Security Best Practice for Protecting Against Memory Scraping Malware in Target & Home Depot

Credit and debit cards stolen from bricks-and-mortar stores sell on the black market for at least ten times the price of cards stolen from online merchants. There are plenty of Tor-accessible card shops that will happily buy the cards from hackers and resell them on the open market. A card stolen from a bricks-and-mortar store can be reused in a real store to buy high-value electronic goods or gift cards that are easily converted into cash. Cards stolen online require a card verification value (CVV) and can only be used at online stores willing to ship high-value goods to an address other than the billing address.

The two most recent major bricks-and-mortar card breaches in the news are Home Depot, where 56m customers’ card details were stolen, and Target, where 70m customers’ card details were stolen. In both cases the point-of-sale (POS) systems were breached by variants of the same memory scraping malware: BlackPOS / Kaptoxa in the case of Target and Framework POS in the case of Home Depot. Both run inside the POS system (which runs on Windows) and are registered as a service. Both read card data before it is encrypted, collate it and later output it; the card data is then made available as ‘dumps’ on black market stores.

BlackPOS / Kaptoxa behind the Target breach:

BlackPOS / Kaptoxa (file name: “Trojan.POSRAM”) is a memory scraping malware designed to compromise payment information systems. It is this malware, whose source was made available online in 2012, that compromised the payment data of as many as 70 million customers who shopped at Target and 56 million customers who shopped at Home Depot. Memory scraping malware works by residing on a POS terminal, where it monitors the information being processed by the payment application. Payment card security standards (e.g. PCI DSS) require merchants to encrypt credit card data at the point of sale. However, there is a brief window during the payment authorisation process when the card data is held unencrypted in memory, and that is when the malware copies it. The copied data resides on the affected POS terminals for a period of time until it is aggregated to a central location, from which a series of remote FTP transfers retrieve the stolen data. Kaptoxa was therefore able to access and copy payment card data, including credit and debit card numbers, personal identification numbers (PINs), expiration dates, email addresses, consumer addresses and telephone numbers.

Framework POS:

The credit card-stealing program (detected by Trend Micro as TSPY_MEMLOG.A) used in the attack on the Atlanta-based retailer is dubbed Framework POS. This malware registered itself as anti-virus software on the POS terminal operating system in order to avoid being detected and deleted from the infected terminals.

How does PoS Malware get installed?

In order for point-of-sale memory scraping malware to work it must be installed on the point-of-sale machine and registered as a service. There are a number of ways such malware can end up installed on point-of-sale machines:

  1. Through a compromised software release lifecycle, where the malware is deployed along with other software components to the target systems
  2. Through a compromised remote desktop solution that allows remote deployment of the malware and registration of the malware service
  3. Through a SQL injection attack that allows deployment of software, registration of a service or extraction of data
  4. Through a targeted spear-phishing attack that compromises an internal employee, or a failure to remove a leaver’s privileges from business services
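Whichever of these routes is used, the result is a new Windows service on the terminal, and Framework POS additionally dressed that service up as anti-virus software. One defensive check is therefore to compare every service installation against the approved inventory for the POS image. The Python below is an added example, not code from the original post or from any product mentioned here: it replays constructed Windows System-log Event ID 7045 ("A service was installed in the system") records, and the service names, install paths and approved inventory in it are assumptions made for the example.

```python
"""Allowlist review of Windows service installations (added example).

Memory scraping POS malware runs as a registered Windows service, and Framework
POS registered itself as anti-virus software. Every service installation writes
Event ID 7045 to the System log, so a defender can compare each new service
against the approved inventory for the POS image. The events, inventory and
paths below are constructed for the example.
"""
import re

# Constructed approved service inventory for the POS image; in practice this
# comes from the release-management system.
APPROVED_SERVICES = {"PosPaymentSvc", "PosPrinterSvc", "RealAvEngine"}

# Constructed install locations the release pipeline is allowed to write to.
APPROVED_PATHS = ("c:\\program files\\pos\\", "c:\\program files\\realav\\")

# Names that imitate security software; paired with an unapproved path this is
# the Framework POS disguise.
AV_LIKE_NAME = re.compile(r"anti.?virus|defender|\bav\b|security", re.I)

# Constructed Event ID 7045 messages as exported from the System log.
SAMPLE_EVENTS = [
    "Service Name: PosPaymentSvc\n"
    "Service File Name: C:\\Program Files\\POS\\payment.exe\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
    "Service Name: RealAvEngine\n"
    "Service File Name: \"C:\\Program Files\\RealAV\\engine.exe\" /service\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
    "Service Name: AvDefenderUpdate\n"
    "Service File Name: C:\\Windows\\Temp\\avupd.exe\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
    "Service Name: PosPrinterSvc\n"
    "Service File Name: C:\\Users\\Public\\prnsvc.exe -k\n"
    "Service Type: user mode service\n"
    "Service Start Type: demand start\n"
    "Service Account: LocalSystem",
]

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Start Type|Service Account):\s*(.*)$",
    re.M,
)


def parse_7045(message):
    """Return the 7045 message fields as a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(message)}


def binary_path(file_name):
    """Strip quoting and arguments from a Service File Name, leaving the executable path."""
    quoted = re.match(r'^"([^"]+)"', file_name)
    if quoted:
        return quoted.group(1)
    exe = re.match(r"^(.*?\.exe)", file_name, re.I)
    return exe.group(1) if exe else file_name.split()[0]


def check_event(event):
    """Return the reasons a service installation should be alerted on (empty if clean)."""
    reasons = []
    name = event.get("Service Name", "")
    path = binary_path(event.get("Service File Name", "")).lower()
    if name not in APPROVED_SERVICES:
        reasons.append("service name not in approved inventory")
    if not path.startswith(APPROVED_PATHS):
        reasons.append("binary outside approved install locations")
        if AV_LIKE_NAME.search(name):
            reasons.append("security-product-like name from an unapproved location")
    return reasons


def audit(messages):
    """Return (service name, file name, reasons) for every suspicious installation."""
    findings = []
    for message in messages:
        event = parse_7045(message)
        reasons = check_event(event)
        if reasons:
            findings.append((event.get("Service Name"), event.get("Service File Name"), reasons))
    return findings


if __name__ == "__main__":
    for name, file_name, reasons in audit(SAMPLE_EVENTS):
        print(f"{name}: {file_name}\n  - " + "\n  - ".join(reasons))
```

Run against the constructed events, the two services installed from the approved locations pass, the "AvDefenderUpdate" service dropped into a temp directory is flagged on all three rules, and the approved-name service started from a public user directory is flagged on its path alone, which is the case an inventory check by name only would miss.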

Inappropriate access controls allowed the Target hackers to break in via an HVAC company, and the breach was exacerbated by a SQL injection attack used for service registration and FTP data extraction. In the Target breach the intruders were able to set up a control server within Target’s internal network that served as a central repository for data collated from all of the infected POS terminals.

The Home Depot breach was likely due to an exposed remote desktop. According to the US-CERT alert on Backoff PoS malware: “Recent investigations have revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.”

How to protect against a similar attack

The mechanisms of infection in the Target and Home Depot breaches were different even though the malware was similar. The following are best practices to avoid similar breaches within your organisation:

  1. Manage the software release lifecycle so that deployed packages match pre-defined and agreed package names, making the deployment of unapproved code less likely (e.g. use OSGi packages)
  2. Use your identity management system to control access to software promotion systems, with strong authentication and password vaulting
  3. Similarly manage access to operating systems and virtual machines so that the same strong authentication is enforced for the underlying OS and VM
  4. Turn off remote desktop for production environments, or enforce strong authentication and password vaulting where it is strictly necessary
  5. Constantly monitor your internal network for exposed ports, since collated credit and debit card data still has to be extracted from the organisation
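The last point is where both breaches were visible on the network: the Target data was staged on an internal control server and pulled out over FTP, and the Backoff actors in the US-CERT alert came in over exposed remote desktop. As an added example (not code from the original post), the Python below reviews constructed flow records from a POS segment for those patterns. The POS VLAN range, jump host, payment gateway address and terminal-count threshold are assumptions made for the example.

```python
"""Flow-log review for a POS network segment (added example).

Scraped card data still has to leave the estate, so the flows a POS terminal
takes part in are worth watching. This script replays constructed flow records
from a POS VLAN and flags: FTP from a POS terminal, remote desktop to a POS
terminal from anything but the management jump host, a POS terminal reaching
the internet outside the payment-processor allowlist, and one internal host
receiving connections from many terminals (a possible collection point).
Addresses, ranges and thresholds are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")        # constructed POS VLAN
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
JUMP_HOSTS = {ipaddress.ip_address("10.1.1.10")}           # constructed management host
PAYMENT_GATEWAYS = {ipaddress.ip_address("203.0.113.10")}  # constructed processor endpoint
COLLECTION_THRESHOLD = 3  # distinct POS terminals talking to one internal host

# Constructed flow export (timestamp, source, destination, destination port, bytes).
FLOWS_CSV = """ts,src,dst,dport,bytes
2014-11-01T02:00:01,10.20.3.11,203.0.113.10,443,4120
2014-11-01T02:00:05,10.20.3.12,10.5.0.77,21,918400
2014-11-01T02:00:09,10.20.3.13,10.5.0.77,445,120000
2014-11-01T02:00:12,10.20.3.14,10.5.0.77,445,98000
2014-11-01T02:00:15,10.20.3.15,10.5.0.77,445,101000
2014-11-01T02:01:00,198.51.100.23,10.20.3.11,3389,5100
2014-11-01T02:01:30,10.1.1.10,10.20.3.12,3389,4800
2014-11-01T02:02:00,10.20.3.11,198.51.100.50,443,7700
"""


def is_internal(addr):
    """True for RFC 1918 addresses; the TEST-NET ranges used above count as internet."""
    return any(addr in net for net in INTERNAL_RANGES)


def parse_flows(text):
    """Parse the CSV export into flow dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": row["ts"],
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def review(flows):
    """Return (finding, subject, detail) tuples for the flows worth alerting on."""
    findings = []
    pos_sources_per_host = defaultdict(set)
    for f in flows:
        src_is_pos = f["src"] in POS_SEGMENT
        dst_is_pos = f["dst"] in POS_SEGMENT
        # Card dumps were moved with FTP; a terminal has no business speaking it.
        if src_is_pos and f["dport"] == 21:
            findings.append(("ftp-from-pos", str(f["src"]), str(f["dst"])))
        # Remote desktop into a terminal from anything but the jump host.
        if dst_is_pos and f["dport"] == 3389 and f["src"] not in JUMP_HOSTS:
            findings.append(("rdp-to-pos-from-unapproved-host", str(f["src"]), str(f["dst"])))
        # Terminals should only reach the internet via the payment processor.
        if src_is_pos and not is_internal(f["dst"]) and f["dst"] not in PAYMENT_GATEWAYS:
            findings.append(("pos-to-internet-unapproved", str(f["src"]), str(f["dst"])))
        # Count how many terminals talk to each internal, non-POS host.
        if src_is_pos and is_internal(f["dst"]) and not dst_is_pos:
            pos_sources_per_host[f["dst"]].add(f["src"])
    # An internal host fed by many terminals is either a known store server or a
    # staging point for collated card data; either way it should be accounted for.
    for host, sources in pos_sources_per_host.items():
        if len(sources) >= COLLECTION_THRESHOLD:
            findings.append(("possible-collection-point", str(host), f"{len(sources)} POS terminals"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_flows(FLOWS_CSV)):
        print(*finding, sep="  ")
```

On the constructed flows the review raises four findings: the FTP session from a terminal, the remote desktop connection from an unapproved source, the terminal reaching an unlisted internet host, and the internal host contacted by four terminals. The collection-point rule will also match legitimate store servers, so its purpose is to force those hosts onto an explicit list rather than to convict them outright.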
