What is BlackPOS Malware?
BlackPOS (also known as the "Memory Form Grabber") is a type of spyware program that steals debit and credit card information by infecting Point-of-Sale (POS) systems and other specialized business computers used in financial transactions. It is similar in nature to other POS threats and is installed using stealth-based methods. BlackPOS attempts to extract information without being noticed by employees or managers, and uploads the stolen information to an external server under the control of cyber criminals.
The BlackPOS malware records all data from credit and debit cards that are swiped at infected POS systems. It has also been programmed to bypass firewall software. BlackPOS malware is just 207kB in size and costs only about $2,000 for the basic version (license). It has been available in the cyber criminal underground since February 2013. This price is quite modest compared to the cost of other banking Trojans.
The BlackPOS Trojan's source code was leaked in 2012, and other cybercriminals used the leak to enhance the code into more powerful versions that were then used in other high-profile POS malware attacks.
How Does BlackPOS Malware Infect Point-of-Sale Systems?
BlackPOS malware targets and infects POS systems that run on Windows and use card readers to accept payments. Cyber criminals run automated internet scans to identify machines with weak remote administration credentials, as well as machines with known vulnerabilities that have not yet been patched. Cyber criminals also employ social engineering and spear phishing to infect systems connected to the enterprise network.
BlackPOS scans the memory of running processes on the POS system, searching for data in Track 1 and Track 2 format (the layouts used on a card's magnetic stripe). The captured data is written to a text file and then sent over FTP to a compromised server chosen by the attacker.
In the Target breach, an email carrying malware was sent to one of Target's vendors. This malware stole the credentials for an online vendor portal at Target. Cyber criminals then used these credentials to access Target's systems and install the BlackPOS malware.
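The paragraph above names the two magnetic-stripe layouts the malware hunts for but does not show what they look like or how a responder would confirm that a recovered text file actually contains card data. The following added example (written for this page, not code from the original article or from any vendor) scans a buffer for Track 1 and Track 2 formatted records, applies the Luhn check so that random digit runs are not counted, and reports only a masked PAN so the report itself is not cardholder data. The staging-file contents are constructed for the example and use the public test card numbers 4111111111111111 and 5500000000000004; the `TrackHit` type and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Regexes for the two magnetic-stripe track layouts that memory scrapers look for.
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


@dataclass
class TrackHit:
    track: int          # 1 or 2
    masked_pan: str     # first six and last four digits only
    expiry: str         # YYMM as encoded on the stripe
    service_code: str
    offset: int         # character offset of the match in the scanned buffer


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits so the finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: str) -> list[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in buf, ordered by offset."""
    hits: list[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_valid(m.group(1)):
            hits.append(TrackHit(1, mask_pan(m.group(1)), m.group(3), m.group(4), m.start()))
    for m in TRACK2_RE.finditer(buf):
        if luhn_valid(m.group(1)):
            hits.append(TrackHit(2, mask_pan(m.group(1)), m.group(2), m.group(3), m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample of a recovered staging file (not real breach data). PANs are
# the public test numbers 4111111111111111 and 5500000000000004, plus one digit
# run that fails the Luhn check and must therefore not be reported.
SAMPLE_STAGING_FILE = (
    "%B4111111111111111^DOE/JANE^25121010000000000?;4111111111111111=25121010000000000?\n"
    ";5500000000000004=26031010000000000?\n"
    ";4111111111111112=25121010000000000?\n"
    "some unrelated process output\n"
)


def main() -> None:
    for h in find_track_data(SAMPLE_STAGING_FILE):
        print(f"offset={h.offset:4d} track={h.track} pan={h.masked_pan} "
              f"exp={h.expiry} svc={h.service_code}")


if __name__ == "__main__":
    main()
```

Run as-is it reports three records (one Track 1 and two Track 2) and ignores the fourth line, whose PAN fails the Luhn check. The same scan applied to a process memory dump taken during incident response is how the presence of track data in a POS process, and the scope of what a scraper could have captured, is established.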
Impacts of BlackPOS Malware
The BlackPOS malware is sold by a criminal developer under the title "Dump Memory Grabber by Ree" and is spyware designed mainly to infect banking computers. These types of programs are not new by any means, but this one is more alarming than others because it has already been used to compromise thousands of cards, including cards issued by:
- Capital One
- Nordstrom Bank
Impact on Enterprises:
Targeted attacks using BlackPOS malware can severely affect enterprises. They can lead to business disruption, loss of intellectual property, loss of reputation, major financial loss and loss of customer information.
Impact on Enterprises’ customers:
Customers are affected in a different way: they face identity theft and could be subjected to blackmail. They may also suffer losses, both financial and reputational.
Target BlackPOS Data Breach
In December 2013, hackers stole data from over 40 million credit cards at over 2,000 Target stores. The BlackPOS malicious software had infected point-of-sale (POS) systems at the checkout counters at Target. This was a massive data breach that compromised sensitive information of more than 110 million customers. The BlackPOS memory-scraping malware parsed data that is held, for a very short period, in the memory of infected POS devices: the data stored on the card's magnetic stripe is captured by the malware in this brief instant. This information is written to a text file and sent by FTP to a server chosen by the attacker. The attackers used the stolen data to create cloned cards that were used for high-value shopping.
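The exfiltration step described above (a text file pushed over FTP from a checkout terminal to a server the attacker picked) is also the step that is easiest to see from the network, because a POS terminal has no business opening FTP sessions to arbitrary hosts. The added example below (written for this page, not code from the article or from any product) parses constructed firewall log lines and flags any FTP connection, allowed or denied, from the POS segment to a destination that is not on the approved list. The POS network `10.20.0.0/16`, the approved payment gateway `10.1.0.9`, the key=value log format and the timestamps are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Hypothetical network layout: the POS VLAN and the single payment gateway
# that POS terminals are permitted to talk to. Both values are assumptions.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.1.0.9")}
FTP_PORTS = {20, 21}

# key=value firewall log format assumed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_suspicious_ftp(rec: dict) -> bool:
    """A POS host opening FTP to anything other than the approved gateway."""
    return (rec["src"] in POS_SEGMENT
            and rec["dport"] in FTP_PORTS
            and rec["dst"] not in ALLOWED_DESTINATIONS)


def find_exfil_candidates(lines):
    """Return (ts, src, dst, action) for each flagged connection, in log order.
    Denied attempts are kept: a blocked FTP attempt from a terminal is still an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_ftp(rec):
            hits.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["action"]))
    return hits


def hosts_by_alert_count(hits):
    """Count alerts per source terminal so the noisiest host is triaged first."""
    return Counter(h[1] for h in hits)


# Constructed firewall log (not real traffic). Line by line: normal gateway
# traffic, FTP to an unexpected internal host, FTP to an external host, FTP
# from a non-POS host, FTP to the approved gateway, and a denied external FTP.
SAMPLE_LOG = """\
2013-12-02T03:14:07Z src=10.20.5.31 dst=10.1.0.9 dport=443 proto=tcp action=allow
2013-12-02T03:15:22Z src=10.20.5.31 dst=10.7.3.14 dport=21 proto=tcp action=allow
2013-12-02T03:15:40Z src=10.20.5.31 dst=198.51.100.23 dport=21 proto=tcp action=allow
2013-12-02T03:16:01Z src=10.50.1.8 dst=198.51.100.23 dport=21 proto=tcp action=allow
2013-12-02T03:16:30Z src=10.20.9.2 dst=10.1.0.9 dport=21 proto=tcp action=allow
2013-12-02T03:17:05Z src=10.20.9.2 dst=198.51.100.23 dport=21 proto=tcp action=deny
""".splitlines()


def main() -> None:
    hits = find_exfil_candidates(SAMPLE_LOG)
    for ts, src, dst, action in hits:
        print(f"{ts} POS host {src} -> FTP {dst} ({action})")
    print("alerts per host:", dict(hosts_by_alert_count(hits)))


if __name__ == "__main__":
    main()
```

On the sample log this flags three of the six lines: the two allowed FTP sessions from 10.20.5.31 and the denied attempt from 10.20.9.2. The FTP-port filter mirrors what the article describes; in practice the rule worth deploying is the broader one, any connection from the POS segment to a destination outside the approved list, since later variants need not use FTP.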
How to Prevent It
Critical Controls that Could Have Prevented Target Breach
- PCI compliance alone is not a sufficient risk management strategy. Enterprises can mitigate losses by regularly performing enterprise-wide risk management activities. Threats and vulnerabilities beyond the scope of compliance audits must be identified. Enterprises must employ an adequate number of skilled security professionals who are able to take proactive action against Advanced Persistent Threats (APTs).
- A robust POS security strategy is a must for protecting enterprise systems, even when the data is encrypted.
- Multi-layered security is needed.
- Enterprises must consider implementing the Critical Controls, a prioritized list of specific controls that are considered effective in preventing malicious attacks.
- A robust endpoint protection system with up-to-date antivirus protection and patch management would go a long way toward protecting POS systems.
Because it is sold to criminals, its exploits are not about to go away on their own. It will be up to companies everywhere to ensure they have the right protection. We can help you there, because our product is made primarily to beat the advanced threats that affect the security of your POS systems and other computers. Contact us today to learn more.