New Report Analyzes Point of Sale Malware

A report from security vendor Cyphort takes a look at the main malware families behind recent retail breaches.


Over the course of the last 12 months, there has been a relentless string of disclosures about retail data breaches, typically as a result of some form of point-of-sale (POS) malware. A new report from security vendor Cyphort analyzes some of the main culprits.

One of the largest retail breaches of the last year involves Home Depot, which exposed 56 million payment cards and 53 million email addresses. Home Depot first confirmed it was the victim of a data breach in September, noting that the malware that hit its operations was previously unknown.

Dr. Fengmin Gong, co-founder and chief architect at Cyphort, suspects that the malware behind the Home Depot breach is one known as FrameworkPOS, though there is reason for some doubt.

"Cyphort does not have a sample in hand with proper chain of custody to link to Home Depot," Gong told eWEEK. "We believe it to be FrameworkPOS based on our analyses of all POS samples we do have and other research reports in the community."

Gong added that it's also possible that the malware that hit Home Depot is a variant of Backoff, given that Home Depot itself described the malware as previously unknown. Cyphort's focus is more on the behavior of the various POS malware families than on which one was used in a particular breach, he said.

The Backoff malware family was first publicly disclosed by the United States Secret Service in a July 2014 advisory. At least 1,000 U.S. businesses, most of them retailers, have been impacted by Backoff.

In addition to Backoff and FrameworkPOS, Cyphort has analyzed a malware family known as BlackPOS, which the company suspects was behind the Target breach that began in November 2013. In the Target breach, 40 million payment cards and personal information for up to 70 million customers were affected, and the retailer publicly stated in August that it would be taking a $148 million charge to cover breach-related expenses.

Across Backoff, FrameworkPOS and BlackPOS, there are a number of common characteristics. What they share above all is the ability to harvest credit card data by scraping the memory of POS machines, according to Gong. Beyond that, Backoff sets itself apart from FrameworkPOS and BlackPOS in many aspects of its sophistication and capability, he added.

Security vendor Trustwave is credited by the U.S. Secret Service as helping to initially discover Backoff malware. Trustwave Lead Security Researcher Ryan Merritt explained to eWEEK that all of the POS malware families scrape running memory (RAM) to pull out credit card numbers as they are being processed. Some malware families are more specific about what they are targeting in memory, but they are all memory scrapers, he said.
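The memory-scraping behaviour that Gong and Merritt both describe can be shown from the defender's side. The following is an added example, not code from Cyphort, Trustwave or the report: it scans constructed process-memory buffers for magnetic-stripe Track 1 and Track 2 records, keeps only candidates whose primary account number passes the Luhn check (the usual way, for scrapers and defenders alike, to discard digit runs that merely look like card numbers), and takes an optional process allow-list that mirrors the families Merritt mentions which only look at specific payment processes. The process names, buffers and offsets are constructed; the card numbers are public test numbers, not real cards.

```python
"""Scan memory buffers for magnetic-stripe track data (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Track 2 layout: ';' PAN(13-19 digits) '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")
# Track 1 (format B): '%B' PAN '^' cardholder-name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)


@dataclass
class TrackHit:
    process: str
    track: int
    offset: int
    pan_masked: str
    expiry: str


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check on a candidate PAN; filters most false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(process: str, buf: bytes) -> list:
    """Return Luhn-valid track records found in one memory buffer, ordered by offset."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue        # digits that look like a PAN but fail mod 10
            hits.append(TrackHit(process, track, m.start(), mask_pan(pan),
                                 m.group("exp").decode("ascii")))
    hits.sort(key=lambda h: h.offset)
    return hits


def scan_processes(regions: dict, targets: Optional[set] = None) -> list:
    """Scan several processes' memory. targets=None scans everything (the broad
    scrapers); a set of process names restricts the scan the way the more
    targeted families do."""
    hits = []
    for name, buf in regions.items():
        if targets is not None and name.lower() not in targets:
            continue
        hits.extend(scan_buffer(name, buf))
    return hits


# Constructed "memory" for two hypothetical processes, built from public test
# card numbers. Offsets: Track 2 record starts at byte 16 of pos.exe.
SAMPLE_REGIONS = {
    "pos.exe": (
        b"\x00" * 16
        + b";4111111111111111=2512101123456789?"              # valid Track 2
        + b"\x90\x90log: txn ok\x00"
        + b"%B5555555555554444^DOE/JANE^2512101000000000?"    # valid Track 1
        + b";4111111111111112=2512101123456789?"              # Luhn-invalid decoy
        + b"\x00" * 8
    ),
    "explorer.exe": b"cache ;4111111111111111=2512101000000000? end",  # valid, but not a payment process
}

if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_REGIONS, targets={"pos.exe"}):
        print(hit)
```

Running the block with `targets={"pos.exe"}` reports two findings in the POS process and ignores the copy sitting in `explorer.exe`; calling `scan_processes(SAMPLE_REGIONS)` with no allow-list reports all three. The Luhn-invalid decoy is dropped in both cases, which is exactly why a plain "16 digits" pattern is a poor detection signature and why the scrapers add the same check.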

"The main functionality is quite similar. Some even argued that BlackPOS and FrameworkPOS were the same family," Merritt said. "But the biggest differences typically are in how the malware handles maintaining its own persistence on the victim system, and if it handles the exfiltration of the compromised card data."

Within the POS malware families, there are now multiple variants as well. In fact, Backoff has more than 10 discovered variants at this point, according to Merritt.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.