The Same Point-of-Sale Malware File has been Linked to Multiple Data Breaches in North America


Visa’s Payment Fraud Disruption (PFD) team recently determined that seven point-of-sale breaches reported since March 2018 in North America were linked to the exact same malware file hash, now known as the “PwnPOS” File.

PwnPOS is a point-of-sale (POS) malware file that was first identified back in 2015, but there are indications it may have been active as early as 2013.

From 2016 to 2017, there were only a few reported instances of PwnPOS infections, but that number increased significantly in 2018. Visa’s PFD team discovered that the malware file recovered from each of the 2018 breaches was identical across all instances, which means the PwnPOS malware family is easily identifiable by its file hash.

How it Works

There are three main attributes of the PwnPOS malware:

1) A component that adds or removes itself from a list of system services

2) This component enables the malware to avoid detection and persist on a targeted machine

3) The malware installs a RAM scraper that monitors for keyboard inputs containing a string of numbers

Once those keyboard inputs are scraped, the malware checks the string of numbers against the Luhn algorithm (a formula used to validate identification numbers) to determine if it is a credit card number. If the numbers pass the check, the malware extracts the compromised data.
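The Luhn check described above is the same test a defender can turn around: an incident responder or a data-loss-prevention scan uses it to decide whether digit strings found in a log, an export or a memory dump are real card numbers (PANs) rather than order numbers or timestamps. The following is an added example written for this post, not code from Visa's alert or from Payscout; the sample text is constructed and uses only publicly known test card numbers, and the 13-to-19-digit length window is an assumption about PAN formats.

```python
"""Luhn validation and a PAN scanner for text buffers (added example, not from the original post)."""
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 when the
    result exceeds 9, sum everything and require sum mod 10 == 0."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PANs: 13-19 digits, optionally grouped with spaces or dashes.
# The lookarounds reject runs that are part of a longer digit sequence.
_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(text: str) -> list:
    """Return the distinct digit strings in `text` that have PAN length and pass Luhn."""
    found = []
    for m in _CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI display form) for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample: three test PANs, one PAN with a typo (fails Luhn), one
# 14-digit reference number (right length, fails Luhn), a phone number and a
# 20-digit run that is too long to be a PAN.
SAMPLE_TEXT = """\
[constructed] txn ok card=4111 1111 1111 1111 amount=42.10
[constructed] txn ok card=5500-0000-0000-0004 amount=9.99
[constructed] txn ok card=378282246310005 amount=120.00
[constructed] ref=20180312091402 typo card=4111111111111112
[constructed] phone=555-123-4567 longrun=12345678901234567890
"""

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_TEXT):
        print(mask(pan))
```

Running the block reports the three genuine test numbers in masked form and ignores the mistyped PAN, the reference number, the phone number and the over-long run; a scan of a real system should likewise log only masked values so the scanner itself does not become another place where card data is exposed.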

Mitigation Measures

To identify the presence of the PwnPOS malware, Payscout recommends scanning your networks for the following indicators of compromise:

Visa PwnPOS Malware Alert - Indicators of Compromise

The indicators above correspond to the RAM scraper component of the PwnPOS malware. The seven cases Visa’s PFD team identified in 2018 had additional PwnPOS file attributes, but the RAM scraper component was consistently present in all instances, making it the most reliable indicator of compromise available.

Best Practices

Visa recommends the following best practices to reduce the risk of exposure:

  • Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, and disable remote access when not in use.
  • Enable EMV on all point-of-sale devices.
  • Provide each Admin user with their own user credentials. User accounts should also only be provided with the permissions vital to job responsibilities.
  • Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.
  • Monitor network traffic for suspicious connections, and log system and network events.
  • Implement network segmentation, where possible, to prevent the spread of malicious software and limit an attacker’s foothold.
  • Maintain a patch management program and update all software and hardware firmware to the most current release to limit the attack surface for zero-day vulnerabilities.
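Two of the points above fit together: PwnPOS persists by registering itself as a system service, and the best-practice list asks for system event logging. A new service whose binary lives in a temporary or user-writable directory, or that borrows the name of a core Windows binary, is the signal to review in those logs. The following is an added example written for this post, not code from Visa or Payscout. It assumes a simplified, constructed rendering of Windows Event ID 7045 ("A service was installed in the system") with timestamp, event ID, service name and image path separated by pipes; real event exports differ in layout, so parse_record() would need adapting, and the trusted-directory and system-binary lists are assumptions to tune per environment.

```python
"""Flag suspicious service installations in event-log records (added example, not from the original post)."""
import re
from dataclasses import dataclass, field

# Constructed sample records; the two bad entries are invented for illustration.
SAMPLE_LOG = """\
2018-03-12T09:14:02Z | 7045 | WSearch | C:\\Windows\\System32\\SearchIndexer.exe /Embedding
2018-03-12T09:20:45Z | 7045 | PrinterHelper | C:\\Users\\Public\\svchost.exe
2018-03-12T09:21:10Z | 7045 | AcmePOSUpdater | C:\\Program Files\\AcmePOS\\updater.exe
2018-03-12T10:02:33Z | 7045 | WinDefendSvcX | C:\\Windows\\Temp\\wdsvc.exe -k netsvcs
2018-03-12T10:05:00Z | 7034 | Spooler | service terminated unexpectedly
"""

# Directories where legitimately installed service binaries normally live (assumed baseline).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Core Windows binary names that should never be loaded from outside System32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}

@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)

# Executable path with optional surrounding quotes, ignoring any trailing arguments.
_EXE_RE = re.compile(r'^"?([^"]*?\.exe)"?', re.IGNORECASE)

def parse_record(line: str):
    """Return (event_id, service_name, image_path) or None for malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        return None
    _timestamp, event_id, service, image = parts
    return event_id, service, image

def executable_path(image: str) -> str:
    """Strip quotes and service arguments, returning the lower-cased executable path."""
    m = _EXE_RE.match(image.strip())
    return (m.group(1) if m else image).lower()

def assess(service: str, image: str):
    """Apply the two heuristics to one service-install record."""
    path = executable_path(image)
    reasons = []
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("binary outside trusted program directories")
    name = path.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARY_NAMES and not path.startswith("c:\\windows\\system32\\"):
        reasons.append("mimics a Windows system binary name")
    return Finding(service, path, reasons) if reasons else None

def suspicious_services(log_text: str) -> list:
    """Scan all records, keeping only service-install events (7045) that trip a heuristic."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec[0] != "7045":
            continue
        finding = assess(rec[1], rec[2])
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in suspicious_services(SAMPLE_LOG):
        print(f"{f.service}: {f.image_path} -> {'; '.join(f.reasons)}")
```

On the sample, the indexer and the vendor updater pass, while the service pointing at a user-writable folder and the one running out of the Windows temp directory are flagged; the first of those also trips the lookalike-name rule. The heuristics are deliberately simple; the point is that service-creation events are cheap to collect and review, and a known-good baseline of service paths makes an unexpected addition stand out.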

Streamline and Secure Your Business’s Payment Processing with Payscout’s Virtual Terminal


From the complexity of healthcare payment processing to the relative simplicity of buying and selling a product, the modern marketplace is far more dynamic than it’s ever been. For the vast majority of human history, most basic transactional commerce involved a customer purchasing a product or service from a vendor. The point of sale (POS) was a static, physical exchange of currency for the product or service, usually at the business of the merchant or vendor. At the risk of stating the obvious, the internet has changed that dynamic for good. Trillions of dollars are now spent online, and any reasonable business with a product that can be sold, advertised, or promoted on the internet does so, or at least should.

Failing to do so risks, if not guarantees, that their business will suffer (or possibly fail). However, this profitable new paradigm is accompanied by perils and vulnerabilities. When an internet vendor doesn’t interact face-to-face with any of their clients, they are put in a position where they have to trust that a consumer is who they say they are and actually has the funds they’re accessing with their credit or debit card. Fortunately, there are solutions for mitigating or eliminating the risk of things such as consumer fraud, insufficient funds, stolen cards, or payment processing that isn’t fully secure. When dealing with digital, remote, and international payment processing, businesses can protect themselves and increase their efficiency (and in turn, profits) by leveraging Payscout’s virtual terminal.

Benefits and Services of the Virtual Terminal

There are two primary ways in which Payscout’s virtual terminal aids any company doing business online: guaranteeing the money that a consumer is spending is actually there, and then ensuring a secure transfer of those funds. Payscout has managed this by deploying the most secure, advanced technology to ensure that the customer has sufficient funds in their merchant bank to cover the price of the purchase on any major credit card. That allows merchants to accept or decline transactions as necessary, and that means fewer chargebacks. Those features are available at both physical POS terminals and online sales.

Security Features

Every feature of modern commerce requires security. That reality informs every product and service Payscout offers, from accounts receivable collections software to innovations in data tokenization. The security solutions for the Virtual Terminal are based on Payscout’s development of proprietary ecommerce tools and developer APIs to protect all consumer data sent between a business’ website and the merchant service bank. Additional security features include Advanced Fraud protection technology, Visa 3D Secure, MasterCard Secure Code, and PCI compliance. All of that advanced, reliable safeguarding provides the security every business needs to thrive in the internet age.

Optimize your business’s profit potential and growth with the industry’s best payment processing solutions, at www.payscout.com