Kiosk Hack Swarms Employee Break Rooms with PoS Malware

Written by

Hackers infiltrating food kiosk giant Avanti Markets may have jeopardized customer payment card information as well as biometric data.

Avanti offers kiosks installed in corporate break rooms that are tied to vending machines—they allow employees to buy snacks and drinks with a card, fingerprint scan or cash. The company claims 1.6 million users.

“On July 4, 2017, we discovered a sophisticated malware attack which affected kiosks at some Avanti Markets,” the company said in a statement. “Based on our investigation thus far, and although we have not yet confirmed the root cause of the intrusion, it appears the attackers utilized the malware to gain unauthorized access to customer personal information from some kiosks. Because not all of our kiosks are configured or used the same way, personal information on some kiosks may have been adversely affected, while other kiosks may not have been affected.”

Risk Analytics, in an analysis of the situation (confirmed by Brian Krebs to indeed be the Avanti issue), explained the reasons for this lack of conformity:

“A large nationwide vendor that provides self-service kiosks was impacted, and an update was pushed out to these kiosks in the field. The kiosks and the break room supplies (such as drinks, candy, chips and other snacks) are often installed and maintained by local Value-Added-Resellers. In our analysis of the incident, it seems most likely that the larger vendor was compromised, and some or all of the kiosks maintained by local vendors were impacted. We’ve been able to identify at least two smaller vendors with local operations that have been impacted in two different cities though we are not naming any impacted vendors yet, as we’ve been unable to contact them directly.”

In any event, the malware, like most point-of-sale malware, appears to have been designed to lift the cardholder’s first and last name, card number and expiration date—as well as other information.

“In addition, users of the Market Card option may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality,” Avanti added.

According to Risk Analytics, that malware is likely the PoSeidon/FindPOS malware, which has been circulating since 2015. “The presence of the PoSeidon/FindPOS SSL certificate is enough of an indicator that we’re comfortable using it to identify and block C2 operations,” the firm said.

Third-party vendors and supply chain insecurity have been at the center of many a hack—but some say the risk will only grow as the internet of things (IoT) continues to proliferate. In many of these cases, a network controlled device maintained by a third party is not properly patched, audited or controlled.

“Vending machines have been vulnerable to hacking and thefts since the day they were brought to market,” said Michael Patterson, CEO of Plixer, via email. “However, with IoT technology, the stakes are much higher now. The villains behind these infections aren’t interested in stealing the refreshments inside the machine rather, they have their eyes on a much bigger prize: Personally identifiable information (PII), including one-of-a-kind fingerprints that can be resold on the dark web. This is an example of why organizations must begin to follow a least privilege model when deploying IoT devices. IP addresses should be defined, along with Layer 4 protocols and application traffic profiles that IoT devices use to perform their defined task. With this knowledge, network traffic analytics technologies can be leveraged to monitor traffic to and from IoT devices and alert if they send or receive any traffic that falls outside the least privilege policy. Even a single packet of traffic that falls outside the least privilege model should be reported, investigated, and remediated immediately.”

What’s hot on Infosecurity Magazine?