Monday, February 8, 2016
The malicious code, engineered to steal track data from mag stripe payment cards, had been active between May 2014 and March 2015 and between May and December 2015, the company stated.
Payment and security analysts noted that cybercriminals have been stepping up attacks on the hospitality industry; many are urging merchants and acquirers to improve network monitoring and address potential vulnerabilities in the hotel and restaurant sector. Cory Miller, Director of Security Operations for Atlanta-based ControlScan Inc., noted that many hospitality merchants use multiple POS vendors, making it challenging to achieve network standardization.
The practice of using multiple vendors is "frequently coupled with ineffective system hardening standards and permissive firewall rules at the perimeter," Miller stated. "It was not until recently that POS environments were beginning to be designed with security in mind." He further noted that it is not uncommon to see legacy POS deployment guides that instruct the installer to open ports through a firewall, with no specified destination.
In addition to cooperating with law enforcement and payment card networks throughout the ongoing investigation, Landry's has taken steps to implement enhanced security measures, including end-to-end encryption, the company stated. Additionally, company representatives will notify customers whose cards were used at affected locations during known "at-risk windows."
The company further advised potentially affected customers to "remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity" and report unauthorized charges to card issuers in a timely manner.
While the exact source of the malware has not yet been identified, some analysts speculate that it may be a form of Black POS or BackOff, which involves strains of malicious code that attack Windows operating systems and are associated with as many as 600 POS data security breaches dating back to 2014.
Karl Sigler, Threat Intelligence Manager at Trustwave, said that BackOff malware places a Java file on POS systems that is designed to steal credit card information and routinely send out batches of stolen data to a remote command and control server. Trustwave initially reported BackOff to the U.S. Government's Secret Service Agency when it was first detected in 2013; the company has identified three prevalent strains of the virus, described as versions 1.4, 1.55 and 1.56, that remain active in retail and hospitality sectors. A good firewall is the most effective deterrent to BackOff and Black POS malwares, Sigler said.
BackOff has been further analyzed by the U.S. Computer Emergency Readiness Team (US-CERT), the National Cybersecurity and Communications Integration Center (NCCIS) and the Financial Sector Information Sharing and Analysis Center. The agencies found that BackOff uses a robust central management system that can automatically update all infected POS systems as soon as new versions of malware are released.
US-CERT issued an advisory July 21, 2014, for businesses that use remote desktop applications, warning of known vulnerabilities in Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn. Suspects have attempted to use brute force to enter these applications and deploy POS malware, the agency stated. Once in, the malware family can make itself at home within a POS system, scraping memory for track data, logging user keystrokes, using command and control communications and routinely updating malicious executable files.
US-CERT recommends increased vigilance in monitoring remote desktop environments, network security infrastructure, and cash register and POS devices to ensure that only allowed ports, services and Internet protocol addresses are communicating with a merchant's network. The agency further recommends using Europay, MasterCard and Visa PIN entry devices or other credit-only accepting devices that have Secure Reading and Exchange of Data (SRED) capabilities. A full list of SRED-approved devices can be found at the PCI Security Standards Council's website, www.pcisecuritystandards.org.
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
