Kroll identified several point-of-sale (POS) compromise incidents via its cyber intake process during the month of May 2019, most commonly affecting the retail and service sectors. Cases included POS Shell and POSlurp malware variants as well as fraudulent Merchant Identification Number (MID) refund incidents.
According to Managing Director J. Andrew Valentine, many POS incidents today can be traced to networks being compromised by phishing emails. “About eight to 10 years ago, retail-focused cybercriminals saw the success other threat groups were having with social engineering tactics as an entry vector. They started to move from primarily technical attacks to phishing employees such as store managers and customer care personnel to gain access to networks,” explains Andy.
Andrew notes a recent case that underscores how cybercriminals have gotten very deliberate in their decision-making: “In this situation, a store manager received an email for an extremely lucrative catering order with details in an attachment. The Word document contained remote access malware that was designed to allow unauthorized access and facilitated the threat actor moving laterally to all the stores in the restaurateur’s environment. The attackers then deployed RAM scrapers set to deploy on Fridays when system memory was loaded with a full week’s worth of transactional data ripe for a maximum return of payment account numbers.”
MID Refund Fraud Making a Comeback
Kroll has also been seeing a resurgence of MID refund fraud, which Andrew says was prevalent about two years ago before a substantial drop-off in activity. In many of these cases, cybercriminals take advantage of virtual terminals offered by the merchant’s financial institution, either the merchant acquirer or the processor. Merchants are typically offered this option for instances where they don’t have physical access to customer cards (e.g., mail or telephone orders) or where physical payment terminals are down. These solutions allow merchants to accept credit card payments using their internet-connected computers. The trouble is that retailers often don’t know this resource is available. Attackers obtain merchant credentials (usernames and passwords) in any number of ways, including but not limited to social engineering, looking for credentials not erased from POS devices resold online or through auctions, or even from merchant information printed on receipts. With access to these merchant acquirer or processor virtual terminals, attackers can then force high-dollar refunds to be loaded onto gift cards or compromised credit cards without a corresponding initial transaction.
“Unfortunately, many acquirers have no technology to validate that refunds are legitimate,” says Andrew, “and until very recently there were no requirements to match refunds to corresponding sales.” Andrew also points out that people who are assigned to validate refunds might not recognize high-dollar refunds as a red flag if these are common for the industry or business.
Beyond POS attacks, retailers are experiencing more ransomware as cybercriminals across industry sectors seek to optimize ways to monetize network access. Andrew says, “As we described in a previous newsletter, criminals have been following up banking trojan infections with ransomware after draining or diverting funds. We also recently had a case where attackers infected a system with cryptomining malware, but then launched ransomware when the return wasn’t sufficient. The moral of the story is that companies have to be as strategic in their defense as cybercriminals are in their attacks.” (See this issue’s Experts Corner for Andrew’s best practices for preventing and mitigating POS compromises.)
Technically Speaking – POS Malware Attack
A POS malware attack generally follows a five-step strategy:
- Malware is introduced onto the targeted system or network, often via email compromise or after exploiting vulnerable or unpatched systems.
- Malware then scans and monitors processes to find data, creates or modifies registry entries to maintain persistence, and may even introduce additional elements such as keyloggers or bot functionality.
- Using RAM “scrapers”, it evaluates the clear-text data held in RAM to separate payment card data from other types of data.
- Payment card data is extracted and transmitted back to the criminals via a command and control (C2) server.
- Attackers use the information to create fraudulent cards for physical use at retail stores and automated teller machines (ATMs), to make online purchases, or to sell for profit on black market websites or forums.
Technically Speaking – MID Refund Fraud
How and why recent MID refund frauds work:
- Intelligence Gathering
Criminals obtain a merchant’s credentials (e.g., username, password, merchant ID number) through social engineering, email-based attacks, purchase of used POS devices where credentials have not been erased, etc.
Attackers program purchased POS devices with the merchant’s credentials or gain access to a merchant’s virtual terminal with credentials obtained during intelligence-gathering.
Refunds are forced through the payment system without a corresponding sales transaction, and the funds are loaded on a gift card.
- Evade Detection
Refund requests are rarely validated against real transaction IDs; monitoring is human-based and often not vigilant; and attackers can mask fraudulent requests within legitimate batches, so detection becomes even harder.
- Loss Recognition
Businesses recognize an imbalance in their financial reporting only after extensive losses.
Threat actors posed as disgruntled customers and sent a strident complaint to a company’s online customer care center. As a follow-up to the company’s initial response, the fraudsters submitted a Word document that they claimed provided full details of their complaint. Upon opening the attachment, the customer care representative unwittingly unleashed malware that allowed unauthorized access to the merchant’s systems environment. This was followed shortly thereafter by a significant POS attack.
In one MID case that Kroll examined, a threat actor was using the credentials associated with a small enterprise’s payment terminal to issue fraudulent refunds of up to $1.3 million. Many of these refunds happened in the off-hours when no one was on the premises, which was indicative of a remote intrusion. An additional red flag was the fact that this client routinely processed only low-dollar transactions. Kroll determined the threat actors likely compromised a virtual terminal that was provided to the client by their payment processor and used this terminal to issue the fraudulent refunds.
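As an added illustration (not from the Kroll article or any processor’s tooling), here is a simple batch check that does what the “Evade Detection” step above says is rarely done: it matches each refund to an originating sale and raises the red flags the MID case describes, namely no corresponding sale, off-hours timing, and amounts far above the merchant’s typical ticket. The store hours, the 10x ticket threshold and the sample records are constructed assumptions.

```python
from datetime import datetime, time
from statistics import median

# Constructed sample data (not from the article): sales and refund
# records as a merchant's processor batch report might list them.
SALES = [
    {"txn_id": "S1001", "amount": 42.50, "ts": "2019-05-03T12:15:00"},
    {"txn_id": "S1002", "amount": 18.00, "ts": "2019-05-03T13:40:00"},
    {"txn_id": "S1003", "amount": 27.25, "ts": "2019-05-04T11:05:00"},
]
REFUNDS = [
    # legitimate: references a real sale, same amount, business hours
    {"refund_id": "R1", "ref_txn": "S1001", "amount": 42.50, "ts": "2019-05-04T14:00:00"},
    # no originating sale, issued at 02:30, far above the typical ticket
    {"refund_id": "R2", "ref_txn": "X9999", "amount": 4800.00, "ts": "2019-05-05T02:30:00"},
    # references a real sale but exceeds its amount
    {"refund_id": "R3", "ref_txn": "S1002", "amount": 250.00, "ts": "2019-05-05T10:00:00"},
]

OPEN, CLOSE = time(8, 0), time(22, 0)  # assumed store hours


def flag_refund(refund, sales_by_id, typical_ticket, hours=(OPEN, CLOSE)):
    """Return the list of red flags raised by one refund (empty list = clean)."""
    flags = []
    sale = sales_by_id.get(refund["ref_txn"])
    if sale is None:
        flags.append("no matching sale")
    elif refund["amount"] > sale["amount"]:
        flags.append("exceeds original sale")
    ts = datetime.fromisoformat(refund["ts"])
    if not (hours[0] <= ts.time() <= hours[1]):
        flags.append("off-hours")
    if refund["amount"] > 10 * typical_ticket:  # assumed threshold
        flags.append("amount far above typical ticket")
    return flags


def review_batch(sales, refunds):
    """Map each refund id to its red flags, using the median sale as the typical ticket."""
    sales_by_id = {s["txn_id"]: s for s in sales}
    typical = median(s["amount"] for s in sales)
    return {r["refund_id"]: flag_refund(r, sales_by_id, typical) for r in refunds}


if __name__ == "__main__":
    for rid, flags in review_batch(SALES, REFUNDS).items():
        print(rid, "OK" if not flags else ", ".join(flags))
```

In practice the sales side would come from the merchant’s own POS batch, not from the virtual terminal the attacker controls, so a forced refund with no originating sale stands out even when it is mixed into a legitimate batch.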
Kroll Experts Corner: Top Five Best Practices for Mitigating POS Compromises
Based on their fieldwork investigating numerous POS compromise cases, Andrew Valentine and Brandon Nesbit recommend these top five best practices for avoiding or mitigating POS fraud:
- Segregate Payment and Corporate Networks
This separation will help keep intruders from moving between these systems. On a related note, ensure systems in the cardholder data environment cannot communicate directly with the internet or with other systems that have that capability.
- Restrict Outbound Activity From the Card Processing Environment
Restrict this activity to only specific destinations required for transaction processing. Consider going further by including a whitelist of only trusted programs, websites, IP addresses and associated ports and protocols.
- Implement End-to-End Encryption (E2EE) on Payment Devices
E2EE effectively prevents RAM-scraping malware from carving cardholder data out of memory.
- Conduct Regular Employee Training and Security Awareness
Pay particular attention to social engineering schemes and help employees learn how to spot phishing emails and other attempts to manipulate them into providing access.
- Implement Multi-factor Authentication for All Privileged Accounts and Remote Access
Merchants should work to implement a multi-factor authentication scheme for all remote access into both corporate and PCI environments.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts.