As the convention season hits its stride and tens of thousands of technology and business professionals are poised to fly into cities like Las Vegas, Orlando, New York and Toronto, it might be useful to know that a new version of a malware that targets point-of-sale (POS) systems has likely checked in at your hotel as well.
The security software company Trend Micro is warning that RawPOS, a variant of memory-scraping POS malware that dates back to 2008, has been victimizing guests in casinos, resorts and hotels in the last few weeks in Canada, the United States, Europe, the Middle East and Latin America.
An earlier security alert from credit card company Visa said that the malware is “typically clustered in three files” and that there is no standard infection method for it.
“Once a vulnerable POS system is identified, various components of the malware are used to discover track data by only targeting the ‘memdump’ portion of a Windows system,” the alert said. “A memory dump can be the contents of memory on a system and where cardholder data temporarily resides during a payment transaction.”
There is also no common method of exfiltration associated with the malware. However, Visa said, “infected merchants observed payment card data sitting on non-POS systems, suggesting attackers stage the stolen data elsewhere on the network prior to exfiltration.”
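The reason the scraper targets memory rather than disk is that the magnetic-stripe track data sits in the POS process as plain ASCII between the card swipe and encryption for transmission. The script below is an added illustration, not code from the article, Visa or Trend Micro: it scans a byte buffer for Track 1 and Track 2 records and keeps only those whose PAN passes the Luhn check, which is both what a scraper's memdump component is looking for and what an incident responder can run over the staged files Visa describes finding on non-POS systems. The regular expressions, the PAN length range and the sample "memory dump" are assumptions constructed for the example.

```powershell
# Added example (not from the article, Visa or Trend Micro): locate payment card
# track data in a memory dump or a staged file, the way a memory scraper or an
# IR triage script would. Patterns and the sample buffer are assumptions.

function Test-LuhnChecksum {
    param([Parameter(Mandatory)][string]$Digits)
    # Standard Luhn mod-10 check that every payment card PAN satisfies;
    # it filters out long digit runs (timestamps, serials) that merely look like PANs.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Hide-Pan {
    param([Parameter(Mandatory)][string]$Pan)
    # Mask all but the last four digits so the triage output is not itself cardholder data.
    return ('*' * ($Pan.Length - 4)) + $Pan.Substring($Pan.Length - 4)
}

function Find-TrackData {
    param([Parameter(Mandatory)][byte[]]$Buffer)
    # Track data is ASCII; non-ASCII bytes decode to '?' which simply terminates a candidate.
    $text = [System.Text.Encoding]::ASCII.GetString($Buffer)
    $results = New-Object System.Collections.Generic.List[object]

    # Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
    foreach ($m in [regex]::Matches($text, '%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})[^?]{0,60}\?')) {
        if (Test-LuhnChecksum $m.Groups[1].Value) {
            $results.Add([pscustomobject]@{
                Track  = 1
                Offset = $m.Index
                PAN    = Hide-Pan $m.Groups[1].Value
                Expiry = '{0}/{1}' -f $m.Groups[4].Value, $m.Groups[3].Value
                Name   = $m.Groups[2].Value
            })
        }
    }
    # Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
    foreach ($m in [regex]::Matches($text, ';(\d{13,19})=(\d{2})(\d{2})[^?]{0,30}\?')) {
        if (Test-LuhnChecksum $m.Groups[1].Value) {
            $results.Add([pscustomobject]@{
                Track  = 2
                Offset = $m.Index
                PAN    = Hide-Pan $m.Groups[1].Value
                Expiry = '{0}/{1}' -f $m.Groups[3].Value, $m.Groups[2].Value
                Name   = ''
            })
        }
    }
    return $results
}

# Constructed sample "memory dump": one Track 1 and one Track 2 record surrounded by
# unrelated bytes, plus a decoy whose PAN fails Luhn. 4111111111111111 is a widely used
# test PAN that passes the check; 4111111111111112 does not and must be ignored.
$sample = [System.Text.Encoding]::ASCII.GetBytes(
    'CONFIG=1;%B4111111111111111^DOE/JOHN^25121011234567890?junk;4111111111111111=25121011234567890?;4111111111111112=2512101?end')

Find-TrackData -Buffer $sample | Format-Table -AutoSize
```

Run against a real process dump (for example a `.dmp` read with `[System.IO.File]::ReadAllBytes`) the same function produces the list of offsets and masked PANs; two hits are expected from the constructed sample and the decoy record is dropped by the Luhn filter. A real scraper does the same search but keeps the full PAN, which is why the masking step matters on the defender's side.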
Trend Micro said RawPOS has a modular, highly configurable design and has always been a multi-stage scraper. Here are several key characteristics of its design:
- The multi-stage or multi-component strategy ensures a high success rate in the chosen environment while making prevention and detection harder, regardless of the type of security solution deployed
- The threat is still successfully victimizing businesses, and the threat actors behind it are very familiar with how networks within small-to-medium business segments are designed
- It is fault-tolerant, persistent and very specific – incident responders and threat investigators may chance upon a specific file that has only been deployed for that specific business
Visa recommends the following steps to mitigate risks:
- Control the Windows Administrator account. Make it more difficult for malware to gain administrative privileges
- Assign a strong password for all accounts on the POS system
- Create a unique local administrator password for each and every POS system
- Do not allow users to be local administrators on a POS system
- Change passwords frequently, across the enterprise (at least every 90 days)
- Ensure the POS system functions as a single-purpose machine. To reduce the risk of malicious software infections, disallow all applications and services (e.g. web browsers, email clients) that are not directly required as part of the POS’s core functionality in processing payments
- Keep operating system patch levels up to date. For Windows, this means ensuring Windows update is functioning and automatically applying monthly security patches. For non-supported operating systems like Windows XP, there should be a plan to migrate to a current operating system
- Restrict permissions on Windows file sharing or disable file sharing altogether. Unless absolutely necessary, Visa recommends disabling file sharing on POS systems. Microsoft has published instructions on how to disable simple file sharing and set permissions on shared folders
- Restrict the use of remote access services. Unless necessary, disable remote access services, ports, and accounts. If remote access services are needed, enable them only when needed
- Promote security awareness. Design anti-phishing programs, defense in depth strategies, and promote shared responsibility in security awareness
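Most of Visa's items can be verified from the POS host itself. The script below is an added example, not Visa's or the article's own tooling: a read-only audit that reports pass/fail for the checkable items (administrator control, password age, file sharing, remote access, patching, single-purpose configuration). It assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 5.1, the LocalAccounts and SmbShare modules, an English locale for parsing `net accounts`, and an elevated prompt; the "supported OS" threshold and the list of browser and mail client names are assumptions. On Windows XP or POSReady hosts these cmdlets do not exist, which is itself a finding under the unsupported-OS item.

```powershell
# Added example (not Visa's or the article's own tooling): audit one Windows POS host
# against the checkable items on Visa's list. Assumes PowerShell 5.1 on Windows 8.1+,
# run elevated, English locale. Thresholds and application names are assumptions.

function New-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

function Get-PosHardeningFindings {
    $f = New-Object System.Collections.Generic.List[object]

    # 1. Administrator control: built-in Administrator (RID 500) disabled, no other local admins.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $f.Add((New-Finding 'Built-in Administrator disabled' (-not $builtin.Enabled) $builtin.Name))
    $extra = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.SID.Value -notlike '*-500' }
    $f.Add((New-Finding 'No additional local administrators' ($extra.Count -eq 0) (($extra.Name) -join ', ')))

    # 2. Password rotation: maximum password age from local policy (Visa: at least every 90 days).
    $maxAge = (net accounts | Select-String 'Maximum password age \(days\):\s+(\S+)').Matches[0].Groups[1].Value
    $ageOk = ($maxAge -ne 'Unlimited') -and ([int]$maxAge -le 90)
    $f.Add((New-Finding 'Maximum password age <= 90 days' $ageOk "max age: $maxAge"))

    # 3. File sharing: Server service stopped, or at least no shares beyond the administrative ones.
    $shares = Get-SmbShare | Where-Object { $_.Name -notin 'IPC$', 'ADMIN$' -and $_.Name -notmatch '^[A-Z]\$$' }
    $serverOff = (Get-Service -Name LanmanServer).Status -ne 'Running'
    $f.Add((New-Finding 'No non-administrative file shares' ($serverOff -or $shares.Count -eq 0) (($shares.Name) -join ', ')))

    # 4. Remote access: RDP denied in the registry and common remote-access services not running.
    $rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    $f.Add((New-Finding 'Remote Desktop disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"))
    $remote = Get-Service -Name TermService, RemoteRegistry, WinRM, RemoteAccess -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' }
    $f.Add((New-Finding 'Remote access services stopped' ($remote.Count -eq 0) (($remote.Name) -join ', ')))

    # 5. Patching: Windows Update service enabled and the OS still in support. The version
    #    threshold is an assumption (XP/2003 report 5.x); move it as later releases reach end of life.
    $wu = Get-Service -Name wuauserv
    $f.Add((New-Finding 'Windows Update service not disabled' ($wu.StartType -ne 'Disabled') "start type: $($wu.StartType)"))
    $osVer = [version](Get-CimInstance Win32_OperatingSystem).Version
    $f.Add((New-Finding 'Supported OS version' ($osVer.Major -ge 6) "version: $osVer"))

    # 6. Single-purpose machine: browsers and mail clients registered under Add/Remove Programs.
    $apps = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Chrome|Firefox|Opera|Outlook|Thunderbird' }
    $f.Add((New-Finding 'No browser or mail client installed' ($apps.Count -eq 0) (($apps.DisplayName) -join ', ')))

    return $f
}

Get-PosHardeningFindings | Format-Table -AutoSize
```

The script only reads state; remediation (disabling the Server service, setting `fDenyTSConnections`, removing users from Administrators) is deliberately left to change control, because a POS terminal that loses its remote management path mid-shift is an operational incident of its own. Items Visa lists that cannot be checked on the host, such as unique per-terminal administrator passwords and awareness programs, need a fleet-wide check (for example a LAPS deployment) rather than a local script.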
RawPOS is notable for its support for multiple POS software packages, according to Trend Micro. Since different businesses run different POS software, attackers have modified RawPOS’s code over time to support several of them.
Below is a table showing the different POS software supported by RawPOS: