The U.S. Department of Homeland Security (DHS) has issued a warning to retailers. DHS reports that cybercriminals are using remote desktop software to open up retailers’ networks to point-of-sale malware attacks. Point of Sale (POS) systems have been at the heart of many of the recent data breaches. Retailers impacted include Target, Jimmy John’s. P.F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and Goodwill Industries International the New York Times reported.
Research conducted by the DHS, the Secret Service, the National Cybersecurity and Communications Integration Center, and security firm Trustwave SpiderLab. have following the attacks. During the attacks, Cybercriminals are scanning corporate systems for remote desktop software. The attackers are looking for Microsoft (MSFT) Remote Desktop, Apple (AAPL) Remote Desktop, Google (GOOG) Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn’s join.me.
Install malware
After finding an exposed system, attackers launch brute force attacks on the login feature. FireceIT Security reports that once the attackers gain network access, they deploy Backoff POS malware. steal customer payment data and hide the theft using encryption. An alert was issued by US-CERT on 07-31-2014 that explained how the malware gets installed.
At the time of discovery and analysis, the [Backoff] malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious
US-CERT has informed anti-virus vendors of the threat from Backoff malware and they will be updating their software to detect and block the malware. The malware can scrape memory for track data, log keystrokes, engage in command and control communication, and inject a malicious stub into explorer.exe that ensures “persistence in the event the malicious executable crashes or is forcefully stopped.”
The article concludes, “The impact of a compromised POS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts.
rb-
If mega-firms like Target can be breached, what chance do small mom-and-pop POS firms in schools, food trucks, kiosks at the airport stand? I say not much. I have worked with several POS vendors and it seems they barely understand their own product, let alone SSL certs, VPNs.
Here are some tips from Verizon’s 2012 research into security breaches affecting companies that use POS systems to process customer payments. Make sure your POS vendor does the following:
1. Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords).
2. Implement a firewall or access control list on remote access /administration services. (If hackers can’t reach your systems, they can’t easily steal from it).
3. Avoid using POS systems to browse the web (or anything else on the Internet).
4. Make sure your POS is a PCI DSS compliant application (ask your vendor)
5. Use password management software like LastPass to generate secure passwords. (LastPass allows you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you).
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.