How Retailers Can Fend Off FlokiBot Malware
The holiday shopping season is upon us, and with increased retail activity there is a corresponding increase in security threats. While many are concerned with online shopping, in-store retail sales are just as susceptible to hackers looking to take advantage of holiday shoppers.
Many retailers consider point of sale (POS) devices ‘dumb’ terminals and neglect to secure them properly. This leaves them vulnerable to a number of attacks including credit card-swiping malware.
We have recently analyzed a potentially damaging new piece of POS malware called FlokiBot. The malware itself is a variant of the Zeus banking Trojan family and could be used in attacks on retail, accommodation and food services companies.
Zeus-based malware has been around since 2009, with numerous versions and variants in that time span. It is a tried and true malware platform that threat actors continue to use and come back to when they want to create a new banking malware.
To date PoS malware has been used in a total of 534 incidents, 525 of which featured a confirmed data disclosure (according to 2016 Verizon Data Breach Investigations Report). This demonstrates that attackers continue to innovate as the targets remain attractive.
FlokiBot has a number of capabilities uncommon to typical Zeus variants, including:
- POS memory scraping
Many other malware families have POS capabilities, but this is not something the research team has seen before in a Zeus variant. This type of data occurs when a store scans a customer’s credit card. The data on the magnetic strip is saved on the POS register’s memory. The POS malware (FlokiBot in this instance) will scan the computer memory looking for a pattern of data that matches the format of the credit card data. If it finds a potential match, it sends the data to the threat actor who can then either use the data to create their own fake credit cards or sell the data on underground forums.
- Distributed Denial of Service attacks
This is an uncommon feature for a Zeus-based malware variant. Once this piece of malware has gained access to a network, it can use connected devices such as POS terminals to launch a DDoS attack. Just one day of network unavailability during the holiday shopping season can cost a retailer millions of dollars in sales. This attack type may also be used to distract the security team, while conducting other malicious activity such as stealing valuable data.
- TOR configuration
FlokiBot can been configured with TOR-based command and control URLs—.onion sites. When the malware needs to communicate to its command-and-control server and sees that it is a .onion host, it’ll route the traffic through TOR. If TOR isn’t installed on the victim, it’ll download, install and configure it. This helps to keep the botmaster’s command-and-control server hidden and prevent it from being blacklisted by security companies.
Actions for retail security teams
Organizations of all sizes are strongly encouraged to consider a security review of any POS deployment infrastructure. This is to detect existing compromises as well as to strengthen defenses against an adversary that continues to proliferate and expand attack capabilities. Compliance with PCI-DSS standards is a good starting point. There are also a few other areas retailers should consider:
In 2016, 97 percent of breaches featuring stolen credentials leveraged legitimate partner access. Organizations must ensure that any remote access connectivity is carefully audited and restricted in order to reduce network attack surface.
- Dedicated Machines
The underlying machine running the POS software should be dedicated to the task, and should be hardened prior to deployment to restrict open ports and lock down application use to those applications that are absolutely required for core functionality.
- Separated from the Internet
POS systems themselves should be partitioned from the rest of the network, with only enough inbound and outbound connectivity allowed to facilitate core functionality. POS machines or back-end infrastructure should never be accessible by a wireless network that has not been audited and built with full security controls in place in accordance with PCI-DSS as a minimum.
After significant testing, anti-malware applications should be run on the POS machines in an aggressive mode to detect potentially unknown malware. If the POS machine is Windows based, the Enhanced Mitigation Experience Toolkit (EMET) should be deployed when possible and carefully tuned to include all aspects of the operating system and any third party software.
- Traffic is Truth
Advanced attackers will pivot from one compromise point to gather other points of compromise. This lateral movement will leave traces of network activity that can be detected by the vigilant organization.
- Detecting malware activity over TOR
Organizations are encouraged to detect the unexpected presence of TOR. Security teams must consider a robust detection of TOR at the network level, due to its inclusion within the POS binary. If TOR traffic is seen on the network, it must be investigated – especially if coming from the POS environment.
- Exfiltration must be detected
If a network is not properly configured to only allow traffic where truly necessary, the number of systems that can become a staging ground for data exfiltration increases. This gives threat actors, more options and places to hide their traffic in an attempt to extend the depth and longevity of their campaigns.
While FlokiBot has capabilities rarely before seen in a Zeus-based variant, organizations that maintain a proactive threat hunting posture and deploy robust network monitoring of traffic to and from POS machines should be able to respond and mitigate threats quickly and effectively.
This holiday season, security teams should be on high alert and properly staffed, as the volume of sales transactions processed are highly attractive to threat actors, and the increased network traffic may make suspicious activity harder to identify.
Dennis Schwartz is a research analyst with Arbor Networks.