Blogs & Stories

Trustwave Blog

The Trustwave Blog empowers information security professionals to achieve new heights through expert insight that addresses hot topics, trends and challenges and defines best practices.

How to Design a Defense Against Point-of-Sale Malware Attacks

Despite increasingly tighter data protection standards, more advanced security technology and greater awareness to the threat, retail organizations remain highly coveted targets of malware attackers.

Consider the sheer number of credit and debit card numbers that many of these companies handle. Thus, it's no surprise that even when adversaries encounter resistance, they don't give up and fold up shop. Instead, they search for new and viable vectors through which to fleece companies of valuable cardholder data.

The latest trend in the widespread torment that is malware - and an alarming one at that - is highly targeted and difficult-to-detect malicious code that is designed to invade point-of-sale (POS) systems, the machines and registers on store checkout lines on which credit and debit cards are swiped. According to news agency Reuters, the FBI recently released a three-page report warning retail companies of a grave prediction: They should expect significantly more cases of POS malware in the aftermath of a recent spate of high-profile attacks.

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI report, seen by Reuters. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors."


How does POS malware make it on to these systems and networks in the first place? Hackers have many tactics at their disposal to spread malware. But in the case of POS malware, adversaries typically exploit the fact that most retailers - Trustwave estimates around 80 percent - employ default credentials on remote administration utilities, such as Remote Desktop, LogMeIn and pcAnywhere, which are used to perform legitimate remote administrative functions on POS systems and software. Once these are compromised, the bad guys can breach POS systems and plant malware in a matter of seconds.

And don't expect traditional anti-virus (AV) to protect you. Windows XP Embedded (XPe) is among the most common POS operating systems, and while it is similar to the desktop version of Windows XP, it also lacks many features and may not be compatible with many commercial AV products. In addition, the XP platforms in use typically haven't been updated to address previously patched security

But arguably most troubling of all is that, in less than a month, Microsoft is slated to end XP support. That means the software giant no longer will supply security updates for the 13-year-old operating system, which could make POS systems even juicier targets than they are right now.

So how can you deal with POS malware? Here are six tips that may make POS attackers think twice about committing time and resources to infiltrate your organization.


Assume you've been breached

Admitting this is half the battle. Operating under the assumption you've been compromised allows companies to better prepare for the inevitable and react quicker.


Conduct a risk assessment

Identify which systems in your retail environment process and store sensitive data, and if that data is vulnerable to an attack.


Create complex passwords

Use complex passwords (at least seven characters, including at least one number, one capital letter and one special character) on remote administration utilities.


Review logs

Remote connection logs, firewall logs and Windows Security Event logs often highlight hacker transgression - allowing you to detect an incident before it's too late.


Pen test

Identify and remediate security weaknesses before the criminals spot them.


Run advanced anti-malware and DLP defenses

Consider technology like web security gateway and data loss prevention, which can be used to scan outgoing HTTP and HTTPS traffic that could identify when attackers are siphoning out cardholder data.



If malware is found on POS systems, stop using them, document the intrusion as best you can and notify appropriate parties, including your merchant bank and PCI forensic investigator, and the U.S. Secret Service.

Make no mistake, stopping POS malware attackers in their tracks is a fierce challenge. This blog post just scratches the surface.

I highly recommend perusing a just-released white paper from our SpiderLabs research team. It offers a blow-by-blow account of how these attacks look and operate, and then offers specific remedies for thwarting POS malware - or dealing with it if you've been hit.

Dan Kaplan is manager of online content at Trustwave.