Security Affairs’ Pierluigi Paganini reported yesterday that FighterPOS, an advanced form of malware designed to infiltrate point-of-sale payment systems, has made the jump from its native Brazil to the United States. Security researchers at Trend Micro have isolated new strings in known versions of the malware that are written in English, instead of the original Portuguese that FighterPOS exhibited when it was first encountered in the wild.
FighterPOS – a closer look:
The latest iteration of this code appears to be more than a few patches written in by its latest handler. The notorious PoS malware that had owned entire systems in Brazil is now capable of jumping to interconnected payment networks.
The most interesting improvement in the new strain of the FighterPOS malware is the implementation of worm capabilities. The Floki Intruder variant is able to locate other PoS systems on the same network and infect them. The malware enumerates logical drives and drops copies of itself onto them.
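The self-replication behaviour described above is something a behaviour-based monitor can look for directly. The following is an added example, not code from the original post or from Trend Micro's analysis: it scans constructed file-creation events and flags any process that writes a file carrying its own image hash to the root of two or more logical drives. The event format, paths and hashes are all constructed for illustration.

```python
from collections import defaultdict

# Constructed file-creation events: (pid, process image, path written, sha256 of written file)
SAMPLE_EVENTS = [
    (4120, r"C:\Windows\explorer.exe", r"C:\Users\pos\Desktop\notes.txt", "aa11"),
    (5508, r"C:\Users\pos\AppData\Roaming\svchost.exe", r"C:\svchost.exe", "f00d"),
    (5508, r"C:\Users\pos\AppData\Roaming\svchost.exe", r"D:\svchost.exe", "f00d"),
    (5508, r"C:\Users\pos\AppData\Roaming\svchost.exe", r"E:\svchost.exe", "f00d"),
    (7001, r"C:\Program Files\Backup\backup.exe", r"D:\backup\2016-02.zip", "beef"),
    (7001, r"C:\Program Files\Backup\backup.exe", r"E:\backup\2016-02.zip", "beef"),
]

# Constructed hash of each process's own executable, as an endpoint agent would record it.
SAMPLE_IMAGE_HASHES = {
    r"C:\Windows\explorer.exe": "c0de",
    r"C:\Users\pos\AppData\Roaming\svchost.exe": "f00d",
    r"C:\Program Files\Backup\backup.exe": "cafe",
}


def drive_of(path):
    """Return the logical drive letter of a Windows path, e.g. 'D:'."""
    return path[:2].upper()


def find_self_replicators(events, image_hashes, min_drives=2):
    """Flag processes that drop a byte-identical copy of their own image
    at the root of at least `min_drives` distinct logical drives."""
    drives_by_pid = defaultdict(set)
    image_by_pid = {}
    for pid, image, path, file_hash in events:
        own_hash = image_hashes.get(image)
        root_level = path.count("\\") == 1  # D:\svchost.exe yes, D:\backup\x.zip no
        if file_hash == own_hash and root_level:
            drives_by_pid[pid].add(drive_of(path))
            image_by_pid[pid] = image
    return sorted(
        (pid, image_by_pid[pid], sorted(drives))
        for pid, drives in drives_by_pid.items()
        if len(drives) >= min_drives
    )


if __name__ == "__main__":
    for pid, image, drives in find_self_replicators(SAMPLE_EVENTS, SAMPLE_IMAGE_HASHES):
        print(f"ALERT pid={pid} image={image} copied itself to drives {drives}")
```

The backup process writes identical archives to two drives but not copies of itself, so it is not flagged; only the process spreading its own image across drive roots is.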
The fact that the malware can seek out and infect PoS systems makes it difficult for security professionals to defend against. The earliest means of stealing data from PoS stations and ATMs was more physical. Brian Krebs has written extensively about physical card and PIN skimmers that copy the data entered into ATMs and PoS terminals, then send it back to the criminals who installed them. This simple and crafty approach sounds like something out of a cartoon, and is as easy to defend against as it is to implement. On an enterprise level, defense against skimmers is not a challenge to implement. Large networks of ATMs are already maintained regularly, so it’s as simple as adding a skimmer check to the maintenance list, and possibly increasing the frequency of staff visits. Conversely, digitally implemented attacks that arrive over the network require a more complicated playbook.
Malware like FighterPOS can enter any network through any number of access points. Ultimately, networks are operated by human beings, and human beings are both capable of errors and susceptible to trickery. A well-crafted phishing or spearphishing email to anyone on a company network is capable of delivering a malware payload. Once the malware is in the system, it knows what to do and does it.
Two years ago, we were talking about Target department stores having suffered the largest PoS breach in recent history. It took about a year for the dust to settle, and for Target to reveal that the breach cost them $262 million, only 36% of which was covered by insurance. They also paid out $10M to settle a class action lawsuit from the owners of the breached cards. Bloomberg reported extensively in March of 2014 that behavior-based anti-malware systems in Target’s security infrastructure actually identified the attack as it occurred, but no action was taken at the time and the damage was done.
Since then, malware has had a chance to evolve, and PoS terminals have continued to be the targets. TechSpective has reported that hotels are seeing increasing attacks, which is to be expected. A hotel (especially a large one) maintains a network with a great many entry points for malware payloads (employee and management workstations) and egress points for stolen data. A poorly monitored network, or one not running the right tools, could be compromised by malicious, card-stealing code like FighterPOS and remain so indefinitely. Moreover, the potential for one’s card data to be stolen in a hack is often cited as the reason cash has yet to disappear as a payment method, and cash still represents a large percentage of transactions. Hotels require that reservations be made with a credit card, and are therefore likely to hold more card details than other businesses that may process transactions in cash.
No matter how many ways hackers re-write malware to look like something else, it must behave as it does in order to accomplish what it’s designed to do. That is why Finjan is certain that behavior-based anti-malware software will continue to represent an important component of the network security in the future. We will continue to license our founders’ patents to the software providers who give security administrators the tools to keep data safe.