The Green Sheet

Thursday, June 18, 2015

New generation of malware hiding deep within the POS

Upscale food emporium Eataly disclosed a security data breach in May 2015 that involved its retail marketplace POS system in New York City. None of the adjacent seven restaurants that occupy the building were affected, the Italian retailer stated.

Subsequent forensic analysis uncovered a sophisticated form of malware that had been operating undetected from Jan. 16 to April 2. Eataly notified consumers potentially affected and offered complimentary fraud and identity protection services. A notice on the company's website stated, "The malware has been rendered inoperable and additional security measures have been put in place to further secure the impacted point-of-sale and network systems. As of now, the incident has been contained and customers can safely use their payment cards throughout our stores, including at the Eataly NYC Retail Marketplace."

Mark Wayne, Executive Vice President, Business Development at Detroit-based ANXeBusiness, stated that antiquated credit card processing systems are mostly to blame for an increasing number of security data breaches in the retail and hospitality communities.

ANXeBusiness said it detects malware in about 8 percent of new clients' operating systems during initial inspection of their cardholder data environments. These clients are not aware that malicious software has been operating, in some cases, for as long as 269 days, which is the average length of time for malware to survive incognito from its initial installation to its ultimate detection. "A majority of these systems have an encryption gap that enables criminals to get in and collect cardholder data," Wayne said.

Resistant malware strains emerging

Wayne and other security analysts warn that virulent new strains of malware such as Punkey and MalumPOS are difficult to detect due to their ability to seamlessly integrate within their targeted host processing systems. Wayne described the majority of recently detected malware schemes as "fine-tuned and sophisticated."

The FBI recently reported that Punkey malware has been detected in a high-profile restaurant chain but it has not released details on the incident. Punkey, named after Punky Brewster, a 1980s television sitcom, utilizes RAM-scraping and encryption tools that make it difficult to detect. The malware is believed to be a variant of NewPOSthings, malicious code initially discovered in September 2014 by Burlington, Mass.-based Arbor Networks.

An internal FBI bulletin issued June 8, 2015, stated, "Cybercriminals continue to deploy point-of-sale (PoS) malware due to the number of targets connected to the Internet and large potential profits." As an example, it cited a hospitality chain, which it did not identify, that had been attacked recently by cyber actors. The report also noted a marked increase in cases of malware used to infiltrate restaurants, casinos, hotels and resorts "to extract credit card information and quickly monetize it within cybercriminal forums."

Trend Micro reported on June 5 that it had identified MalumPOS, a "new attack tool that threat actors can reconfigure to breach any POS system they wish to target." The RAM-scraping malware collects data from integrated POS systems such as Radiant and NCR Counterpoint that use Oracle's Micros platform.

Approximately 330,000 restaurants use the Micros operating system worldwide, according to Oracle. A majority of those users are based in the United States. These U.S. merchants are susceptible to a MalumPOS attack, particularly due to the malware's ability to replicate native environments of targeted retail and hospitality host systems.

Updated technologies, strategies needed

Government and security analysts recommend a multilayered, interdisciplinary approach to managing security. "It's important to note that there is no silver bullet for creating a secure environment," Wayne said. "Point-to-point encryption, end-to-end encryption, tokenization and Europay MasterCard Visa (EMV) comprise a layered approach to security in which people, process and technology work in harmony, using best practice and continued vigilance."

The FBI advocates community-level teams that support the broader efforts of the Comprehensive National Cybersecurity Initiative formed in 2008. The bureau has established 56 field offices exclusively focused on cybersecurity to further support local efforts at fighting cyber crime. Cyber Task Forces in these offices provide the following services. They:

  • Respond to cyber incidents and conduct victim-based investigations
  • Understand and address the threats, vulnerabilities, and collection opportunities that exist
  • Maintain relationships and information sharing with key companies and institutions


    Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
