Point Of Sale (POS) malware has been a concern for retailers for several years now, especially following the Target breach in late 2013. POS malware is evolving further with the emergence of the Pro POS tool, according to a new report from Cisco's Talos research team.
Pro POS is designed to be a professional tool for enabling an attacker to exploit point-of-sale systems.
Earl Carter, security research engineer at Cisco Talos, noted that Cisco worked with one of its intelligence partners to obtain the software from underground Dark Web forums. While Pro POS is having an impact on consumers and retail organizations, it's not clear how many organizations might be infected and already exploited by the tool.
"Cisco does not disclose specific customer data or information, but we can discuss the types of threats that certain industries have faced," Carter told eWEEK, adding, "We continue to see hackers target retailers, restaurants and hotels with POS malware."
As consumers travel and spend more money during the holiday season, Cisco anticipates an uptick in POS malware, Carter said. Other research groups, including Trustwave SpiderLabs, have also been reporting on the emergence of new forms of POS malware in recent weeks.
As is the case with most POS malware, Pro POS targets Microsoft's Windows Operating System. Pro POS works on standard versions of Windows XP and contains a rootkit specifically targeting Windows versions, from XP to Windows 7, Carter said.
"The memory scraping technique used by Pro POS continues to work in the newer versions of Windows, thanks to Microsoft's efforts to maintain backward compatibility. The increased security for drivers in newer versions of Windows would prevent the rootkit from being installed, and the user may be prompted with a UAC (user account control) popup when first executing Pro POS, but the malware can impact POS terminals on a wide array of Windows versions, Carter explained.
While Pro POS provides a slick graphical user interface, the core malware code is based on the Alina malware family. Alina is not open-source code though the code has been widely leaked in underground forums.
"The fact that the source code of Alina was leaked makes it incredibly easy to change strings or code segments that AV [antivirus] vendors have signature on," Carter said.
Carter added that there are other things that Pro POS does in order to avoid being detected by AV technologies, including modifying compiler options, which can also drastically affect the structure of malware, potentially breaking AV signatures. The Pro POS malware also uses a packer to obfuscate its contents, adding another layer of complexity.
"The shallowness of changes to the source code certainly improves the odds of detection with existing signatures, but it is difficult to predict which AV signatures of Alina characteristics were not altered between each of the variants," he said.
While Pro POS bills itself as a professional tool for POS exploitation, an attacker still needs to figure out how to get the malware onto a vulnerable system in the first place. Carter noted that compromising a system can be accomplished by exploiting a vulnerability, guessing the password or even tricking the user into running a file.
In the United States, retailers are now embracing EMV chip-and-PIN credit cards, which provide an additional layer of security. Carter explained that Pro POS targets magnetic stripe credit cards only; however, EMV cards still have magnetic stripes that store payment data.
"As long as retailers continue to accept swiping credit card versus using the EMV chips, threat actors will likely continue to target them with easily deployed malware like Pro POS," Carter added.