015 CrowdStrike, Inc. All rights reserved.

Looking ForwardThe Shifting Landscape of PoS Malware

Looking Forward

2015 CrowdStrike, Inc. All rights reserved.

• October 2015 Liability Shift• “ The party that has made investment in EMV deployment is protected from

financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today.” [1]

• Tokenization of Payment Methods• iPay• Google Wallet

[1]http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/

2015 CrowdStrike, Inc. All rights reserved.

QUESTIONSThe Shifting Landscape of PoS Malware

YOU DON’T HAVE A MALWARE PROBLEM,YOU HAVE AN ADVERSARY PROBLEM

2015 CrowdStrike, Inc. All rights reserved.