“PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from hacked point-of-sale (POS) devices, has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.
One basic tool that banks use to learn the source of card data theft involves determining a “common point-of-purchase” (CPP) among a given set of customer cards that experience fraud. When a new batch of cards goes on sale at an online crime shop, banks will often purchase a very small number of their stolen cards to determine if the victim customers all shopped at the same merchant across a specific time period.
This same CPP analysis was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years, and it is a method heavily relied upon by law enforcement agencies to identify breach victims.
But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale.
Increasingly, however, fraudsters selling stolen cards don’t need to make sausage: The victims that are leaking card data are already subsets of restaurant franchises or retail establishments whose only commonality is the branded point-of-sale device which they rely upon to process customer card transactions.
Card breaches involving POS devices sold by the same vendor are notoriously hard for financial institutions to diagnose because the banks very often have a direct relationship with neither the POS vendor nor the breached restaurant or bar whose customers’ cards were stolen.
What’s more, POS-specific breaches frequently tie back to a subset of customers of a POS vendor who in turn rely on local IT company to install and support the POS systems. The commonality among breached restaurants and bars tends to be those who have relied on a support firm that invariably enables remote access to the POS systems via tools like pcAnywhere or LogMeIn using the same or easily-guessed username and password across many customer systems. Once remotely authenticated to the targeted systems, thieves can upload malware like POSeidon, which is capable of capturing all card data processed by the victim POS.
A few weeks ago, this reporter broke the news that multiple systems run by POS vendor NEXTEP had experienced a breach. The banks were only able to pinpoint NEXTEP systems as the source because the overwhelming number of merchants impacted in that breached happened to be NEXTEP customers who also were part of the Zoup chain of soup restaurants.
“You may have seen the discussions of the ‘PoSeidon’ malware that specifically targeted point of sale systems,” NEXTEP CEO Tommy Woycik said in a follow-up email. “Within thirty-six hours of the point that we learned of the problem we were able to internally use our resources to block further data compromise with most of our customers. We retained and worked with two different sets of consultants to fix all remaining problems and to evaluate, on an ongoing basis, the effectiveness of the fixes.”
Woycik said the company also is investigating why the vast majority of its customers had no compromise of information, but that the hack was limited to a few identified locations. Part of the problem was that some of the breached locations relied on point-of-sale management firms that refused to cooperate in the investigation.
“We have been somewhat hampered in our investigation because some parties involved in the locations that we believe may have been affected have been unwilling to provide us with critical data,” he said.
More recently, KrebsOnSecurity has heard from multiple banks about suspicions that systems sold and maintained by another POS vendor – Naples, Fla.- based Bevo POS — was likely the source of fraud for more than a dozen restaurants and bars in and around Florida.
“Was Bevo POS ever breached? No, however, Windows was. Bevo POS is Point of Sale application (not cloud based) that is both PCI compliant and encrypts all credit card data,” he explained. “The malware identified, PoSeidon, which pushes itself with DLL injection and backdoor Trojans, is a keylogger with memory scraping that breached Windows, and as I’m sure you are aware, Microsoft’s security essentials anti-virus and windows updates do not recognize or stop many of the newer more unique threats. The same day we were alerted to a possible compromise, our engineers found an executable that had been recently installed in Windows at that location, called ‘Winhost.exe.’”
According to Haytac, the company learned of the incidents on March 15. He said the breach occurred with memory scraping as the data passed through while Windows was sending the data to the Bevo application, basically capitalizing on a ‘millisecond gap’ between the systems.
“A mere 0.26% of customers (13 out of 6,500) were effected and we not only identified the malware within 24 hours (5 days before it was publicly reported by the security experts), we had created a PoSeidon killer tool, and swept every customers machine within a week. Actual Windows breaches of our customers only occurred over a two day period.”
Haytac said the most frustrating aspect of the ordeal so far is that all of its customers have some form of Windows anti-virus software and that none of these applications were able to recognize the malware.
“So to prevent future possibilities of this ‘gap’ in the system being tapped again by relentless hackers, we have made an agreement with Comodo to create a new-age containment software that includes anti-virus,” he said. “We are pushing this to all our customers, closing the gap between these breach techniques and Windows OS. We are due to ship this weekend as we are in final stages of testing. Windows is obviously not our product to protect, however our customers are, so we are doing it regardless and without cost to them.”
For several months following revelations that fraudsters had stolen 56 million cards from customers of Home Depot, the card shop principally responsible for selling those cards — Rescator[dot]cm (the same hackers thought to be responsible for the Target intrusion) — inexplicably stopped selling new cards stolen from main-street merchants and retailers.
This hiatus continued for an unprecedented six months until March 10, 2015, when Rescator and his merry band of thieves advertised the “American Dream” batch of credit cards. Days later, the Rescator shop pushed out millions of cards in rapid-fire batches variously named “Breakthrough,” “American Dream,” “Imperium Romanum” and “Spring Awakening.”
Multiple financial institutions contacted by this author purchased handfuls of their cards from these batches, but were unable to find a single common point-of-purchase among any of them. However, each bank said they saw within each batch a strong preponderance of small restaurants and bars that they’d been watching for months as a suspected source of stolen cards. The banks reported to KrebsOnSecurity that the bulk of these establishments are centered around cities in Colorado, Texas, Florida and the Washington, D.C. metropolitan area — including Virginia and Maryland.
The above-mentioned trend away from selling cards stolen from major retail chains toward attacking smaller bars and restaurants is hardly unique to the Rescator shop. Earlier this year, several security experts pointed out that a relative newcomer to the fraud scene — a card shop that markets its wares by capitalizing on the name and likeness of this author (briansdump[dot]ru) — also was pushing fairly large batches of stolen cards onto its shelves.
KrebsOnSecurity worked with three different banks who each acquired multiple customer cards from all of the batches of cards that showed up for sale on Briansdump. Eerily enough, all of the merchants identified were from small restaurants and bars in and around the Washington, D.C. area, the hometown of Yours Truly.
Security vendors have long recommended “end-to-end” or “point-to-point” encryption products and services to sidestep threats like PoSeidon. The idea being that if the card data never traverses the local network or point-of-sale device in an unencrypted format, any card-stealing malware that makes its way to the point-of-sale systems will have nothing to steal but worthless gibberish.
The problem is that many merchants — particularly smaller ones — don’t seem particularly interested in or incentivized to invest in these technologies, which tend to require more up-front costs and on-going maintenance fees to security vendors, said Rich Stuppy, chief operating officer at Kount, a payments security firm based in Boise, Idaho.
“It’s a fundamental redrawing of how the bits are transmitted, and that also tends to redraw a lot of power into another end of the network, either to a card brand or to a point of sale company, and it dramatically changes who’s got the power in this situation,” Stuppy said.
As for why more smaller merchants don’t turn to solutions like point-to-point and end-to-end encryption, Stuppy said it’s a numbers game that favors the attackers.
“I think the bigger [merchants] could maybe put up the fence around this such that it gets harder and harder, but the little guys aren’t going to do that. With these widely distributed point-of-sale systems, the bad guys are looking to just plug in the malware once, and it doesn’t matter if you have to get the big guys once to get 50 million cards, or you have to get 1,000 cards from 50,000 compromised merchants.”
For a deep dive into PoSeidon malware, check out this Mar. 25, 2015 blog post from researchers at Cisco.