05
Threat Defiance Report

THREAT INTELLIGENCE: TAILORED POINT-OF-SALE ATTACKS AGAINST THE RETAIL & HOSPITALITY INDUSTRIES

MADE TO ORDER: TAILORED POINT-OF-SALE ATTACKS IN RETAIL INDUSTRIES

Since the 2013 Target breach that resulted in 40 million compromised cards, adversaries have adapted point-of-sale (PoS) attacks by finding more creative avenues of attack to overcome security protocols. Notable PoS attacks in 2016 included Cici’s Pizza, Wendy’s, Chipotle, Ruby Tuesday, and Baja Fresh. This suggests a trend toward targeting fast food restaurants—possibly because many restaurants have yet to enforce the use of the more secure EMV chip technology due to its slow processing time. There are many different approaches employed by cybercriminals targeting PoS systems for financial gain. They often fall into two categories: network exploits preying on the Internet-connected infrastructure operating several PoS terminals, possibly across several stores, and individual terminal targeting, which are “easier targets” that are publicly accessible for physical installation of an exploit. We assess there will be a move to tailored exploits to bypass known security protocols.

root9B came to this conclusion after reviewing current PoS breaches and our latest published analysis into malware targeting several PoS systems. Initial examination of a single PoS system revealed malicious software designed to spy on the company’s payment card processing functions. The broader investigation exposed a highly-advanced adversary achieving a total security compromise of the client’s corporate network. Spread through a single, targeted malicious email sent to a company employee, a simple but effective tactic, the attacker demonstrated skillfulness by using fileless malware to remain undetected for over 150 days. This provided time to exploit the company’s PoS systems.

Whether it is infiltration via a third-party vendor, as in the Target breach, or careful study of a victim’s security practices, cybercriminals have demonstrated tenacity in adapting their exploits and techniques. Security of PoS systems needs to go beyond reacting to the latest breach and updating firewall signatures to move toward active pursuit of the adversary. Active pursuit ultimately protects against the negative effects of breaches, such as tarnished brand reputation and degraded consumer and investor confidence.