Numaan Huq Trend Micro
The Latest Research on PoS Malware
#RSAC @RSAConference #RSAC @RSAConference
© 2014 EMC Corporation. All rights reserved. 2
Who am I?
• Senior Threat Researcher
• Trend Micro’s Forward-Looking Threat Research Team
• I have been passionately researching PoS RAM Scrapers since early 2011
Agenda
• Introduction
• PoS RAM Scrapers
• Infect, Scrape, & Exfiltrate
• The Carding Underground
• Defending against PoS RAM Scrapers
• New Credit Card Technologies
Introduction
What is Credit Card crime?
• The goal is to steal the data stored in the magnetic stripe of the credit card – Tracks 1 & 2 data
• Clone the card and run charges
• Criminals have typically stolen the card data by physically skimming the cards: rubs, rigged ATMs and gas pumps, modified PoS terminals, etc.
What is PoS RAM Scraping?
• Software solution for stealing credit card data
• After the merchant swipes the card, the data on the card temporarily resides in plain text in the PoS software’s process memory – not a vulnerability, but by design
• PoS RAM scrapers retrieve a list of running processes, read and inspect each process’s memory, and search it for card data
A Brief History
• Earliest evidence – Visa Data Security Alert issued on Oct 2nd, 2008
• Attempting to install debugging tools on PoS systems
• Verizon’s 2009 Data Breach Investigations Report also introduced this “new” malware in early 2009, together with victim profiles
• 2009, weaponized and targeting the Retail & Hospitality industries
Why do we care?
• Everyday retailers we all visit are getting targeted
• Cybercriminals are stealing our credit card data and committing fraud
• Recently in the news:
Infection Statistics
Collected using Trend Micro’s Smart Protection Network, April-June 2014
PoS RAM Scrapers
Family Tree
Evolution
• Multi-component
• Single binary
• Networking functionality
• Bot functionality
• Kill switch
• Encryption
• Development Kits
• Multi-exfiltration techniques
Major Families
• Rdasrv – one of the earliest PoS RAM Scrapers – late 2011
• Targets food services & hospitality industries – scans for process names of PoS software
• BlackPOS – one of the most infamous PoS RAM Scrapers
• Developed by a Russian teenager. Source leaked late 2012 or early 2013 – many variants exist which use the same codebase
Major Families
• Alina – introduced many of the functionalities widely copied/replicated by later PoS RAM Scraper families
• Source code regularly updated – latest known version 6.x
• Dexter – first PoS RAM Scraper to also install a keylogger
• Supports a full suite of Bot commands
Major Families
VSkimmer
Major Families
• Chewbacca – uses the TOR network to exfiltrate data – installs a TOR proxy application
• In addition to scraping RAM, it is also a keylogger
• JackPOS – Alina-inspired PoS RAM Scraper – Java-themed social engineering
• Drops a watchdog process which ensures JackPOS is always running
Major Families
• Decebal – coded in VBScript and then compiled into an executable
• Audits the victim system for debugging tools and AV
• Soraya – borrows tricks from ZeuS
• Like ZeuS, hooks the NtResumeThread API for process injection – hooks browser functions for sending HTTP POST requests
Major Families
• BrutPOS – attacks systems with open RDP ports and attempts to brute force weak user:password combinations
• Targets known list of POS software
• Backoff – Alina-inspired PoS RAM Scraper – has infected over 1,000 retailers in recent months
• Keylogs on the victim and installs a watchdog process
Major Families
• BlackPOS ver2 – aka FrameworkPOS – compromised Home Depot according to “Krebs on Security”
• A clone of the BlackPOS variant that compromised Target – uses the same multi-stage exfiltration process
• Pretends to be a component of AV to avoid drawing attention
Infect, Scrape, & Exfiltrate
Infection Methods
• Inside Job
• Phishing & Social Engineering
• Vulnerability Exploitation
• PCI-DSS Non-Compliance
• Cyber Attacks
Memory Scraping Techniques
• Two major methods for iterating processes
– Use the CreateToolhelp32Snapshot API to list and iterate processes
– Use the EnumProcesses API to list and iterate processes
• Use either regular-expression match or custom search routine
• Blacklists
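To make the “regular-expression match or custom search routine” bullet concrete from the defender’s side, here is an added example (not code from the talk or from any malware family it names) that scans a constructed memory-dump buffer for Track 1/Track 2 records and applies a Luhn check to discard regex false positives, which is what an incident responder does to confirm exposure in a memory image taken from a suspected terminal. The track layouts follow ISO/IEC 7813; the sample bytes and the test PANs are constructed.

```python
import re
from typing import Dict, List

# Track 1, format B (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that a candidate PAN is well formed; rejects most regex false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so a report never re-exposes full card numbers."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Return every Track 1/2 candidate in buf, flagging which ones pass Luhn."""
    hits = []
    for track, rx, exp_idx in (("1", TRACK1_RE, 3), ("2", TRACK2_RE, 2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            hits.append({"track": track, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry_yymm": m.group(exp_idx).decode("ascii"), "luhn_ok": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


def confirmed_cards(buf: bytes) -> List[Dict[str, object]]:
    """Only the candidates that survive the Luhn filter (what an analyst reports as exposed)."""
    return [h for h in find_track_data(buf) if h["luhn_ok"]]


# Constructed sample "memory dump": noise around two valid records and one regex-only false positive.
SAMPLE_DUMP = (
    b"\x00\x10MSXML\x00" + b"A" * 16
    + b"%B4111111111111111^DOE/JOHN^25121011000000000?"   # Track 1, Luhn-valid test PAN
    + b"\xff" * 8 + b"ORDER#1234;"
    + b";5555555555554444=25122011234567890?"             # Track 2, Luhn-valid test PAN
    + b"\x00" * 4
    + b";4111111111111112=25121010000000000?"             # looks like Track 2 but fails Luhn
)
```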
Data Exfiltration Techniques
Common Characteristics
• Collects and exfiltrates system information
• Uses social engineering to avoid drawing attention
• Bot functionality – talks to a C&C server
• Single binary as opposed to multiple components
Common Characteristics
• Uses the CreateToolhelp32Snapshot API to iterate over processes
• Uses a blacklist to avoid scanning certain processes
• Uses either a custom search function or regular-expression match to find the card data in RAM
• Encrypts/encodes the exfiltrated data
• Uses HTTP POST requests to exfiltrate data
The Carding Underground
Underground Lingo
• Hackers infiltrate businesses and steal card data
• They sell the stolen card data in batches called dumps to carders in carding forums
• Carders are the consumers of stolen card data, which they then monetize
• Carding forums sell both skimmed and scraped card data
Carding Forums
Cards for sale
Monetizing stolen cards
• First validate the purchased stolen credit card data before attempting to monetize
• Use in ATMs, vending machines, and gas pumps
• Use for “card-not-present” transactions e.g. online purchases
• Use for in-store/in-person purchases
Defending against PoS RAM Scrapers
Discovery Statistics
• According to Verizon’s 2014 Data Breach Investigations Report, in 99% of cases involving PoS intrusions an external party detected the signs of a breach and informed the victim
• In 98% of cases the PoS breach was detected within weeks or months
• In 87% of cases the cybercriminals took seconds or minutes to successfully breach the victim’s PoS network
Discovery
• This is the most difficult and crucial task – especially in a large organization
• Monitor for system component changes
• Monitor for unusual traffic activity on named and non-standard ports
• Monitor for new or misconfigured network shares
• Monitor AV, DLP, BDS logs for unusual activities
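As an added illustration of the traffic-monitoring bullets above (and of the HTTP POST exfiltration characteristic noted earlier in the deck), the following Python, which is not from the talk, reviews constructed proxy-log lines and flags any request from the PoS segment to a destination outside its allowlist, noting POST method and non-standard ports as extra reasons; the PoS segment, the processor endpoint and the log format are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumed layout: the PoS segment and the only destination it is allowed to reach
# (a TEST-NET address standing in for the payment processor's authorisation host).
POS_SEGMENT = ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = {"203.0.113.10:443"}
STANDARD_WEB_PORTS = {80, 443}


@dataclass
class Alert:
    line_no: int
    src: str
    dst: str
    port: int
    reasons: List[str]


def review_proxy_log(lines: List[str]) -> List[Alert]:
    """Flag every request a PoS host made to anything other than its allowlisted endpoint."""
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, method, size = line.split(",")
        port = int(port)
        if ip_address(src) not in POS_SEGMENT:
            continue                                   # only PoS hosts are in scope
        if f"{dst}:{port}" in ALLOWED_DESTINATIONS:
            continue                                   # expected authorisation traffic
        reasons = ["destination not in PoS allowlist"]
        if method == "POST":
            reasons.append("HTTP POST from PoS host")  # the exfiltration channel the deck describes
        if port not in STANDARD_WEB_PORTS:
            reasons.append(f"non-standard port {port}")
        alerts.append(Alert(n, src, dst, port, reasons))
    return alerts


# Constructed sample log (not real traffic): ts,src,dst,dport,method,bytes
SAMPLE_LOG = [
    "# ts,src,dst,dport,method,bytes",
    "2014-06-01T10:00:01,10.20.0.15,203.0.113.10,443,POST,1420",   # authorisation: allowed
    "2014-06-01T10:00:09,10.20.0.15,198.51.100.7,8080,POST,65536", # PoS host posting elsewhere
    "2014-06-01T10:00:12,10.50.1.2,198.51.100.9,443,GET,900",      # office workstation: out of scope
    "2014-06-01T10:01:30,10.20.0.22,192.0.2.44,80,GET,300",        # PoS host browsing: not allowed
]
```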
Prevention Strategies - Hardware
• Multi-tier hardware Firewalls
• Breach Detection Systems
• IPS/IDS
• Two factor authentication for remote access
• Point-to-point encryption
Prevention Strategies - Software
• Multi-tier software Firewalls
• Change default settings e.g. passwords, keys, configurations
• Eliminate unnecessary components e.g. accounts, services, protocols
• Disable remote access if not required
• Point-to-point encryption
• Use the latest OS and patch regularly
• Regularly patch installed software
• Restrict access to the Internet on PoS systems
Prevention Strategies - Software
• Use whitelisting to only allow approved applications to run
• Implement a mechanism to notify when system components change
• Automatically reimage every 24 hours
• Restrict communications to only what is required
• Install AV software and regularly update it
• Deploy a vulnerability scanner
• Deploy DLP software to discover, monitor, protect, and manage confidential data
Prevention Strategies - Policy
• Enforce policy regarding physical access to PoS systems
• Enforce strict policy regarding PoS system repairs & upgrades
• Routinely delete stored cardholder data
• Enforce policy to restrict Internet access on PoS systems
• Implement log and audit trails
Reality
• Security best practices will make it very difficult for an attacker to breach the network
• Most attackers will give up and look for easier victims
• But a determined attacker will eventually find a path in
• Unfortunately there is no silver bullet
New Credit Card Technologies
EMV & RFID
Realities of EMV
• Makes creating counterfeit cards more difficult because of the chip
• Card data still decrypted in RAM
• Still very much vulnerable to PoS RAM Scraper attacks
• “Card-not-present” crimes increase
Source: “Chip and PIN is Broken”
Payments via Mobile
• Payment Tokenization
Questions?
PoS RAM Scraper Malware – Past, Present, and Future whitepaper available at URL:
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf