Mitigating the ModPOS threat to retailers


The ModPOS threat has been described both as “the most sophisticated point-of-sale malware we have seen” and “a complex, highly functional and modular code base that places a very heavy emphasis on obfuscation and persistence” by iSIGHT, which has reverse-engineered the malware and published an in-depth report with threat indicators on the subject.

iSIGHT Partners first spotted elements of the ModPOS framework back in 2012, although it wasn’t until 2013 that it properly logged activity in the wild. Throughout 2014, however, the attackers ramped things up with active targeting of US retailers, and iSIGHT warns of a ‘high likelihood’ of ongoing ModPOS campaigns. “We believe this very hard to detect malware is likely being used in broader campaigns,” says Stephen Ward of iSIGHT, who continues, “and are disclosing details to help retailers and other organizations with POS and other payment processing systems hunt for and eradicate the malware.”

Here at IT Security Thing we recommend that you take the time to download and digest the iSIGHT report forthwith. In the meantime, here’s what the IT security industry suggests you should be doing to mitigate the ModPOS threat and other POS malware as we run up to the seasonal sales peak following the Black Friday weekend.

Mark Bower, Global Director of Product Management, Enterprise Data Security for HPE Security says that “Point of sale systems are often the weak link in the chain and the choice of malware. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Encrypting payment card data before it hits the POS is what matters so that the data will be useless to any attacker

“Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. If it’s GammaPOS, Abaddon, Dexter or other variations of malware designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale, the attackers get only useless encrypted data. No live data means no gold to steal. Attackers don’t like stealing straw.”

The recommendation is to deploy contemporary format-preserving encryption devices, which protect data without requiring major changes to POS data flows and applications; this is what the PCI Council refers to as point-to-point encryption (P2PE), or what we might otherwise call end-to-end encryption. Encrypting payment card data before it reaches the POS, whether within the card reader itself or in an attached ‘wedge’, is what matters, so that the data is useless to any attacker who manages to breach the POS system.

“Secure card readers are very, very difficult to attack and do not store live data to steal” Bower confirms, adding, “they encrypt it and pass it up the payment process to the POS. If tampered with they are designed to destroy their contents.”

Tim Erlin, Director of Security and Product Management at Tripwire, isn’t surprised by the fact that increasingly sophisticated point-of-sale malware is emerging, given the profitable revenue stream on offer. “In order to effectively combat the threat of malware on point-of-sale devices,” Erlin insists, “security teams need to include tools that identify suspicious behaviours in addition to directly discovering the malware. No matter how sophisticated the malware is, it has to perform a basic set of tasks that are distinct from the standard operations of the point-of-sale devices. Detecting suspicious activities may not definitively identify the malware, but it will prompt a deeper investigation.”

Meanwhile Kevin Epstein, VP Advanced Security and Governance at Proofpoint, isn’t convinced that ModPOS is as sophisticated as claimed and points to inconsistencies in the coding to back up his doubts.

“The malware is somewhat inconsistent in its level of sophistication or lack thereof,” he says, continuing, “complex, compiled kernel modules for internal actions like keylogging and memory scraping using one-time encryption keys are paired with plain-vanilla HTTP and a few hardcoded IP addresses for command and control rather than more modern P2P C&C, such as is used by much MITM malware.”

Epstein describes this approach as being comparable to building a supposedly secure electronic safe that visibly plugs into a wall socket. That said, he does concur that the malware will almost certainly be used to attack retailers worldwide as the coding investment it represents to the attackers appears quite substantial.

“Getting maximum value dictates they use it to maximum advantage,” Epstein warns, adding that in mitigation “while end-to-end encrypted EMV (chip and pin) terminals would likely resist this malware, making the UK statistically slightly less vulnerable, there are a sufficient number of vulnerable systems to support hundreds of millions of pounds in stolen card credit lines. Retailers would be well advised to deploy both threat response systems, to detect attempted exfiltration of data, as well as modern targeted attack prevention systems, to defend against initial malware download.”

Craig Young, a security researcher at Tripwire, also points out that “although it is apparent that the authors invested a lot of resources into developing this attack toolkit it still seems to me as if they are preying upon victims with poor security posture. Now that the command and control techniques and other indicators of compromise have been publicly revealed, the specific malware analyzed by iSIGHT Partners can be trivially detected within a network.”

This means that the attackers are likely to change certain operational details in order to keep avoiding detection. That doesn’t equate to a high likelihood that ModPOS will completely change its attack methodology, though, and most security professionals think the opposite.

The ModPOS threat is the poster child for cyber-crime for profit

“Using network layer protections to filter unexpected HTTP requests or HTTP requests with unexpected payloads is a good starting point for retailers to identify this and other malware attempting to fetch instructions or exfiltrate data,” Young advises, concluding “in my opinion, however, the best defence against such malware is tight monitoring of file systems throughout the network, but especially on devices handling payment card data. While it may be difficult to block off all potential sources of infection, the use of file-integrity monitoring (FIM) makes it incredibly difficult for the attacker to go unnoticed.”
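As an added illustration of the file-integrity monitoring Young describes (example code written for this article, not Tripwire’s product or anything from the iSIGHT report), the following Python takes a SHA-256 baseline of a POS directory, re-scans it and reports added, removed and modified files; the directory tree, the file names and the changes are all constructed inline, and the log suffixes excluded as expected churn are an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Files that legitimately change all the time (journals, logs) are excluded so real alerts are not buried in noise.
IGNORE_SUFFIXES = (".log", ".jrn")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> {sha256, size} for every monitored regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix not in IGNORE_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; any non-empty list is a finding that warrants investigation."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k]["sha256"] != current[k]["sha256"]),
    }


def demo() -> dict:
    """Constructed POS file tree: take a baseline, apply changes, re-scan and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"POS APPLICATION v1")
        (root / "config.ini").write_text("merchant=1234\n")
        (root / "journal.log").write_text("sale 1\n")
        baseline = build_baseline(root)
        # Changes a defender wants flagged: binary altered, unknown module appears,
        # config removed. The journal growing is normal activity and is ignored.
        (root / "bin" / "pos.exe").write_bytes(b"POS APPLICATION v1 + extra code")
        (root / "bin" / "svc.dll").write_bytes(b"unexpected new module")
        (root / "config.ini").unlink()
        (root / "journal.log").write_text("sale 1\nsale 2\n")
        return compare(baseline, build_baseline(root))
```

In production the baseline would be stored off-host and signed, and re-scans scheduled or triggered by file-system events rather than run inline as here.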

Jonathan Sander, VP of Product Strategy at Lieberman Software, is another not altogether convinced by the ‘advanced and sophisticated’ descriptions of ModPOS, thinking of it as ‘comprehensive and elegant’ instead.

“Much malware is like a one trick pony,” Sander says, “it does one thing well but falls down in many other places. That makes it relatively easy for experts to detect and reverse engineer.” ModPOS has survived so long in the wild because it dedicates so much energy to avoiding detection, and its modular design enables it to adapt where necessary.

“That thorough self-protection and many faceted functionality make it very complete,” Sander continues, “but it’s the way it does this which makes it elegant. ModPOS is compact and uses well-constructed code to accomplish its goals. It’s the model for the new age of professional bad guys who aren’t interested in defacing websites but rather in simply making money. The ModPOS threat is the poster child for cyber-crime for profit.”