Network Security Perspective: Point-of-Sale, Data Loss, and the Black Market

It’s all becoming so nefarious. Today, we live, work, and play in a world that is riddled with bad guys going to great lengths to undermine the fabric of society through cybercrime. Thankfully, there are also teams of incredible people with amazing minds analyzing, researching, and protecting businesses and consumers from the looming damage. The just-released McAfee Labs Threats Report: Fourth Quarter 2013 takes a deep dive into four trends which, if left unaddressed, could be devastating on many levels.

This quarter’s report examines how malicious signed binaries undermine the stamp of approval that Certificate Authorities provide, describes how McAfee Labs uncovered a Microsoft Office zero-day vulnerability, and looks at the excessive data collection of mobile apps and its relationship to malware. Of particular interest to me and my team is how for-hire malware developers were at the heart of the point-of-sale (POS) attacks on Target and other retailers.

If you recall, in December a series of POS attacks made nationwide headlines. From a network security perspective, the report is extremely helpful in dissecting and presenting the details of the credit card data breaches that occurred during the quarter. Last month, I wrote a piece entitled Stolen Data: Network Security Can Ensure You’re Not a Target, but its angle was that the POS is no longer a proprietary system immune to targeted network attacks. At the time, I did not have insight into the anatomy of these attacks. But as soon as McAfee Labs started digging in and analyzing the breaches, we gained and shared some invaluable information, especially as it relates to proactive protection.

The most surprising discovery for me around the POS attacks is how the cybercrime ecosystem supported the attackers’ efforts. According to the report, “The attackers purchased off-the-shelf POS malware, they made straightforward modifications so they could target their attacks, and it’s likely that they both tested their targets’ defenses and evaded those defenses using purchased software.” While this sounds like true innovation for cybercriminals, POS malware is not new. During the last few years we have seen a notable rise in malware families including POSCardStealer, Dexter, Alina, vSkimmer, ProjectHook, and others, many of which can be quickly purchased online.

The report goes into very interesting detail about the type of malware. In fact, McAfee Labs learned that Target uses a custom-built POS application, making it impossible for the attackers to learn the system “offline” and instead requiring them to make several customizations to the BlackPOS malware in order to allow specific behavior within Target’s environment. It’s quite helpful when McAfee Labs goes into detail about the code, for those who understand the more intricate workings of malware, while at the same time pointing out that this attack is really “far from advanced.” This is an important factor in our future security developments, including data loss prevention and network-based malware detection and protection that can discover and stop Trojans generated by these ‘kits.’

The other fascinating piece of the story is how McAfee Labs was able to uncover what happened to the millions of credit card numbers stolen from Target. Our analysts were able to track them to an efficient black market for selling stolen credit card information, including an anonymous, virtual-currency-based point-of-sale payment system. Thieves can pay for the stolen credit cards using one of the many anonymous virtual currency mechanisms, such as Bitcoin.

The McAfee Labs Threats Report: Fourth Quarter 2013 confirms that retail systems like the POS should be secured as rigorously as, or even more rigorously than, a traditional enterprise network made up of desktops, laptops and mobile devices. As we’ve witnessed, the best defense against data-stealing malware is comprehensive threat protection, which is essentially an end-to-end security approach that allows the network to identify advanced malware and the suspicious traffic designed to infiltrate it and exfiltrate data.
