Targeted malware directly affecting ePoS systems running Windows XP is out there and being used right now.
While it may not pose a risk to you today, it will eventually turn up on your systems. If you are still running Windows XP you really need to get off it, and do it today. As you should be aware, Windows XP went end of life last April, almost a year ago. Windows XP was last sold in 2008, so if you still have equipment running it you have definitely got your money's worth. Our advice is either to purchase new equipment running Windows 8 or to upgrade the software on what you have; the first is the better and more obvious option, as there is little point putting a new operating system on old equipment.
Two notable strains of malware are currently circulating. Both target payment processing, but they are able to capture your customers' card data for cloning even if you do not run a payment solution on your ePoS system itself.
1. In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.
This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, US-CERT issued a detailed analysis of several common memory scraping malware variants.
Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack. (Krebsonsecurity.com, 2015)
2. Security vendor Trend Micro has warned of a new strain of point-of-sale (PoS) malware designed to lift and exfiltrate customer card data, which has managed to stay undetected since 2013. The analysts who discovered the malware believe this has been in use by criminals since 2013 and possibly even earlier. The malware has been named PwnPOS.
So how come it took so long for it to be spotted?
As the analysts explained: “PwnPOS is one of those perfect examples of malware that’s able to fly under the radar all these years due to its simple but thoughtful construction.”
The malware is constructed from two components: a RAM scraper binary and a binary responsible for data exfiltration. PwnPOS works similarly to most other known POS malware in that it enumerates all running processes, searches their memory for payment card data and dumps it into a separate file, then compresses and encrypts that file and exfiltrates it by email to a pre-defined mail account over SMTP with SSL and authentication.
“Rather than utilizing a third-party executable to send email, it utilizes a known AutoIt routine that makes use of the Collaboration Data Objects (CDO) API suite that is built-in with Microsoft Windows,” Threats Analyst Jay Yaneza shared.
The malware ensures its persistence and hides on the machine by adding and removing itself from the list of services, downloading and deleting files as needed, masquerading malicious files as benign ones and hiding them within the %SYSTEM% directory, and storing the stolen data in a .dat file that does not look out of place in the %SystemRoot%\system32 directory.
“While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors,” Yaneza noted.
“We have seen PwnPOS operating with other PoS malware like BlackPOS and Alina, among small-to-medium businesses (SMB) within Japan, APAC (Australia, India), NABU (United States and Canada) and EMEA (Germany, Romania) running 32-bit versions of either Windows XP or Windows 7.”
The company has provided threat indicators and a YARA rule to detect the RAM scraper component.
Reference: @TrendMicro; also Ronan Murphy, CEO Smarttech & Chairman of the Board at it@Cork European Technology Cluster.