Here comes a new POS malware, designed to hit Windows Point of Sale terminals.
Point of Sale terminals rank among the all-time favourite targets for hackers and cyber-criminals. Reasons are of course obvious. Financial transactions, mostly through credit cards, take place in large number through POS terminals and there are still organizations that don’t give due importance to POS security. Thus it becomes easy for hackers to get away with sensitive personal information, especially credit card data, which could later be used to rob people of their money.
Cyber-criminals seem to be coming up with innovative ideas to strike at POS terminals; they design all kinds of new POS malware and go on doing their job. So, here comes another new POS malware, a very advanced strain of malware that has the capability of attacking Windows point of sales terminals, stealing cardholder data and upgrading itself while hiding in plain sight.
Researchers from the Chicago-based security company Trustwave have discovered this new strain of POS malware and have given them the name too. Here’s what the Trustwave’s SpiderLabs blog (SpiderLabs is Trustwave’s team of ethical hackers, forensic investigators and researchers) says about the malware- “During a recent United States Secret Service investigation, Trustwave encountered a new family of POS malware, that we named Punkey. It appears to have evolved from the NewPOSthings family of malware first discovered by Dennis Schwarz and Dave Loftus at Arbor Networks.”
How it infects and works
In a Q&A post in the same blog, it’s explained how PunkeyPOS makes it onto POS systems- “Typically Punkey would be installed by exploiting easy-to-crack passwords used for remote access software on the POS systems or through cashiers using the POS system to browse malicious websites or open phishing emails.”
There is also an explanation on how PunkeyPOS works once it has infected a POS system or network- “Once installed, Punkey hides itself as a part of Explorer, one of Windows primary processes. Like a lot of POS malware, Punkey uses memory scraping to grab credit card data and keylogging to capture anything typed into the infected system. The stolen data is then sent back to a command-and-control (C&C) server to be collected by the criminals.”
Yes, PunkeyPOS malware hides inside the Explorer process, which exists on every Windows device. The malware manages the opening of individual program windows, scans other processes on the terminal to find cardholder data, using memory scraping and keylogging. This data is then sent to the control server.
Combatting PunkeyPOS
PunkeyPOS is of course an advanced malware, but it can be combatted using some very basic techniques. These include having a good, effective anti-malware software and intrusion detection system solutions, updating the antivirus software and firewall protections regularly, checking network activity daily, monitoring the remote access software etc. Employees need to be trained to follow best security practices and use POS systems only for work.
