
Symantec MSS Threat Landscape Update: Point of Sale Malware

Created: 10 Feb 2014 • Updated: 17 Mar 2014

EXECUTIVE SUMMARY:

Credit and debit card data theft is one of the earliest forms of cybercrime and persists today. Cybercrime gangs organize sophisticated operations to steal vast amounts of data before selling it in underground marketplaces. Criminals can use the data stolen from a card’s magnetic strip to create clones. It’s a potentially lucrative business with individual cards selling for up to $100.

There are several routes attackers can take to steal this data. One option is to gain access to a database where card data is stored.  Another option is to target the point at which a retailer first acquires that card data – the Point of Sale (POS) system.

Modern POS systems are specially configured computers with sales software installed and are equipped with a card reader. Card data can be stolen by installing a device onto the card reader which reads the data off the card’s magnetic strip, a process known as “skimming”. As this requires additional hardware and physical access to the card reader, it is difficult to carry out this type of theft on a large scale.

This led to the development of malware which copies the card data from the POS system’s memory as soon as it has been read by the card reader. The first attacks of this type were seen in 2005 with a series of campaigns orchestrated by Albert Gonzalez. These attacks led to the theft of over 170 million card numbers. Since then, an industry has developed around attacking POS systems, with tools readily available on the underground marketplace.
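The memory-copying technique described above is the reason PCI DSS forbids cleartext track data on POS hosts, and checking for it is the same test a responder runs to confirm whether a POS system has been exposed. The following Python script is an added example, not code from this advisory or from Symantec: it scans a byte blob (a process memory dump or a suspected exfiltration staging file) for the public ISO/IEC 7813 Track 1 and Track 2 layouts, drops digit runs that fail the Luhn checksum, and reports only masked PANs so the scan itself does not create a second copy of cleartext card data. The sample dump is constructed and uses the widely published 4111 1111 1111 1111 test number; the function and field names are the example’s own.

```python
import re

# Track 1 (format B) and Track 2 layouts as encoded on a card's magnetic
# stripe: start sentinel, PAN, field separator, expiry (YYMM), service code /
# discretionary data, end sentinel. These layouts are public (ISO/IEC 7813).
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]{0,50}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")

# Constructed sample: a fragment of what a POS process memory dump or an
# exfiltration staging file might contain. The PAN 4111111111111111 is the
# public Visa test number; the 1234... PAN fails the Luhn check and shows how
# the checksum filters out digit runs that merely have the right shape.
SAMPLE_DUMP = (
    b"\x00\x00order=1234&total=19.99\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?\x00"
    b";4111111111111111=25121011234567890?\x00"
    b";1234567890123456=25121010000000000?\x00"
    b"\x00log: receipt printer ready\x00"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Locate Luhn-valid track data in a byte blob and report it in masked form."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(blob):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue        # right shape, but not a real card number
            expiry = (m.group(3) if track == 1 else m.group(2)).decode("ascii")
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry_yymm": expiry,
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_file(path: str) -> list:
    """Run the scanner over an on-disk dump (memory image, staging file, carved payload)."""
    with open(path, "rb") as fh:
        return find_track_data(fh.read())


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(f"track {hit['track']} at offset {hit['offset']}: "
              f"PAN {hit['pan']} expires {hit['expiry_yymm']}")
```

On a real engagement the input would be a memory image of the POS payment process or a file recovered from a staging directory; any Luhn-valid hit means cleartext track data was present on the host at capture time, which is what a memory-scraping infostealer relies on. Masking in the scanner output is deliberate: the finding is the presence of the data, not its value.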

Despite improvements in card security technologies and the requirements of the Payment Card Industry Data Security Standard (PCI DSS), there are still gaps in the security of POS systems. This, coupled with more general security weaknesses in corporate IT infrastructure, means that retailers find themselves exposed to increasingly resourceful and organized cybercriminal gangs.

Symantec’s Security Response team has released a whitepaper, Attacks on Point of Sale Systems, which includes mitigation strategies. This whitepaper can be found here:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf


SOC DETECTION CAPABILITIES: 

Emergency response measures have been taken in order to provide MSS customers with early warning and potential escalations for successful exploitations related to this threat. Emergency response signatures may generate false positives and will undergo tuning to ensure enhanced accuracy over time; however, given the nature of the threat, it is prudent to be overly cautious about alerting to potentially related activity. Please contact the SOC’s Analysis team if you have any questions or concerns related to this detection or wish to discuss having such signatures disabled or otherwise adjusted to meet your organization’s needs.

For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation.  If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS Portal at https://mss.symantec.com.

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring for these vulnerabilities once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

Symantec MSS SOC Analytics Detection

  • [MSS URL Detection] Possible Infostealer.Dexter Outbound Communications
  • [MSS URL Detection] Possible InfoStealer.Fysna (ChewBacca) Command and Control Activity

Vendor Detection

Symantec AV:

  • Infostealer.Reedum
  • Infostealer.Reedum.B
  • Infostealer.Reedum.C
  • Infostealer.Reedum!g2
  • Infostealer.Dexter
  • Infostealer.Alina
  • Infostealer.Vskim
  • Infostealer.Fysna

Symantec IPS:

  • System Infected: Trojan.Dexter Communication
  • System Infected: Trojan.Dexter Communication 2
  • System Infected: Trojan.Dexter Communication 3
  • System Infected: Trojan.Alina
  • System Infected: Trojan.Vskim
  • System Infected: Infostealer.Fysna Activity

Palo Alto

Snort/Sourcefire


REFERENCES:

We thank you for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.

Global Client Services Team

Symantec Managed Security Services

https://mss.symantec.com