As far back as July 2013, hackers breached the Point of Sale (PoS) networks of luxury department store chain Neiman Marcus. The attack was discovered and contained on Jan. 12, 2014.
Targets
Credit card and debit card data of Neiman Marcus customers was stolen. In addition, Neiman Marcus reported that:
- The compromise affected only in-store customers — online customers were not affected.
- The PIN data associated with the cards was not affected as PoS systems do not use PINs.
- Birth dates and Social Security Numbers (SSN) were not stolen.
- The malware suspected to be behind the incident affects Windows-based PoS terminals.
Technical details
This breach has unique characteristics that match the Target stores compromise of Black Friday of 2013. The similarity in details suggests that a similar technique was used in both attacks. Researchers currently believe that the BlackPOS malware is responsible for this incident.
BlackPOS malware, also known as “reedum” or “Kaptoxa,” is a crimeware kit created in March 2013 and available in underground sites for a small price (about $2000). The alleged creator of the BlackPOS malware is a 17-year-old Russian teenager by the name of “Sergey Taraspov.”
It has been reported that the malware writer has sold 40 copies of the malware so far. As a result of the financial motivation behind PoS attacks, and simplicity of obtaining and using the crimeware kit, it is expected that more retailers will fall victim to similar incidents in 2014.
It is worthwhile to note that a similar PoS malware, vSkimmer, was discovered in early 2013. The version of BlackPOS used in this incident is simpler than vSkimmer as it lacks certain functionalities. In general, the BlackPOS malware lacks certain evasion and stealth techniques used by more advanced malware; however, it is effective in practice and has managed to cause a considerable amount of damage.
Properties of the BlackPOS Malware
BlackPOS malware is written in VBScript and has RAM Scraping capabilities, also known as POSRAM. It scans the memory (RAM) of the PoS devices looking for patterns of card numbers. The RAM Scraping technique exploits the brief time during which the credit card data is stored in unencrypted/raw form inside the device memory, effectively circumventing most of the encryption techniques used to secure the data.
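The "patterns of card numbers" that a RAM scraper hunts for are the same patterns a defender's data-loss-prevention check uses to confirm whether plaintext card data is present where it should not be (for instance in a suspicious TXT staging file found on a PoS terminal, or in a memory dump taken during incident response). The following is an added example, not code from the advisory or from Infoblox: it matches runs of 13 to 19 digits, keeps only those that pass the Luhn checksum that real card numbers satisfy, and reports them masked to the first six and last four digits. The sample text is constructed; the card numbers in it are the widely published issuer test numbers, and the order reference and timestamp are there to show how the Luhn check filters out digit runs that merely look like card numbers.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 consecutive digits that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the form PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str


def find_pans(text: str) -> list[Finding]:
    """Scan text line by line and report Luhn-valid card number candidates, masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group()):
                findings.append(Finding(line_no, mask_pan(m.group())))
    return findings


# Constructed sample standing in for a suspicious TXT staging file or a memory dump excerpt.
# Line 1 holds a 16-digit order reference and line 3 a 14-digit timestamp; neither is Luhn-valid.
SAMPLE = """\
order=8841 ref=1234567890123456 amount=42.10
swipe ok pan=4111111111111111 exp=1215
log tid=20140112093355
pan=5555555555554444 exp=0816
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE):
        print(f"line {f.line_no}: {f.masked}")
```

Run against the constructed sample, only lines 2 and 4 are reported; the order reference and the timestamp fail the checksum. The same filter is why a scraper's hit rate is high: the checksum is part of the card number itself, so unencrypted data in memory is trivially recognizable without any knowledge of the application that holds it.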
Infection Mechanism
BlackPOS infects computers running Windows that are part of PoS systems and have card readers attached to them. These computers are generally found during automated Internet scans and are infected because they have unpatched vulnerabilities in the OS or use weak remote administration credentials. In some rare cases, the malware is also deployed with help from insiders.
Data Communication with Command and Control
BlackPOS stores all the financial data it obtains in a data file locally and regularly attempts to send the data to the malware operators. It uses FTP to move the TXT file from the PoS system to the malware operator server.
At this time, there is no indication of BlackPOS using advanced techniques such as Domain Generation Algorithms (DGA) and/or FastFlux to hide the location of its servers.
Unlike the recently discovered vSkimmer malware, BlackPOS doesn’t have an offline data extraction method.
How existing security defenses are circumvented
Reports indicate that the malware has evaded detection by anti-virus software when it infected the Windows-based PoS terminals.
How Infoblox can help protect against this attack
BASICS – AVOIDING INFECTION
- Patch operating system vulnerabilities.
- Harden the PoS systems by blocking all incoming connections from the Internet. This can be done by properly configuring firewalls and closing unnecessary ports.
- Avoid using weak and default passwords for remote access. It is suspected that some of the infections by the BlackPOS are due to weak passwords used in PoS terminal setups.
ATTACKED & INFECTED? – DISRUPT COMMUNICATION TO THE INTERNET
- Use a whitelist approach and disallow any connection at IP level to unrecognized destinations. Only allow connections to a precompiled list of payment processor IPs/Domains.
- Disable outbound FTP and other unnecessary protocols.
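The two recommendations above, an IP-level destination whitelist and a block on outbound FTP, translate directly into an egress policy that can be checked against firewall or flow logs from the PoS segment; because BlackPOS ships its TXT file over FTP (see "Data Communication with Command and Control"), any FTP attempt from a terminal is a high-confidence alert. The code below is an added example written for this page, not Infoblox or project code. The allowlist entries and the log lines are constructed: the destination addresses come from the RFC 5737 documentation ranges and stand in for a real payment processor and a store back-office network, and the log format is a simplified key=value line of the kind most firewalls can emit.

```python
import ipaddress
import re
from typing import Optional

# Constructed allowlist: (destination network, permitted destination ports; None = any port).
# 198.51.100.0/24 is a placeholder for the payment processor, 10.20.0.0/16 for the store network.
ALLOWLIST = [
    (ipaddress.ip_network("198.51.100.0/24"), {443}),
    (ipaddress.ip_network("10.20.0.0/16"), None),
]

# Protocols a PoS terminal has no business speaking outbound, keyed by destination port.
BLOCKED_PROTOCOLS = {20: "ftp-data", 21: "ftp"}

LOG_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def classify(dst: str, dport: int) -> str:
    """Apply the egress policy to one connection attempt and return a verdict string."""
    addr = ipaddress.ip_address(dst)
    # Protocol block is checked first: FTP is denied even to an otherwise allowed destination.
    if dport in BLOCKED_PROTOCOLS:
        return f"BLOCK outbound {BLOCKED_PROTOCOLS[dport]}"
    for network, ports in ALLOWLIST:
        if addr in network:
            if ports is None or dport in ports:
                return "ALLOW"
            return f"BLOCK port {dport} not permitted for {dst}"
    return "BLOCK unrecognized destination"


def audit(log_text: str) -> list[tuple[str, str]]:
    """Return (log line, verdict) pairs for every parseable connection record."""
    results = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m is None:
            continue
        results.append((line, classify(m.group("dst"), int(m.group("dport")))))
    return results


# Constructed flow records from one PoS terminal (10.20.5.41).
SAMPLE_LOG = """\
2014-01-10T02:14:07 src=10.20.5.41 dst=198.51.100.20 dport=443 proto=tcp
2014-01-10T02:14:09 src=10.20.5.41 dst=10.20.1.5 dport=445 proto=tcp
2014-01-10T03:00:01 src=10.20.5.41 dst=203.0.113.77 dport=21 proto=tcp
2014-01-10T03:05:44 src=10.20.5.41 dst=203.0.113.77 dport=8080 proto=tcp
2014-01-10T03:07:10 src=10.20.5.41 dst=198.51.100.20 dport=80 proto=tcp
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:45} {line}")
```

The ordering of the checks is deliberate: the protocol block is evaluated before the destination allowlist so that FTP is refused even to a whitelisted address, and a whitelisted address is still refused on a port the processor does not use. Running the same policy as a detection over historical logs shows how much legitimate traffic a terminal actually needs, which is usually very little, before the rules are enforced on the firewall.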
External sources
- Neiman Marcus Hack Went Undetected For 5 Months: Report, by Huffington Post
- Report: Neiman Marcus data breach occurred as far back as July, by Chicago Tribune
- BlackPOS Malware developed by 17-Year Old Russian Hacker, by The Hacker News
- Neiman Marcus says SSNs & birth dates not taken in breach, by PCWorld
- Researchers find new point-of-sale malware called BlackPOS, by PCWorld
- VSkimmer Botnet Targets Credit Card Payment Terminals, by McAfee Blog Central