Cybersecurity Firm Attivo Warns New POS Hacks Coming

Most often, hackers move laterally, undetected through networks, compromising asset management servers and using them to plant malware on POS terminals.

Remember the highly publicized attacks on Target stores in December 2013 and Home Depot in September 2014 that stole millions of credit card numbers and PINs at POS terminals? These types of attacks are not going away anytime soon and, in fact, are becoming more frequent, according to a new industry report.

Deception cybersecurity software provider Attivo Networks issued research Dec. 7 that warns about serious vulnerabilities in the nation's point-of-sale systems that could lead to more large retail-system breaches during the holiday shopping period and into next year.

Fremont, Calif.-based Attivo, which specializes in creating bogus but realistic copies of IT systems in order to attract, catch and contain cyber-criminals, detailed in the report how attackers are now operating in order to hack into such systems.

Most often they move laterally, undetected through networks, compromising asset management servers and then using them to plant malware on POS terminals for either timed or remote activation, creating the foundation for wide-scale credit-card information theft.

Details in the Report

The report, available here, covers:

--details of the vulnerabilities and three cases of breach within large, regional and mid-sized retail organizations;

--the anatomy and findings from these attacks; and

--recommendations for early attack visibility and detection.

The report points out that many of today's POS devices are particularly vulnerable to malware since they run on older, unprotected Windows XP or even DOS-based systems, for which anti-virus is not available.

Additionally, in some cases, the patch management systems run in trusted modes, and there may be no anti-virus running at all. The report notes that having an endpoint security solution is not a fail-safe way to prevent attacks, because many of these attacks are targeted, originate from the endpoints and use stolen credentials to breach the systems.

Early Visibility into Threat is Key

"Early visibility into these threats and the reduction of dwell time can mean the difference between a minor incident or a wide scale public breach," Marc Feghali, co-founder of Attivo Networks said. "We found that deception changes the game and adds detection in the heart of the attacker operations. Early detection of attempts to compromise asset management servers, POS terminals and gateways is the key to stopping wide-scale attacks and the breaches we all too often read about."

Traditional security devices have proven ineffective in detecting an attacker's lateral movement, in providing visibility into malware activation between asset servers and POS terminals, and in accurately correlating attack forensic data, Feghali said, according to the report.

The lack of visibility into POS attacks provides an environment where attackers can operate with as much time as they need to find and compromise a key asset such as an Active Directory or patch management server that will expose the POS payment processing gateways, Feghali said.

Once identified, the attacker deploys malware through the patch-management software and then compromises the payment processing application using a RAM scraper as a final payload of the attack to steal and upload card data. Once compromised, it remains a constant challenge for organizations to have visibility into how widespread the attack may be and how to conclusively shut down these attacks, the report said.

First Time Deception Security Used in POS Sector

This was the first time deception technology has been used to provide visibility into a POS attack, as well as defeat it. Researchers introduced deception technology into POS networks and found that creating lures and decoys could successfully trick attackers into revealing themselves through initial and ongoing attack phases.
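As an added illustration of the early-detection idea described above (this is not code from Attivo or from the report), the following Python checks a patch-management server's deployment log for pushes to POS terminals that a legitimate job would not generate: a job targeting a decoy terminal, an unapproved package, an unexpected account, or a run outside the maintenance window. The log format, hostnames, account names, package names and window are all assumptions.

```python
import re
from datetime import time

# Constructed sample log: what a patch-management server might record when it
# pushes a package to a POS terminal. Format and values are assumptions.
SAMPLE_LOG = """\
2016-12-06T02:15:00 deploy account=svc_patch host=POS-LANE-012 package=posagent-4.2.1.msi
2016-12-06T02:16:00 deploy account=svc_patch host=POS-LANE-013 package=posagent-4.2.1.msi
2016-12-06T14:41:00 deploy account=jsmith host=POS-LANE-014 package=update_helper.exe
2016-12-06T03:02:00 deploy account=svc_patch host=POS-LANE-099 package=posagent-4.2.1.msi
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) deploy account=(?P<account>\S+) host=(?P<host>\S+) package=(?P<package>\S+)$"
)

APPROVED_PACKAGES = {"posagent-4.2.1.msi"}   # assumed change-controlled package list
APPROVED_ACCOUNTS = {"svc_patch"}            # assumed service account for deployments
DECOY_HOSTS = {"POS-LANE-099"}               # decoy terminal: no real job should target it
MAINT_WINDOW = (time(1, 0), time(4, 0))      # assumed nightly maintenance window


def classify(line):
    """Return the list of alert reasons for one log line; [] means the push looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    if m["host"] in DECOY_HOSTS:
        reasons.append("decoy-host")  # highest fidelity: only an intruder touches a decoy
    if m["package"] not in APPROVED_PACKAGES:
        reasons.append("unapproved-package")
    if m["account"] not in APPROVED_ACCOUNTS:
        reasons.append("unexpected-account")
    hhmm = time.fromisoformat(m["ts"].split("T")[1])
    if not (MAINT_WINDOW[0] <= hhmm <= MAINT_WINDOW[1]):
        reasons.append("outside-maintenance-window")
    return reasons


def scan(log_text):
    """Map each alerting terminal to its reasons; benign and unparseable lines are skipped."""
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify(line)):
            alerts[m["host"]] = reasons
    return alerts
```

Feeding `SAMPLE_LOG` to `scan` flags only the daytime push of an unlisted executable and the job aimed at the decoy terminal, which is the kind of early signal the report argues must be caught before malware reaches the lanes.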

"Based on this research, we predict that in 2017 there will be a significant increase in reported POS attacks, largely due to the high probability that these systems have already been breached and attackers are already active throughout many networks today, undetected and unchecked," said Attivo CEO Tushar Kothari.

"There is a high likelihood that breaches during this holiday period won't be detected until well later in the year, and unfortunately well after the cardholders have suffered the consequence of shopping for what will no longer feel like a good holiday deal."

Chris J. Preimesberger

Chris J. Preimesberger is Editor of Features & Analysis at eWEEK, responsible in large part for the publication's coverage areas. In his 12 years and more than 3,900 stories at eWEEK, he...