Visa’s Payment Fraud Disruption (PFD) team recently determined that seven point-of-sale breaches reported since March 2018 in North America were linked to the exact same malware file hash, now known as the “PwnPOS” File.
PwnPOS is a point-of-sale (POS) malware file that was first identified back in 2015, but there are indications it may have been active as early as 2013.
From 2016 to 2017, there were only a few reported instances of PwnPOS infections, but that number increased significantly in 2018. Visa’s PFD team discovered that each of the malware files recovered from the 2018 breaches were the same across all instances, which means the PwnPOS malware family is easily identifiable.
How it Works
There are three main attributes of the PwnPOS malware:
1) A component that adds or removes itself from a list of system services
2) This component enables the malware to avoid detection and persist on a targeted machine
3) The malware installs a RAM scraper that monitors for keyboard inputs containing a string of numbers
Once those keyboard inputs are scraped, the malware checks the string of numbers against the Luhn algorithm (a formula used to validate identification numbers) to determine if it is a credit card number. If the numbers pass the check, the malware extracts the compromised data.
To identify the presence of the PwnPOS malware, Payscout recommends scanning your networks for the following indicators of compromise:
The indicators above correspond to the RAM scraper component of the PwnPOS malware. The seven cases Visa’s PFD team identified in 2018 had additional PwnPOS file attributes, but the RAM scraper component was consistently present in all instances, making it the most reliable indicator of compromise available.
Visa recommends the following best practices to reduce the risk of exposure:
- Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, and disable remote access when not in use.
- Enable EMV on all point-of-sale devices.
- Provide each Admin user with their own user credentials. User accounts should also only be provided with the permissions vital to job responsibilities.
- Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.
- Monitor network traffic for suspicious connections, and log system and network events.
- Implement Network Segmentation, where possible, to prevent the spread of malicious software and limit an attacker’s foothold.
- Maintain a patch management program and update all software and hardware firmware to most current release to limit the attack surface for zero-day vulnerabilities.