Two new families of point-of-sale exploits have been discovered, adding to the heartache of security pros who work at organizations that collect a lot of credit card information.
One has been dubbed LogPOS by Morphick Inc., an Ohio maker of email, network and incident response solutions. The other, a RAM scraper found by Trend Micro, has been called PwnPOS.
“PwnPOS is one of those perfect examples of malware that’s able to fly under the radar all these years due to its simple but thoughtful construction; albeit not being future proof,” writes Trend Micro threat analyst Jay Yaneza. “Technically, there are two components of PwnPOS: 1) the RAM scraper binary, and 2) the binary responsible for data exfiltration. While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors. The RAM scraper goes through a process’ memory and dumps the data to the file and the binary uses SMTP for data exfiltration.”
Trend Micro has seen PwnPOS operating with other PoS malware like BlackPOS and Alina, among small-to-medium businesses in North America, Japan, Australia, Germany and Romania running 32-bit versions of either Windows XP or Windows 7.
The vendor says application whitelisting is one of the key defences against PoS malware.
LogPOS uses mailslots, an IPC mechanism that allows multiple clients to send messages to a single server. According to Morphick, in most POS variants one process scrapes memory from other processes and writes the discovered track data to a log. Because LogPOS injects code into various processes and has each of them search its own memory, it can’t use a log, since those processes can’t all open the same file with write access at once. Instead, it uses mailslots.
The main executable creates the mailslot and acts as the mailslot server, while the code injected into the various processes acts as a client, writing carved credit card numbers to the mailslot for direct transmission to the attacker.
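As an added example (not code from Morphick’s write-up or from this article), here is a defender-side heuristic for the fan-in shape just described: assuming process telemetry that records who creates a mailslot and who opens it for writing (a constructed schema, since the article names no sensor), flag any mailslot written to by several unrelated processes.

```python
"""Flag the LogPOS-style mailslot pattern: one process creates a mailslot
(server) and several other processes open it as clients and write to it.
The event schema and sample data below are constructed assumptions, not a
real sensor's output."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MailslotEvent:
    pid: int
    image: str
    action: str   # "create" (server side) or "open_write" (client side)
    slot: str     # mailslot path, e.g. \\.\mailslot\<name>


# Constructed sample telemetry: an unknown binary creates a slot that three
# unrelated processes then write into; a single-process slot is also present.
SAMPLE_EVENTS = [
    MailslotEvent(4120, r"C:\Users\pos\AppData\Roaming\svc.exe", "create", r"\\.\mailslot\sample1"),
    MailslotEvent(1880, r"C:\POS\register.exe", "open_write", r"\\.\mailslot\sample1"),
    MailslotEvent(2044, r"C:\Windows\explorer.exe", "open_write", r"\\.\mailslot\sample1"),
    MailslotEvent(2310, r"C:\POS\payment.exe", "open_write", r"\\.\mailslot\sample1"),
    MailslotEvent(900, r"C:\Windows\System32\spoolsv.exe", "create", r"\\.\mailslot\sample2"),
    MailslotEvent(1200, r"C:\Windows\System32\spoolsv.exe", "open_write", r"\\.\mailslot\sample2"),
]


def find_fan_in_mailslots(events, min_clients=2):
    """Return {slot: (server_image, [client_images])} for every mailslot whose
    writers span at least `min_clients` distinct process images other than
    the server's own. Many unrelated writers into one slot is the fan-in
    shape produced by injected clients; ordinary single-application IPC
    does not look like this."""
    servers = {}
    clients = defaultdict(set)
    for ev in events:
        if ev.action == "create":
            servers[ev.slot] = ev.image
        elif ev.action == "open_write":
            clients[ev.slot].add(ev.image)
    hits = {}
    for slot, server in servers.items():
        writers = sorted(img for img in clients[slot] if img != server)
        if len(writers) >= min_clients:
            hits[slot] = (server, writers)
    return hits
```

Raising `min_clients` trades sensitivity for fewer false positives on hosts where a legitimate service fans in from a couple of helper processes.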
Malware using POS exploits is increasing, and for obvious reasons — hit the right retailer and an attacker can get millions of credit card numbers. It is no wonder, then, that Morphick notes one security vendor recently reported more new POS variants discovered in the last six months than in the last several years.
“Despite the ongoing efforts to curb POS malware from being successful,” says Morphick, “this seems to be an area where there is no slowing down.”