BlackPOS attaches itself to the POS process using an inter-process hook, scans the process's memory chunks, and fetches the Track 1 and Track 2 data (the sensitive data on the customer's payment card). This is shipped off to an attacker at one or more remote locations. The malware was designed specifically for the POS world and carries detailed knowledge of memory injection. Specialists speculate that the malware could enter the system through the update process, where POS systems receive updates from centralized servers.
There is a high probability that your standard anti-virus software won't catch it, and even if it does catch some variants, these pieces of malware are constantly re-engineered to appear completely different. Tough luck catching that!
In our experience, retailers do not devote the time and attention required to secure their POS infrastructure, both servers and devices. These servers are (mostly) internal, so IT and security teams largely perceive the risk to be purely 'internal' and consequently 'low'. On more than one occasion we have found that compromising these central servers to intercept communications and load malware is a relatively trivial task for an insider or a determined outsider.
The Point of Sale malware being sold online.
I still worry that this problem is a silent but massive issue that everyone seems to be wantonly ignoring. I have two words for you: "Egress Filtering". The threat of someone (or some malware) stealing card numbers from your network is only realized when data is taken *out* of your network; this is a fundamental requirement of any kind of cardholder data theft. However, I have not seen many retailers take this issue seriously. Networks are still designed to keep bad stuff out (from the outside) rather than to stop the assets (in this case, cardholder data) from leaving the network from the inside.
The solution to this problem is well known, but in all this talk of advanced attacks, simple firewall management and network security seem to have been forgotten. Attackers can pull data out using FTP, encrypted file transfers, SSH tunnels, HTTP tunnels and so on. Your defense on the network depends on the following:
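As an added example of the egress filtering argued for above (this is not code from the original post): a small Python policy check that treats the POS segment as default-deny outbound, allowing only an allowlisted payment processor and update server, and that additionally inspects outbound payloads for Track 1/Track 2 records carrying a Luhn-valid PAN, the same data BlackPOS scrapes from memory. The hostnames, ports and sample connections are constructed placeholders, and the PAN used is a standard test number.

```python
import re
from dataclasses import dataclass, field

# Constructed egress allowlist for the POS network segment (hypothetical hostnames):
# the payment processor and the internal update server are the only destinations
# a POS terminal has any business talking to. Everything else is denied by default.
EGRESS_ALLOWLIST = {
    ("payments.processor.example", 443),
    ("updates.pos.internal", 443),
}

# Magnetic-stripe track layouts (ISO/IEC 7813). Track 2: ';' PAN '=' YYMM expiry,
# 3-digit service code, discretionary data, '?'. Track 1 (format B): '%B' PAN '^'
# cardholder name '^' YYMM expiry, service code, discretionary data, '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check digit test; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    reasons: list = field(default_factory=list)


def find_track_data(payload: bytes) -> list:
    """Return a label for each track-formatted record with a Luhn-valid PAN in the payload."""
    text = payload.decode("latin-1")     # 1:1 byte-to-char mapping, never raises
    hits = []
    for label, pattern in (("track 2", TRACK2_RE), ("track 1", TRACK1_RE)):
        for m in pattern.finditer(text):
            if luhn_valid(m.group(1)):
                hits.append(f"{label} record, PAN ending {m.group(1)[-4:]}")
    return hits


def inspect_egress(dst_host: str, dst_port: int, payload: bytes) -> Verdict:
    """Decide whether an outbound connection from the POS segment may proceed."""
    reasons = []
    if (dst_host, dst_port) not in EGRESS_ALLOWLIST:
        reasons.append(f"destination {dst_host}:{dst_port} not in POS egress allowlist")
    reasons.extend(f"cardholder data in clear text: {h}" for h in find_track_data(payload))
    return Verdict("block" if reasons else "allow", reasons)


# Constructed sample of outbound attempts from a POS terminal. The PAN 4111111111111111
# is a standard test number; hosts and addresses are documentation/placeholder values.
SAMPLE_EGRESS = [
    ("payments.processor.example", 443, b"POST /auth HTTP/1.1\r\nContent-Length: 0\r\n\r\n"),
    ("ftp.example.net", 21, b"STOR dump.txt\r\n"),
    ("203.0.113.10", 80,
     b"POST /up HTTP/1.1\r\n\r\n"
     b";4111111111111111=25121011234567890?\r\n"
     b"%B4111111111111111^DOE/JOHN^25121011234567890?\r\n"),
    ("updates.pos.internal", 443, b";1234567890123456=2512101?\r\n"),  # PAN fails Luhn
]


def run_samples() -> list:
    """Evaluate every constructed sample against the egress policy."""
    return [inspect_egress(h, p, data) for h, p, data in SAMPLE_EGRESS]


if __name__ == "__main__":
    for (host, port, _), v in zip(SAMPLE_EGRESS, run_samples()):
        print(f"{host}:{port} -> {v.action}", *[f"  - {r}" for r in v.reasons], sep="\n")
```

The destination allowlist is the primary control here, not the payload inspection: the encrypted transfers and SSH/HTTP tunnels mentioned above carry nothing a content scanner can read, so a default-deny outbound rule for the POS segment (with the few legitimate destinations enumerated) is what actually stops exfiltration, and the track-data check only catches the careless cases in clear text.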
The PCI-DSS has become both a bane and a crutch for the retail industry. Several people mistakenly perceive it to be "the only security standard ever needed". They believe that if they are compliant and certified against the PCI-DSS, their work in security is done and they are good to go. At the outset, the PCI-DSS as a compliance standard is very important for retailers and the entire payment card industry. It has introduced some very powerful and, in several cases, extremely necessary controls to address security risks to cardholder data. For instance, security for POS devices and the network security requirements addressed above are covered in great depth by the PCI-DSS.
However, the trouble lies in the way the standard is interpreted. For instance, let's say that I am a retailer with a large infrastructure of integrated POS systems. The PCI-QSA (Qualified Security Assessor) assesses my environment and scope against the PCI standards, including my OS security and network security controls, and certifies me as compliant. As a result of this certification, my perception of security and risk has changed. Compliance (PCI-DSS) has lulled the organization into thinking that it is secure against myriad threats, including BlackPOS and others. The organization starts looking at PCI as a goal rather than an attestation of its security practices. No standard, and I repeat, no standard, can keep up with the most modern threats.
PCI-DSS has been remarkably up to date given its complexity and the industry it operates in, but it can be no match for a constantly evolving threat landscape. If you equate compliance with security, then I am afraid you are sitting on the wrong bus. You need to get off at the next station and look at a risk- and security-based approach. Do not confuse PCI-DSS with something it is not. It's a compliance standard. It's an attestation of your compliance with a given baseline at a given point in time. Nothing more, nothing less.