Channel: Symantec Connect - Blog Entries

Symantec MSS Threat Landscape Update: Point of Sale Malware


Credit and debit card data theft is one of the earliest forms of cybercrime and persists today. Cybercrime gangs organize sophisticated operations to steal vast amounts of data before selling it in underground marketplaces. Criminals can use the data stolen from a card’s magnetic strip to create clones. It’s a potentially lucrative business with individual cards selling for up to $100.

There are several routes attackers can take to steal this data. One option is to gain access to a database where card data is stored. Another option is to target the point at which a retailer first acquires that card data: the Point of Sale (POS) system.

Modern POS systems are specially configured computers with sales software installed and are equipped with a card reader. Card data can be stolen by attaching a device to the card reader that reads the data off the card’s magnetic strip, a process known as “skimming”. Because this requires additional hardware and physical access to the card reader, it is difficult to carry out this type of theft on a large scale.

This led to the development of malware that copies the card data as soon as it is read by the card reader. The first attacks of this type were seen in 2005, in a series of campaigns orchestrated by Albert Gonzalez that led to the theft of over 170 million card numbers. Since then, an industry has developed around attacking POS systems, with tools readily available on the underground marketplace.

Despite improvements in card security technologies and the requirements of the Payment Card Industry Data Security Standard (PCI DSS), there are still gaps in the security of POS systems. This, coupled with more general security weaknesses in corporate IT infrastructure, means that retailers find themselves exposed to increasingly resourceful and organized cybercriminal gangs.

Symantec’s Security Response team has released a whitepaper, Attacks on Point of Sale Systems, which covers these attacks and includes mitigation strategies. The whitepaper can be found here:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf


SOC DETECTION CAPABILITIES:

Emergency response measures have been taken in order to provide MSS customers with early warning and potential escalations for successful exploitations related to this threat. Emergency response signatures may generate false positives and will undergo tuning to ensure enhanced accuracy over time; however, given the nature of the threat, it is prudent to be overly cautious about alerting to potentially related activity. Please contact the SOC’s Analysis team if you have any questions or concerns related to this detection or wish to discuss having such signatures disabled or otherwise adjusted to meet your organization’s needs.

For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, please contact support@monitoredsecurity.com.

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring for these vulnerabilities once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

Symantec MSS SOC Analytics Detection

  • [MSS URL Detection] Possible Infostealer.Dexter Outbound Communications
  • [MSS URL Detection] Possible InfoStealer.Fysna (ChewBacca) Command and Control Activity

Vendor Detection

Symantec AV:

  • Infostealer.Reedum
  • Infostealer.Reedum.B
  • Infostealer.Reedum.C
  • Infostealer.Reedum!g2
  • Infostealer.Dexter
  • Infostealer.Alina
  • Infostealer.Vskim
  • Infostealer.Fysna

Symantec IPS:

  • System Infected: Trojan.Dexter Communication
  • System Infected: Trojan.Dexter Communication 2
  • System Infected: Trojan.Dexter Communication 3
  • System Infected: Trojan.Alina
  • System Infected: Trojan.Vskim
  • System Infected: Infostealer.Fysna Activity

Palo Alto:

  • spyware[4]/Dexter.POS Command and Control Traffic(13305)

Snort/Sourcefire:

  • SID 29421 - MALWARE-CNC Win.Trojan.Reedum BlackPoS outbound FTP connection
  • SID 29422 - MALWARE-CNC Win.Trojan.Reedum BlackPoS outbound FTP connection
  • SID 25553 - MALWARE-CNC Win.Trojan.Dexter variant outbound connection
  • SID 29416 - MALWARE-CNC Win.Trojan.vSkimmer outbound connection
  • SID 29440 - MALWARE-CNC Win.Trojan.Chewbacca outbound communication attempt


REFERENCES:

  • A Special Report on Attacks on Point of Sales Systems
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf
  • To Protect Your Point of Sale (POS) systems, Add Layers
    http://www.symantec.com/connect/blogs/protect-your-pos-add-layers?inid=us_ghp_thumbnail4_computer-security-software
  • Symantec Endpoint Protection (SEP) 12 Migration
    http://www.symantec.com/page.jsp?id=sep12-migration
  • How to Secure Your Mobile Point of Sale Devices
    http://www.symantec.com/connect/blogs/how-secure-your-mobile-point-sale-devices
  • Demystifying Point of Sale Malware and Attacks
    http://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks
  • Infostealer.Reedum
    http://www.symantec.com/security_response/writeup.jsp?docid=2013-032914-2036-99
  • Infostealer.Reedum.B
    http://www.symantec.com/security_response/writeup.jsp?docid=2013-121909-3813-99
  • Infostealer.Reedum.C
    http://www.symantec.com/security_response/writeup.jsp?docid=2013-121920-1520-99
  • Infostealer.Reedum!g2
    http://www.symantec.com/security_response/writeup.jsp?docid=2014-013009-4928-99
  • Infostealer.Dexter
    http://www.symantec.com/security_response/writeup.jsp?docid=2012-121219-2643-99
  • Infostealer.Alina
    http://www.symantec.com/security_response/writeup.jsp?docid=2013-021112-1503-99
  • Infostealer.Vskim
    http://www.symantec.com/security_response/writeup.jsp?docid=2013-012807-1646-99
  • Infostealer.Fysna
    http://www.symantec.com/security_response/writeup.jsp?docid=2013-121813-2446-99
  • System Infected: Trojan.Dexter Communication
    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26265
  • System Infected: Trojan.Dexter Communication 2
    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27108
  • System Infected: Trojan.Dexter Communication 3
    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27206
  • System Infected: Infostealer.Alina
    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26451
  • System Infected: Trojan.Vskim
    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26651
  • System Infected: Infostealer.Fysna Activity
    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27226

We thank you again for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback regarding this report, please contact your Services Manager or the Analysis Team, who can be reached by requesting help via phone or e-mail, or by visiting the MSS portal at https://mss.symantec.com.


Global Client Services Team, Symantec Managed Security Services

NAM (Herndon, VA) Toll Free +1-888-467-4748 / International +1-703-414-4444

APJ (Sydney, Australia) +61-2-9086-8400 | (Tokyo, JP) +81-3-5114-4700

EMEA (Reading, UK) +44-(0)-207-949-0200
