A new report on point-of-sale malware presents the most detailed examination of the malicious code behind high-profile attacks against US retailers to date.
Cyphort Labs’ in-depth look focuses on Target, Home Depot and UPS breaches and involved an analysis of BlackPOS, FrameworkPOS and Backoff malware samples. The researchers concluded that the attackers had acquired a good understanding of their targets, and that defences need fundamental rethink.
Backoff is the most advanced malware strain of the trio, not only because it's designed to attack a broad spectrum of point-of-sale (PoS) systems, but it also has slippery evasion features that make it harder to detect.
FrameworkPOS and BlackPOS, by contrast, resemble off-the-shelf software, tailored specifically for dedicated targets. Backoff, BlackPOS and FrameworkPOS are associated with the security breaches against UPS, Target, and Home Depot, respectively.
Cyphort concludes that the attackers behind the Target and Home Depot moves already had a good idea of the target network they were attacking before bringing PoS into play, a finding supported by conclusions from other researchers that the two retailers were hit through attacks that began against third-party suppliers.
An estimated 56m bank cards were swiped as the result of malware on its tills, Home Depot has admitted. The earlier Target breach resulted in the exposure of 40m credit and debit cards. Both breaches also resulted in the leak of personal information of millions of shoppers.
The POS malware strains analysed by Cyphort have also been used in attacks against other retailers, including Dairy Queen and Neiman Marcus. Cyphort Labs hopes its analysis will put security defenders in a better position to defend against possible follow-up attacks.
"The Target, Home Depot and UPS breaches made headlines because of the size and scope of proprietary information stolen, but also because these companies are household names," said Dr Fengmin Gong, Cyphort’s co-founder and chief architect.
"[We] hope the findings will benefit security professionals and researchers so they can better understand specific patterns of behaviour being carried out in these attacks," he added.
Cybercriminals are targeting retailer because that's "where the money is" Cyphort concludes, referencing and updating a comment by legendary 1930s bank robber Willie Sutton. Security defences need to undergo a fundamental rethink to stay relevant in the wake of not just the mega-breaches against US retailers but other security snafu over the last 18 months, according to Gong.
"The IT community, the security practitioners, and the product vendors as a whole, are going through a significant transition from a 'vulnerability/exploit centric approach' to a 'business impact/consequence centric approach'," Dr. Gong told El Reg. "This transition comes at the sacrifice many breached businesses."
"While the inadequacy of traditional security products is well publicised, the lack of appreciation of this transition from IT perspectives and the lack of practical training on how to implement effective defence against the modern threats are not widely understood. We are at a point where the awareness on cybersecurity is no longer a significant roadblock, but the lack of practical how-to still is," he concluded.
To help retailers and security professionals, Cyphort Labs recommends seven steps to implement an effective cybersecurity defence against modern POS threats that begins with a risk assessment designed to formulate security policies to limit exposure to possible follow-up attacks.
Cyphort's full POS Malware report is available here (32 pages, registration required). ®