POS Systems are Hackers' Favorite
Point of Sale (PoS) systems have long been one of the favorite targets of hackers, for a number of reasons: the high value of the data they process, the ease of access to that data, and the network connectivity they commonly have for sending data out. Like many other systems, PoS was probably designed at a time when security incidents were rarer and other goals, such as more functionality, ease of use and lower cost, had higher priority.
Credit card or debit card numbers held in PoS systems are what hackers usually go after. In the underground market, these numbers sell for anywhere from a few dollars to more than $100 apiece. The stolen numbers are then used to create counterfeit cards or to purchase goods directly from online stores. Hackers profit if they find a way to harvest those card numbers at scale.
We’ve seen plenty of PoS hacking activity in the past, especially in the retail and restaurant industries. Notable examples in retail include the Target data breach in 2013 and the Home Depot data breach in 2014. In both cases, the retailers had to spend millions of dollars on an internal investigation, on settlements with the banks and on settlements with impacted customers. Examples in restaurants include the data breaches of P.F. Chang’s in 2014 and Wendy’s in 2015, though these made fewer headlines because the breaches were smaller in scale.
A hacker’s campaign often follows these common steps: planting malware inside a victim’s network, collecting the card data from Point of Sale terminals or servers, and then sending that data out to a server controlled by the hackers. For the first step, hackers can use common malware infection methods such as remote or direct access; for the second step, their techniques include RAM scrapers, network sniffers and database theft, among others.
Once the hackers have collected the card data, it is critical for them to send it out. Example methods include carrying the data out on a USB disk if they have physical access to the PoS, sending it out by email, or uploading it to FTP/HTTP servers. They can also send the data out over DNS with a method called DNS tunneling, in which sensitive data is transported in the subdomain portion of a DNS query.
New PoS Malware that Uses DNS Tunneling
Off-the-shelf, ready-to-use DNS tunneling software such as Iodine and DNSCat is already available. Recently, security researchers found a new family of PoS malware called “UDPoS” that uses DNS tunneling to pass credit card data to ns[.]service-logmeln[.]network. (For a more detailed description, see https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns).
Based on the sample data, it is clear that the data was encrypted and that there was no signature in the data itself. Thus any signature-based method, a common tactic for detecting DNS tunnels, would fail to detect such data exfiltration. Enterprises cannot simply block the DNS protocol or port, because DNS is a critical network infrastructure service. While blocking ns[.]service-logmeln[.]network would work for the sample data, hackers can simply change the domain name of their servers, or even use advanced techniques such as DGA (Domain Generation Algorithm) to hide their server behind thousands of fake domain names, making blacklist-based blocking mechanisms ineffective.
Stopping PoS Attacks and DNS Tunneling
Fortunately, there is a method to detect such malicious activity: behavior-based anomaly detection in DNS. Even though the queries used by UDPoS are legitimate DNS queries, they behave quite differently from normal DNS queries in that they have very different lexical features. For example, the following is one of the queries this malware generates: e8cdf1ce69ec8ac.bin.92753b5792ad47766fc0a6dc225d18[.]a0c4fce0ec0dc142692045ff94b8a9[.]d4641f118d09d2778136de79d6bebb[.]a1cad77d94396dd5550a344ddec895[.]ns[.]service-logmeln[.]network (credit: our colleagues at Forcepoint). Compared with an ordinary lookup, this name is far longer, has many more labels, and its subdomain labels are long runs of high-entropy hexadecimal characters rather than words.
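To make the lexical-feature idea concrete, here is an added example (not Infoblox's or Forcepoint's code) that scores query names on total length, subdomain entropy and hex ratio, using the defanged UDPoS name quoted above alongside constructed benign lookups. The thresholds and the assumption that the last two labels form the registered domain are illustrative choices, not tuned values.

```python
import math
from collections import Counter

# Constructed sample set: the defanged UDPoS-style name quoted in the post plus
# ordinary lookups for comparison. No real traffic is involved.
SAMPLE_QUERIES = [
    "e8cdf1ce69ec8ac.bin.92753b5792ad47766fc0a6dc225d18[.]a0c4fce0ec0dc142692045ff94b8a9"
    "[.]d4641f118d09d2778136de79d6bebb[.]a1cad77d94396dd5550a344ddec895[.]ns[.]service-logmeln[.]network",
    "www.example.com",
    "mail.example.com",
    "cdn-static.example-shop.net",
]
HEX_DIGITS = set("0123456789abcdef")


def shannon_entropy(text):
    """Bits per character: random hex tends toward 4.0, dictionary words sit far lower."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Refang '[.]', normalise, and return (full name, subdomain labels, registered domain).
    Assumption: the last two labels are the registered domain; a public-suffix list
    would be needed to handle names such as example.co.uk correctly."""
    name = qname.replace("[.]", ".").rstrip(".").lower()
    labels = name.split(".")
    return name, labels[:-2], ".".join(labels[-2:])


def lexical_features(qname):
    """Per-query lexical features that separate tunnelled names from ordinary lookups."""
    name, sub, _ = split_name(qname)
    sub_text = "".join(sub)
    hex_ratio = sum(ch in HEX_DIGITS for ch in sub_text) / len(sub_text) if sub_text else 0.0
    return {
        "total_length": len(name),
        "label_count": len(sub) + 2,
        "max_label_length": max((len(label) for label in sub), default=0),
        "subdomain_entropy": shannon_entropy(sub_text),
        "subdomain_hex_ratio": hex_ratio,
    }


def is_suspicious(qname, max_len=100, min_entropy=3.5, min_hex_ratio=0.9, min_label=16):
    """Flag a name when at least two of three illustrative indicators fire."""
    f = lexical_features(qname)
    hits = ((f["total_length"] > max_len)
            + (f["subdomain_entropy"] > min_entropy)
            + (f["subdomain_hex_ratio"] > min_hex_ratio and f["max_label_length"] >= min_label))
    return hits >= 2


def flag_domains(queries):
    """Registered domains whose queries look like tunnelling; candidates for blocking."""
    return sorted({split_name(q)[2] for q in queries if is_suspicious(q)})
```

In practice a detector would combine these per-query features with per-domain volume (many unique subdomains under one registered domain over a short window), which is what distinguishes behavioral detection from matching a known name.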
Infoblox’s Threat Insight product line was built to detect such malicious activity in DNS traffic. Not only is it trained on trillions of real DNS queries, it is also directly integrated with Infoblox DNS products. Running on premises or in the cloud, Threat Insight can detect data exfiltration over DNS tunneling as used by UDPoS. Infoblox Threat Insight can be deployed off the shelf without any special product configuration, thanks to its artificial intelligence and machine learning algorithms. In a test case involving UDPoS on a network equipped with Threat Insight, Threat Insight detected the UDPoS activity as malicious after 7 to 44 queries (in different query configurations). Those detections can then be fed to Infoblox’s DNS firewall to block all future UDPoS communications. This makes hackers’ lives miserable, as their attempts fail before significant amounts of data are exfiltrated. In addition, cloud-based Threat Insight can also detect DGA and Fast Flux (another blacklist-evading technique). For details of DNSMessenger, another piece of malware that communicates over DNS, see http://blog.talosintelligence.com/2017/03/dnsmessenger.html.
Infoblox offers a suite of security products including signature-based Advanced DNS Protection, advanced Threat Intelligence, and Threat Insight, as part of the ActiveTrust® and ActiveTrust® Cloud solutions. Together, these security products monitor DNS traffic at different checkpoints and disrupt malware communications. For more information, please visit infoblox.com.