SoS Musings #75 - A Major Threat to Businesses: Point-of-Sale (PoS) Attacks

SoS Musings #75 -

A Major Threat to Businesses: Point-of-Sale (PoS) Attacks

Despite all of the benefits Point-of-Sale (PoS) systems offer, they are increasingly becoming targets of cyberattacks. PoS systems have replaced traditional cash registers in many businesses because they offer a number of advantages in managing employees, customers, transactions, inventory, pricing, and cash flow, thus helping companies operate more effectively. A PoS device facilitates retail transactions by computing the amount that customers must pay for their purchases and providing options for making payments. PoS systems are an easy target for cybercriminals, who can identify a weak point to inject malware and then steal credit card information without exerting much effort. This information is of great value to criminals. For example, BidenCash, a carding marketplace on the dark web, recently exposed two million valid payment cards, distributing the credit card information as a birthday anniversary promotion. The leaked data contained cardholders' full names, card numbers, bank information, expiration dates, and Card Verification Value (CVV) numbers likely obtained, in part, through attacks on PoS systems. The purpose of PoS security is to create a safe environment for customers to complete their purchases and transactions, and it is an essential measure for fostering consumer trust.

Businesses have fallen prey to attacks on PoS systems, highlighting the vulnerabilities of such systems. A threat actor employed two PoS malware variants, Treasure Hunter and MajikPOS, to steal information related to over 167,000 credit cards from payment terminals. Group-IB estimated that the operators behind the stolen data dumps could have gotten up to $3.34 million by selling them on underground forums. Researchers noted that nearly all PoS malware variants share a similar card dump extraction capability, but employ different techniques for maintaining persistence on infected devices, data exfiltration, and processing. Treasure Hunter and its advanced successor MajikPOS are both designed to brute-force their way into a PoS terminal, or alternatively purchase initial access from third parties known as Initial Access Brokers (IABs), before extracting payment card information from the system's memory and transmitting it to a remote server. Popular New York City eateries Catch NYC, Catch Roof, and Catch Steak discovered and removed malware from their PoS systems that exposed customers' credit card information. Catch Hospitality Group, the owner of the three New York City hotspots, stated that the malware searched for track data read from a payment card as it was being routed through the PoS devices. Track data sometimes includes the cardholder name in addition to the card number, expiration date, and internal verification code. Visa's payment fraud disruption department identified three separate attacks on PoS systems used by gas station merchants and a hospitality chain. According to the credit card company, one of the attacks was executed through the performance of a phishing attack on a gas station employee. The success of the phishing attack led to the download of a Remote Access Trojan (RAT), which then allowed cybercriminals to move laterally through the breached network to the merchant’s PoS environment where they then launched a RAM memory scraper in order to steal payment card data. Findings from the analysis of the malware used in these attacks suggest that FIN8, a financially-motivated hacking group, was likely the perpetrator. The Brazilian threat actors behind Prilex, a sophisticated and modular PoS malware, have emerged with new updates that enable it to prevent contactless payment transactions. Researchers identified three variants of Prilex that can target Near Field Communication (NFC)-enabled credit cards. Since 2014, the threat actor has constantly added new features designed to support credit card theft, such as the GHOST transactions approach. The main purpose of the new functionality is to disable the contactless payment feature so that the user must insert their card into the PIN pad. The version of Prilex discovered in November 2022 was found to use rule-based logic to assess whether or not to collect credit card information, as well as an option to block NFC-based transactions.

Researchers have conducted further research into the vulnerability of PoS systems to attacks. Security vulnerabilities were discovered in widely used PoS terminals that could have allowed cybercriminals to steal credit card details, clone terminals, and conduct a number of other malicious activities. The vulnerabilities, found in Verifone and Ingenico PoS products used in millions of stores globally, were detailed by independent researcher Aleksei Stennikov, and the head of offensive security research at Cyber R&D Lab, Timur Yunusov. According to the researchers, one of the vulnerabilities that affected both brands stemmed from the use of default passwords, which could have allowed attackers to access a service menu, manipulate code on the machines, and run malicious commands. These security issues are said to have existed for at least ten years. Attackers could have gained access to the devices in one of two methods to manipulate them. Either they physically gained access to the PoS terminal, or they remotely gained access via the Internet to execute arbitrary code, buffer overflows, and other common techniques that can provide attackers with an escalation of privileges, the ability to control the device, and the ability to view and steal data passing through it. Eclypsium researchers have warned that flaws in the drivers used by PoS systems make them susceptible to more pervasive and potentially devastating attacks. They evaluated the security of device drivers, the programs that enable applications to communicate with and use the system's hardware components. Their research project, dubbed Screwed Drivers, identified vulnerabilities and design flaws in 40 Windows drivers from at least 20 hardware vendors, highlighting the pervasive nature of these issues. Windows is often only associated with servers, workstations, and laptops, but these are not the only devices that can run Microsoft's operating system as it is also widely used on PoS terminals and other specialized equipment. According to the Eclypsium team, these devices are typically more difficult to update due to their use in regulated industries and environments. Therefore, updates must pass strict testing and certification. Long-term outages can result in business disruption and financial loss. As part of their study, the team discovered a vulnerability in a driver used in PoS systems as well as ATM models. The exploitation of vulnerable drivers can enable various attacks against PoS systems leading to privilege escalation, unauthorized access to sensitive information, and the theft of money or customer data. For example, by exploiting the vulnerability, an attacker could deploy a BIOS rootkit that can survive operating system reinstallations, potentially resulting in a highly persistent attack. Some sophisticated cybercriminal groups may find it extremely advantageous to hide malware in the BIOS so that it can survive operating system reinstallation, as this would allow them to repeatedly attack their targets. Destructive attacks that render devices inoperable are also possible.

Businesses that use a PoS system to accept payments should be aware of PoS attacks and their risks. Attacks against these systems can have severe consequences, including the loss of consumer data and financial losses. In order to stay on top of the latest PoS threats, businesses are encouraged to implement measures such as multi-layered security solutions. In addition, the security community must continue conducting research into the prevention of attacks on PoS systems.