Researchers from security firm Trustwave have identified a new breed of point-of-sale (POS) malware as part of an investigation led by the US Secret Service.
Overall, the Trustwave team discovered the IP addresses of more than 75 infected cash registers, as well as a pile of stolen payment card data.
It’s unclear at this time just how many victims have fallen prey to the new strain of malware that has been dubbed Punkey.
Discovered during analysis of multiple command and control servers, Punkey has similarities with another family of POS malware known as NewPosThings – recently discovered by researchers at Arbor Networks and Trend Micro – yet enough differences to be classified as a new strain.
Since the initial investigation, Trustwave has observed three different versions of Punkey, suggesting that it is either being tailored for use against specific retail targets, or being controlled by multiple hacking groups.
Punkey hides itself within the explorer.exe process on Windows POS systems until activated, at which point it then scans the register’s memory for card holder data.
When payment card data has been discovered, it is forwarded to a command and control server from which the attackers can retrieve it.
Once in place, Punkey can also potentially gift access to other parts of a company’s systems via its use of a keylogger (DLLx64.dll).
The malware allows keystrokes to be captured and sent back to command and control servers, 200 keystrokes at a time. If usernames and passwords for other areas of the company’s network are thus obtained, gaining access to more than the POS system could be a breeze for attackers.
Trustwave believes Punkey, which comes in both 32-bit and 64-bit flavours, finds its way onto systems via the usual tried and tested means – poor password security applied to remote access software used to access POS systems, or via human error, e.g. cashiers using tills for other purposes, such as opening malicious emails or surfing across dangerous websites.
Writing for Trustwave’s SpiderLabs blog, Eric Merritt explained how Punkey can search for and then pilfer personal details, as well as the “rare” ability to update itself and adapt remotely:
“This gives Punkey the ability to run additional tools on the system such as executing reconnaissance tools or performing privilege escalation. This is a rare feature for PoS malware.”
Fortunately for retailers, Trustwave has developed a tool which can decrypt Punkey traffic. Located on the software repository GitHub, the tool could help concerned businesses determine whether they have Punkey traffic running over their networks.
Retailers do of course need to be increasingly aware of the threat posed by POS RAM scraping attacks.
Beyond the now very well-known case of Target, which was breached via its cash registers, the issue continues to present headaches to the industry.
Just last week, Verizon’s annual Data Breach Investigations Report highlighted how infiltration of POS systems represented a significant threat, featuring in the top three causes for confirmed data breaches during 2014.
With three strains of Punkey in existence already, plus NewPosThings and the also recently discovered Poseidon strain of POS malware, it seems 2015 may prove to be a worse year for retailers than the preceding one.