Background
Point of Sale (POS) threats are often associated with the retail industry because of the large number of high-profile retailers who have suffered significant losses (2014 became known as the ‘year of the mega breach’). In 2015, high-profile losses also hit the hospitality industry, with several large chains disclosing breaches. According to the 2016 Verizon Data Breach Investigations Report, attacks against POS environments were responsible for 95% of the confirmed data breaches among its Accommodation customers, and 64% among its Retail customers.
The Trend Micro Cyber Safety Solutions Team recently published a report on FastPOS that highlights the risk to smaller organizations. FastPOS is a new malware variant that harvests both card data via a RAM scraper, and credentials via a keystroke logger.
FastPOS is noteworthy for a couple of reasons:
- It sends the harvested data back to its C&C server immediately, rather than storing it on-site before exfiltration. In fact, it earned its moniker because of the unusually fast rate with which it exfiltrates any data it has stolen.
- The C&C server is also a forum for monetizing stolen cardholder data; below is a screenshot of cardholder data available for purchase.
Impact on you
FastPOS is also important to note because it has targeted smaller organizations as well as larger enterprises. Because of the speed with which FastPOS exfiltrates data, smaller networks will likely have less opportunity to detect this threat, and they may not have deployed the sophisticated threat detection technologies that would alert them to the harvesting and exfiltration of cardholder data.
FastPOS represents a threat to all industries and organizations that use POS systems. The Trend Micro report sums it up well:
“Regardless of size and industry, an organization or a company can be affected by Point-of-Sale (PoS) threats. For more than three years, we have monitored and reported PoS threats targeting diverse verticals beyond retail; we have seen attacks affecting airports and parking lots, among others. It is a mainstream threat that has continuously evolved its tactics to expand their target base.”
How AlienVault Helps
The AlienVault Unified Security Management (USM) platform provides the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like FastPOS. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep users up to date with new and evolving threats. The Labs team performs the research into the latest threats, and into how to detect and respond to them, that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves.
The Labs team recently updated the USM platform’s ability to detect this new POS malware by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a compromised system. These updates are described in the latest AlienVault Labs Threat Intelligence Update in our forum, and are now available for USM users.
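As an added illustration of what such a correlation directive does (this is example code, not AlienVault's directive or its IDS signatures; the event type names, hosts and timestamps are constructed), the snippet below links a host-based event with a subsequent network IDS event on the same POS host, using a short window because FastPOS exfiltrates within seconds of harvesting:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical event types, not real indicators).
# pos-01 shows harvest followed by exfiltration within seconds; pos-02 and
# pos-03 each show only one isolated stage and must not raise an alarm.
SAMPLE_EVENTS = [
    {"ts": "2016-06-01T10:00:05", "host": "pos-01", "type": "hids_keylogger_behavior"},
    {"ts": "2016-06-01T10:00:09", "host": "pos-01", "type": "ids_suspicious_pos_exfil"},
    {"ts": "2016-06-01T10:00:12", "host": "pos-01", "type": "ids_suspicious_pos_exfil"},
    {"ts": "2016-06-01T10:30:00", "host": "pos-02", "type": "ids_suspicious_pos_exfil"},
    {"ts": "2016-06-01T11:00:00", "host": "pos-03", "type": "hids_keylogger_behavior"},
]

# A directive: ordered stages that must all be seen on one host within the window.
DIRECTIVE = {
    "name": "POS host compromised: data harvest followed by immediate exfiltration",
    "stages": ["hids_keylogger_behavior", "ids_suspicious_pos_exfil"],
    "window": timedelta(minutes=5),
}


def parse_ts(value):
    return datetime.fromisoformat(value)


def correlate(events, directive):
    """Return one alarm per host on which the directive's stages occur in order
    within the directive's time window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alarms = []
    for host, host_events in by_host.items():
        stage, chain_start = 0, None
        for ev in host_events:
            when = parse_ts(ev["ts"])
            # Window expired before the chain completed: start over on this host.
            if stage and when - chain_start > directive["window"]:
                stage, chain_start = 0, None
            if ev["type"] == directive["stages"][stage]:
                if stage == 0:
                    chain_start = when
                stage += 1
                if stage == len(directive["stages"]):
                    alarms.append({"host": host, "directive": directive["name"],
                                   "first_seen": chain_start.isoformat()})
                    break  # one alarm per host is enough for the analyst
    return alarms
```

A real directive would also weight the alarm by asset value (a card-handling terminal) and by how recent the first stage was, since the page's point is that the harvest-to-exfiltration gap is too short for slow, manual review.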
You can explore additional information related to this threat in the AlienVault Open Threat Exchange (OTX).
USM also integrates with OTX, which means that USM users are alerted whenever indicators of compromise (IOCs) being discussed in OTX are detected on their network. Learn more about the OTX/USM integration here.