Enhanced Malware Targets RetailersStored Card Data on Networks, POS Systems Primary Target
More hackers are attacking payment processors and merchants with enhanced malware to compromise credit and debit card data. And fraudsters apparently are more quickly selling compromised card numbers in underground forums, some security experts say.
Organizations can help mitigate their card-exposure risks by focusing on intrusion monitoring and anomaly detection, rather than just relying solely on anti-virus systems to detect malware, the experts advise. Of course, if card information is not stored, then it can't be exposed, they add.
In late February, multiple banking institutions in the Caribbean were put on alert after an unnamed international card-processing facility in Barbados was reportedly hacked, exposing thousands of card numbers. And in Denmark, cybersecurity experts have warned that new strains of malware specifically designed to steal payment card data have been discovered on 80,000 personal and corporate computers over the last year. The attacks have defeated most anti-virus programs, computer experts in Denmark say.
Toralv Dirro, a security strategist for McAfee Labs, the anti-virus specialist's threat-detection research team, says many of the latest malware attacks, regardless of the targets, are successfully getting around anti-virus systems.
"For someone doing a targeted attack, AV is not too much of an obstacle," Dirro says. "The fraudster has all the information he needs to run tests against an AV program and ensure he can defeat it. Today you can buy, in the underground market, tests for banking Trojans to ensure they're not detected by AV."
Cards Compromised Sooner
The uptick in attacks aimed at compromising card data and personally identifiable information is not limited to the U.S., and neither is the subsequent fraud, says Al Pascual, a financial fraud expert and analyst at Javelin Strategy & Research.
"After EMV [the Europay, MasterCard, Visa chip payment] standard, there was a substantial drop in fraud at the point-of-sale" in the U.K., Pascual says. "But CNP [card-not-present] fraud, especially online, spiked."
Fraudsters are using card numbers for purchases with online merchants because EMV chips aren't authenticated during the transaction, he says.
Credit and debit cards numbers can be marketed in underground forums and have proven themselves easy-sells to so-called "carders" interested in perpetrating card-not-present fraud, says Mike Smith, a security evangelist for online security firm Akamai Technologies. So, even in nations where chip cards - which can't be skimmed - are standard, card fraud is growing.
Smith says carders are specializing in malware that steals card numbers, and CVV2 data - which typically includes names and addresses of the cardholders.
They're often accessing data through attacks waged against outdated content management systems, he adds. Once inside the network, the attackers have all they need.
When hackers compromise one online merchant and gather account login credentials for a specific cardholder, they can often use the same login credentials to access accounts with other online merchants, Smith says. "The toolkit [malware] checks through a proxy to see if that user's account credentials work on other sites," he adds.
From there, the hackers can sell in underground forums the card numbers, along with account login credentials and lists of accessible e-commerce merchant accounts, ensuring their buyers are quickly able to perpetrate fraud - often before a breach or compromise is even detected, Smith says.
Retailers: Prime Targets?
More attacks have been identified as specifically targeting retailers and payments processors, Dirro acknowledges.
And while network attacks do yield more data, many fraudsters focused on compromising payment cards remain more interested in attacking point-of-sale devices rather than networks, he says.
Dexter, a 2012 Trojan that infected hundreds of POS systems, mainly in the U.S. and United Kingdom, is a prime example, Dirro says. "This was a very specialized Trojan that looked for card data while in the memory of the point-of-sale machine," he says.
In December, online security firm Securelet noted Dexter was targeting retailers, hotels and restaurants. Dexter exploited remote-access controls to infiltrate POS systems and capture screenshots of POS displays, Securelet reported. Once a terminal was infected, the malware stole transactional processing lists and parsed the memory for Track 1 and Track 2 data stored on payment cards' magnetic stripes.
Malware Detection Not Enough
The only way to ensure an organization is protected against the latest threats is by enhancing network monitoring for unusual activity and then using technology to correlate that activity across the network, Dirro says.
"The biggest worry, when it comes to network compromises, is not just the card data, but the user's PII," he says. "When a network is breached, it usually affects a large number of users, and there is usually more info stored there than should be."
Many companies - especially those in the retail and hospitality sectors - continue to store sensitive cardholder data, despite the Payment Card Industry Data Security Standard's requirement that no such data be stored, says Jerome Segura, a senior researcher at malware-detection provider Malwarebytes.
"Based on how the information is stored, the malware is likely to look for those [databases], dump their content and then ex-filtrate that data," Segura says. "Obviously, a big factor in the success of such an operation is whether or not the data was well protected and salted."
In far too many cases, attackers are able to break into a network and access PII and card data in the clear, he adds. "It is one of the reasons why the bad guys succeed so often."