New research from Arbor Networks has revealed that over the last several years, PoS attack campaigns have evolved from opportunistic attacks involving crude theft of card data with no centralized command and control. They morphed into memory-scraping PoS botnets with centralized C&Cs, and most recently have become highly targeted attacks that require a substantial amount of lateral movement and custom malware created to blend in with the target organization.
“While contemporary PoS attackers are still successful in using older tools and methodologies that continue to bring results due to poor security, the more ambitious threat actors have moved rapidly, penetrating organizational defenses with targeted attack campaigns,” wrote the company, in a blog.
It also noted the substantial compromise lifespans within organizations that have active security teams and managed infrastructure. “The longevity and extent of attack campaigns is a serious concern,” the company noted. “Point of sale compromises have proliferated for months prior to detection. If attackers are able to launch long-running campaigns in such enterprise retail environments, one can conclude that many other organizations with less mature network and infrastructure management are also at serious risk.”
Arbor ASERT is currently tracking Dexter and Project Hook malware activity, along with other PoS malware including Alina, Chewbacca, Vskimmer and JackPoS. It also has followed less popular malware such as variants of POSCardStealer and others.
Of particular note is Alina, which has been developed since at least March of 2012, with the most recent development taking place in Feb of 2014. Alina seems to be popular, and new instances appear frequently, Arbor noted.
“Organizations of all sizes are encouraged to seriously consider a significant security review of any PoS deployment infrastructure to detect existing compromises as well as to strengthen defenses against an adversary that continues to proliferate and expand attack capabilities,” it concluded.