By now, hopefully, the C-suite here knows enough to stop saying this country is so insignificant businesses won’t be victims of an online attack.
However, its infrastructure can still be leveraged in other ways. According to U.S.-based Kroll Cyber Security, an attack group has been infecting point-of-sale machines around the world and using Canada as one of three stopping points for temporarily hiding stolen credit/debit card data.
Kroll researchers made the revelation at a presentation at the recent Kaspersky Lab security analyst summit.
Courtney Dayter, Kroll’s senior managing consultant, was one of the presenters. In an interview with ITWorldCanada.com on Thursday, she said the malware, a memory scraper dubbed PinkKite, was seen on “thousands of endpoints” across North America, Russia, Europe and Asia-Pacific. But she couldn’t say if it had been seen specifically on POS machines in Canada.
However, even if it was, it would only be effective if a user swiped a credit/debit card in an infected device. It has been known for years that the data from swiped cards goes into memory, where it is vulnerable to theft. The overwhelming majority of cards in Canada have chip-and-PIN security, so the card data is encrypted.
“Anything with chip and pin (PinkKite) is not effective with, as long as the point to point encryption is securely in place.”
Where this country was involved, along with the Netherlands and South Korea, was after the data was collected: servers outside the victim company were used as temporary relay points, or as Kroll calls them, clearing houses, for stolen data from several victims. Usually criminals forward stolen data straight to a command and control server. But the group behind PinkKite apparently tried to hide its tracks by first relaying data to servers within the retailers’ networks or in other countries, then manually emptying them.
If that was the goal, it backfired. Dayter said adding the extra steps made the attack “noisy” to investigators.
The initial infection of retailers is done by creating backdoors in their systems, Dayter said. After that the attackers move laterally through the network until POS devices are found.
She wouldn’t say exactly how the systems were initially infected, but did say that it could be stopped if administrators use secure passwords. Another way is to watch the network for suspicious activity and unapproved programs. In this particular campaign a telnet replacement from Microsoft called PsExec was used to remotely execute processes. “To see the PsExec service executing on a POS machine should throw up a red flag.”
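One way to turn Dayter's red flag into a check is to watch the Windows System log for service installations on POS hosts. The example below is added here and is not Kroll's or the article's code: it parses constructed, flattened Event ID 7045 ("A service was installed in the system") records, and alerts when the service being installed is PSEXESVC, the name PsExec gives its remote-execution service, on a host whose name follows an assumed POS-LANE-nn convention. The log format, host naming and sample lines are all assumptions for the demonstration.

```python
import re

# Constructed sample events (not from the article): one flattened Windows
# System-log record per line. Event ID 7045 is "A service was installed in
# the system"; PsExec installs its remote-execution service as PSEXESVC.
# Host names follow an assumed POS-LANE-nn convention for lane terminals.
SAMPLE_EVENTS = [
    "2018-03-15T10:02:11Z host=POS-LANE-03 event_id=7045 service_name=PSEXESVC "
    "image_path=%SystemRoot%\\PSEXESVC.exe account=LocalSystem",
    "2018-03-15T10:05:40Z host=ADMIN-WS-01 event_id=7045 service_name=PSEXESVC "
    "image_path=%SystemRoot%\\PSEXESVC.exe account=LocalSystem",
    "2018-03-15T10:07:02Z host=POS-LANE-07 event_id=7045 service_name=WinDefend "
    "image_path=C:\\Program Files\\Windows Defender\\MsMpEng.exe account=LocalSystem",
    "2018-03-15T10:09:55Z host=POS-LANE-11 event_id=7036 service_name=PSEXESVC "
    "state=running",
    "2018-03-15T10:12:30Z host=pos-lane-12 event_id=7045 service_name=psexesvc "
    "image_path=%SystemRoot%\\psexesvc.exe account=LocalSystem",
    "this line is not a well-formed event",
]

# Fields we need from each flattened record; anything after service_name is ignored.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<event_id>\d+) "
    r"service_name=(?P<service>\S+)"
)

# Assumed naming convention for point-of-sale hosts; adapt to your asset inventory.
POS_HOST_RE = re.compile(r"^POS-LANE-\d+$", re.IGNORECASE)

SERVICE_INSTALLED = 7045
PSEXEC_SERVICE = "PSEXESVC"


def parse_event(line):
    """Return a dict with ts, host, event_id (int) and service, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    return ev


def find_psexec_on_pos(lines, pos_host_re=POS_HOST_RE):
    """Return (timestamp, host) for every PSEXESVC installation on a POS host.

    Only Event ID 7045 counts: that is the moment the service is written onto
    the terminal. Installations on non-POS hosts (admin workstations) are
    skipped here, since PsExec may be legitimate there, but would usually
    deserve their own lower-severity rule.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_id"] != SERVICE_INSTALLED:
            continue
        if ev["service"].upper() != PSEXEC_SERVICE:
            continue
        if not pos_host_re.match(ev["host"]):
            continue
        alerts.append((ev["ts"], ev["host"]))
    return alerts


if __name__ == "__main__":
    for ts, host in find_psexec_on_pos(SAMPLE_EVENTS):
        print(f"ALERT {ts}: PsExec service installed on POS host {host}")
```

The rule deliberately keys on the service-installation event rather than on the later "entered the running state" event (7036 in the sample), because the installation is the earliest and least ambiguous signal; matching the service name case-insensitively avoids missing the lower-case variant that some log pipelines produce.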
PinkKite is one of a distinctive family of POS malware which is less than 6K in size, like other small POS malware families such as TinyPOS and AbaddonPOS. “6K is around the smallest for POS malware that I’ve seen with such sophisticated capabilities,” Dayter said. PinkKite also uses hard-coded double-XOR encryption on the credit card numbers to hide its tracks.
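The hard-coded double-XOR the article mentions is obfuscation rather than encryption, and the example below (added here, not PinkKite's code, with short example keys and a constructed track-2-style record built from a well-known test card number) shows why from an analyst's side: two repeating-key XOR passes collapse to a single repeating key whose period is the least common multiple of the two key lengths, and one period of known plaintext, such as the digits an analyst expects at the start of a card record, recovers that combined key from a captured buffer.

```python
from math import lcm

# Assumed example keys, chosen short so the arithmetic is easy to follow.
# They are not PinkKite's keys; the article gives no key material.
KEY1 = b"\x5a\x3c"
KEY2 = b"\x17\xe2\x90"

# Constructed sample record (track-2 style) using a well-known test card
# number, not real cardholder data.
SAMPLE_TRACK = b"4111111111111111=25121011234567890000"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor(data: bytes, k1: bytes = KEY1, k2: bytes = KEY2) -> bytes:
    """Two XOR passes with two hard-coded keys, the shape of obfuscation described."""
    return xor_bytes(xor_bytes(data, k1), k2)


def combined_key(k1: bytes, k2: bytes) -> bytes:
    """The single repeating key equivalent to XOR-ing with k1 and then k2.

    Byte i of the combined key is k1[i % len(k1)] ^ k2[i % len(k2)], and the
    pattern repeats every lcm(len(k1), len(k2)) bytes.
    """
    period = lcm(len(k1), len(k2))
    return bytes(k1[i % len(k1)] ^ k2[i % len(k2)] for i in range(period))


def recover_key(ciphertext: bytes, known_prefix: bytes, period: int) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    With at least `period` bytes of known plaintext at the start of the
    buffer, the key is simply ciphertext XOR plaintext over those bytes.
    """
    if len(known_prefix) < period or len(ciphertext) < period:
        raise ValueError("need at least one full key period of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:period], known_prefix[:period]))


def decode(ciphertext: bytes, key: bytes) -> bytes:
    """Undo the obfuscation with a (recovered or known) repeating key."""
    return xor_bytes(ciphertext, key)


if __name__ == "__main__":
    ct = double_xor(SAMPLE_TRACK)
    period = lcm(len(KEY1), len(KEY2))
    # An analyst who knows only that the record starts with this BIN prefix
    # can recover the whole combined key and decode the rest of the buffer.
    k = recover_key(ct, SAMPLE_TRACK[:period], period)
    print("combined key:", k.hex())
    print("decoded     :", decode(ct, k))
```

The practical consequence for incident responders is that a captured relay-server buffer obfuscated this way can be read back without the sample's key constants, as long as a few bytes of the underlying card format are predictable.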
There are also several versions: some had a blacklist of processes to exclude and a whitelist of processes to include.
Even though it has been exposed, Dayter believes PinkKite or variations of it will keep coming, because its small size makes it easy to move across corporate networks and to obfuscate.