Over the past months we’ve reported about the constant rise is the use of POS malware, especially in the US, and especially against large retailers. According to Kaspersky, the number of companies affected by the Backoff malware may be up to 1000 and that number is constantly rising. As we enter deeper into the holiday season, our assessment is that the activity-level of financial-hackers against retailers and other companies which process many credit-card transactions will rise significantly. The last part is important – POS malware is relevant not only to Target, Home Depot, Kmart, Staples and the rest of the gang, but rather to every company and organization that handles payments. This would explain financial-hackers targeting Dairy Cream, Jimmy John’s and other “non-trivial” targets.
The most prevalent POS malware types include the Soraya malware family, which is based on Zeus and Dexter, and Backoff. What differs the recent incidents is the injection method and the attack vector through which the attackers were able to insert the malware into the targeted systems. For instance, in Jimmy John’s case, attackers leveraged a POS vendor in order to install the malware into hundreds of end-points.
The use of POS malware and the targeting of payment details have become so widespread that due to the large flood of credit and debit-card information in underground markets, a need for dedicated software to ease the monetization of these cards came up. Researchers at Intercrawler recently revealed a payment gateway cyber-crime software, which, according to them, can send batches of stolen card charges to multiple gateway processors, automating their returns before banks can catch the fraud. The platform, called “Voxis”, can be purchased in underground markets, and basically automates the purchasing process, mimicking human behavior to avoid detection. It allows criminals (not just cyber-criminals) to process several cards at any given time, through 32 different payment gateways (including PayPal) and even autofill missing CVV info. This development comes to show the way the underground market answers a rise in demand, and emphasizes that targeting credit-card information will continue to be a rising trend in the near future.
The POS malware trend emphasizes the bottom-line, that financial hackers have shifted focus to be much more asset-oriented, and are agnostic to GeoPolitical regions or business sectors. POS malware has become an efficient tool and a preferred M.O. for many financial hackers. The days of “simple” bank heists are over, it’s not just cash they’re after. So why not change your focus as well? Businesses, both enterprises and SMBs, need to think asset-oriented – an inside-outwards approach. Once you realize you hold lucrative assets, even ones that weren’t that lucrative in the past, and understand you are a valid target, you can start arranging defenses around what matters. If you know which attackers are after you and what methods they use you can even arrange your defenses in a smart way, minimizing the “over-shoot”.