Sat, Jun 1, 2019
Kroll identified several point-of-sale (POS) compromise incidents via its cyber intake process during the month of May 2019, most commonly affecting the retail and service sectors. Cases included POS Shell and POSlurp malware variants as well as fraudulent Merchant Identification Number (MID) refund incidents.
According to Managing Director J. Andrew Valentine, many POS incidents today can be traced to networks being compromised by phishing emails. “About eight to 10 years ago, retail-focused cybercriminals saw the success other threat groups were having with social engineering tactics as an entry vector. They started to move from primarily technical attacks to phishing employees such as store managers and customer care personnel to gain access to networks,” explains Andrew.
Andrew notes a recent case that underscores how cybercriminals have gotten very deliberate in their decision-making: “In this situation, a store manager received an email for an extremely lucrative catering order with details in an attachment. The Word document contained remote access malware that was designed to allow unauthorized access and facilitated the threat actor moving laterally to all the stores in the restaurateur’s environment. The attackers then deployed RAM scrapers set to deploy on Fridays when system memory was loaded with a full week’s worth of transactional data ripe for a maximum return of payment account numbers.”
Kroll has also been seeing a resurgence of MID refund fraud, which Andrew says was prevalent about two years ago before a substantial drop-off in activity. In many of these cases, cybercriminals take advantage of virtual terminals offered to merchants by their financial institution, whether merchant acquirer or processor. Merchants are typically offered this option for instances where they don’t have physical access to customer cards (e.g., mail or telephone orders) or where physical payment terminals are down. These solutions allow merchants to accept credit card payments using their internet-connected computers. The trouble is that retailers often don’t know this resource is available, and therefore have no reason to monitor it. Attackers obtain merchant credentials (usernames and passwords) in any number of ways, including but not limited to social engineering, looking for credentials not erased from POS devices resold online or through auctions, or even from merchant information printed on receipts. With access to these merchant acquirer or processor virtual terminals, attackers can then force high-dollar refunds onto gift cards or compromised credit cards without any corresponding initial sale.
“Unfortunately, many acquirers have no technology to validate that refunds are legitimate,” says Andrew, “and until very recently there were no requirements to match refunds to corresponding sales.” Andrew also points out that people who are assigned to validate refunds might not recognize high-dollar refunds as a red flag if these are common for the industry or business.
Beyond POS attacks, retailers are experiencing more ransomware as cybercriminals across industry sectors seek to optimize ways to monetize network access. Andrew says, “As we described in a previous newsletter, criminals have been following up banking trojan infections with ransomware after draining or diverting funds. We also recently had a case where attackers infected a system with cryptomining malware, but then launched ransomware when the return wasn’t sufficient. The moral of the story is that companies have to be as strategic in their defense as cybercriminals are in their attacks.” (See this issue’s Experts Corner for Andrew’s best practices for preventing and mitigating POS compromises.)
A POS malware attack generally follows a five-step strategy:
Threat actors posed as disgruntled customers and sent a strident complaint to a company’s online customer care center. As a follow-up to the company’s initial response, the fraudsters submitted a Word document that they claimed provided full details of their complaint. Upon opening the attachment, the customer care representative unwittingly unleashed malware that allowed unauthorized access to the merchant’s systems environment. This was followed shortly thereafter by a significant POS attack.
How and why recent MID refund frauds work:
In one MID case that Kroll examined, a threat actor was using the credentials associated with a small enterprise’s payment terminal to issue fraudulent refunds of up to $1.3 million. Many of these refunds happened in the off-hours when no one was on the premises, which was indicative of a remote intrusion. An additional red flag was the fact that this client routinely processed only low-dollar transactions. Kroll determined the threat actors likely compromised a virtual terminal that was provided to the client by their payment processor and used this terminal to issue the fraudulent refunds.
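The three signals described above for virtual-terminal refund fraud (a refund with no corresponding sale, refunds issued outside business hours, and refund amounts far above the merchant's routine ticket size) can be checked mechanically against a transaction export from the acquirer or processor portal, which is the reconciliation the article notes many acquirers were not performing. The following is an added example written for this page; it is not Kroll's tooling or any processor's API. The export layout (ISO timestamp, type, MID, amount, card-or-gift token), the business hours, the 90-day lookback and the "10x median ticket" threshold are all assumptions, and the sample export is constructed.

```python
"""Refund reconciliation against a processor/acquirer transaction export.

Added example, not Kroll tooling. The export layout (ISO timestamp, type,
MID, amount, card-or-gift token) is an assumption; real portals differ.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed sample export (not real data): one merchant, one week.
# The last line is a second refund against a sale that was already refunded.
SAMPLE_EXPORT = """\
2019-05-13T10:15:00,SALE,MID1001,12.50,tok_a1
2019-05-13T10:42:00,SALE,MID1001,8.75,tok_b2
2019-05-13T11:05:00,REFUND,MID1001,8.75,tok_b2
2019-05-13T14:20:00,SALE,MID1001,15.00,tok_c3
2019-05-14T02:10:00,REFUND,MID1001,4800.00,tok_gift9
2019-05-14T02:12:00,REFUND,MID1001,4950.00,tok_gift9
2019-05-14T09:30:00,SALE,MID1001,9.25,tok_d4
2019-05-14T16:00:00,REFUND,MID1001,9.25,tok_d4
2019-05-15T13:00:00,REFUND,MID1001,8.75,tok_b2
"""


@dataclass
class Txn:
    ts: datetime
    kind: str      # "SALE" or "REFUND"
    mid: str       # Merchant Identification Number
    amount: float
    token: str     # processor token for the card or gift card used


@dataclass
class Finding:
    refund: Txn
    reasons: list


def parse_export(text):
    """Parse the assumed comma-separated export into Txn records."""
    txns = []
    for line in text.strip().splitlines():
        ts, kind, mid, amount, token = line.split(",")
        txns.append(Txn(datetime.fromisoformat(ts), kind, mid, float(amount), token))
    return txns


def flag_refunds(txns, open_hour=7, close_hour=22, ticket_multiplier=10,
                 lookback=timedelta(days=90)):
    """Return a Finding for every refund that fails at least one check.

    Checks (thresholds are assumptions chosen for the example):
      1. The refund must consume an earlier, not-yet-refunded sale on the same
         MID and token, within the lookback window, for at least the refund amount.
      2. The refund should fall inside business hours.
      3. The refund should not dwarf the merchant's typical (median) sale.
    """
    txns = sorted(txns, key=lambda t: t.ts)
    sale_amounts = [t.amount for t in txns if t.kind == "SALE"]
    typical = median(sale_amounts) if sale_amounts else 0.0
    open_sales = {}  # (mid, token) -> sales not yet refunded
    findings = []
    for t in txns:
        key = (t.mid, t.token)
        if t.kind == "SALE":
            open_sales.setdefault(key, []).append(t)
            continue
        reasons = []
        match = next((s for s in open_sales.get(key, [])
                      if t.ts - s.ts <= lookback and s.amount >= t.amount), None)
        if match is None:
            reasons.append("no matching sale")
        else:
            open_sales[key].remove(match)  # a sale can only be refunded once
        if not open_hour <= t.ts.hour < close_hour:
            reasons.append("outside business hours")
        if typical and t.amount > ticket_multiplier * typical:
            reasons.append(f"amount {t.amount:.2f} exceeds "
                           f"{ticket_multiplier}x median sale {typical:.2f}")
        if reasons:
            findings.append(Finding(t, reasons))
    return findings


if __name__ == "__main__":
    for f in flag_refunds(parse_export(SAMPLE_EXPORT)):
        print(f"{f.refund.ts:%Y-%m-%d %H:%M} {f.refund.mid} refund "
              f"{f.refund.amount:9.2f}: {'; '.join(f.reasons)}")
```

Run against the constructed export, the two 2 a.m. gift-card refunds trip all three checks, while the final 8.75 refund is flagged only because the sale it points at was already refunded two days earlier; legitimate same-day refunds pass. In practice the export would be pulled from the portal the merchant may not know it has, which is itself the first control: know every virtual terminal issued on your MIDs and who holds credentials for them.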
Based on their fieldwork investigating numerous POS compromise cases, Andrew Valentine and Brandon Nesbit recommend these top five best practices for avoiding or mitigating POS fraud:
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts.