Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Q&A: A New Point-of-Sale Malware Family Named Punkey

In conjunction with a U.S. Secret Service investigation, Trustwave SpiderLabs researchers have unearthed a new family of point-of-sale (POS) malware.

POS malware is a sinister and often difficult-to-detect threat that preys on retailers running Windows-based payment terminals. This menace has been around for many years, but has now become the preferred fraud method by which cybercriminals fleece retailers of huge amounts of payment card data. The newly discovered POS malware family is called Punkey - a name inspired by a combination of the code's functionality and the 1980s sitcom "Punky Brewster".

We asked Trustwave Threat Intelligence Manager Karl Sigler to help us better understand the malware's capabilities and steps organizations can take to detect and prevent it and similar threats.

 

Q:  What is Punkey and how does it make it onto POS systems in the first place?

A: Punkey is a family of POS malware that infects point-of-sale systems to steal payment card information. Typically Punkey would be installed by exploiting easy-to-crack passwords used for remote access software on the POS systems or through cashiers using the POS system to browse malicious websites or open phishing emails.

 

Q: Once the malware has infected a POS system, like a credit card reader or cash register, what does it do? How does it steal card numbers?

A: Once installed, Punkey hides itself as a part of Explorer, one of Windows primary processes. Like a lot of POS malware, Punkey uses memory scraping to grab credit card data and keylogging to capture anything typed into the infected system. The stolen data is then sent back to a command-and-control (C&C) server to be collected by the criminals.

 

Q: How difficult is it to detect/remove Punkey?

A: Punkey is not hard to remove once you know what to look for. Now that we've been able to analyze the malware and make our findings public, organizations should be able to use standard anti-malware solutions to detect and remove Punkey. Our research team has also published specific indicators, such as the files used by the malware as well as network traffic samples that security teams can use to discover and eradicate Punkey from their systems.

 

Q: How widespread is Punkey?

Not horribly widespread yet. It's pretty targeted. The C&C instance we investigated had 75 instances of Punkey reporting to it, so that means around 75 infected POS systems most likely. 

 

Q: In terms of its functionality, how does it compare to previously discovered POS malware?

A: Punkey is a bit more advanced than most of your typical POS malware. Most POS malware doesn't bother to hide itself using similar injection and encryption techniques. Punkey also maintains regular communication with a C&C server, not just to upload stolen payment card data, but also to download updated versions of itself and any additional malware the criminals behind it may decide to use.

 

Q: Why has POS malware seemingly become such a big threat over the past 12 to 18 months, and is there any slowing it down?

A: Criminals follow the money, and infecting a POS terminal that might swipe thousands of payment cards is a very lucrative avenue for them. Hopefully protections being put in place like chip-and-PIN- based cards and point-to-point encryption will force criminals to look elsewhere.

 

Q: What can organizations, like retailers, do to protect themselves from this threat and others like it?

A: Organizations - or their security partner, such as a managed security services provider - should run updated anti-virus and intrusion detection system solutions, as well as monitor their networks for anomalous traffic. Organizations should also educate their employees to follow best security practices, such as only using POS systems for what they are intended for and not to browse the web, check email, play video games, etc. For POS systems that use remote access control technology, organizations should ensure that the software is kept up to date and can be accessed only by strong passwords or two-factor authentication.

 

Q: And finally, why is it called "Punkey"?

A: The malware uses a variable called 'unkey' to send the data to the C&C server, and the data is sent using an 'HTTP POST' command. So Punkey is a portmanteau of 'POST' and 'UNKEY': P(ost)unkey, or Punkey. And that's a name that might ring a bell.

For more information about combating point-of-sale attacks, check out this blog or download this white paper from SpiderLabs. In addition, if you'll be at the RSA Conference 2015 in San Francisco, Trustwave Vice President of Managed Security Testing Charles Henderson is scheduled to present on the topic of POS malware.

Latest Trustwave Blogs

Using Trustwave DbProtect and Offensive Security Solutions to Protect Against Nation-State Cyber Threats

The US Director of National Intelligence (DNI) earlier this month gave a stark warning to the Senate Armed Services Committee detailing the cyberthreats arrayed against the US and the world from...

Read More

Defending the Energy Sector Against Cyber Threats: Insights from Trustwave SpiderLabs

It has always been clear, even before the Colonial Pipeline attack, that the energy sector is a prime target for not only criminal threat groups, but also nation-state actors. After all, halting fuel...

Read More

Trustwave SpiderLabs Unveils the 2024 Public Sector Threat Landscape Report

Trustwave SpiderLabs’ latest report, the 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies details the security issues facing public sector...

Read More