An advanced strain of malware attacks Windows point-of-sale (POS) terminals, steals cardholder data and updates itself, all while hiding in plain sight.
Researchers from Chicago-based security vendor Trustwave discovered the new strain, which they named “Punkey,” while assisting the U.S. Secret Service with a recent investigation. The investigation turned up compromised payment card data and more than 75 IP addresses of actively infected Windows POS terminals.
Punkey poses a particular threat to payment networks because it can also download updates for itself from its command-and-control server.
“If the malware author has a new feature it wants to add or updates to get rid of bugs, it actually pushes the malware down from the command and control server,” said Karl Sigler, manager of Trustwave’s SpiderLabs research center. Essentially, Punkey operates like a typical botnet.
The malware hides inside the Explorer process (explorer.exe), the Windows shell that runs on every Windows desktop and manages the opening of program windows, so its activity blends in with a process that is always present. Punkey scans the memory of other processes on the terminal for cardholder data and sends what it finds to the command-and-control server.
The malware also performs keylogging, capturing 200 keystrokes at a time and sending them back to its server, where passwords and other private information can be harvested.
A year ago, security vendors warned retailers against using Windows XP at the point of sale, since Microsoft had stopped supporting Windows XP with security patches. However, Punkey does not exploit any vulnerability in Windows, so even merchants running newer versions of Windows are at risk, Sigler said.
“Punkey just runs like any Windows binary would,” Sigler said. “Even if the system is upgraded or a new system is put in place, criminals are still getting malware on the POS in other ways.”
Many retailers use remote desktop support software, which fraudsters take advantage of, Sigler said. “They steal a password and install malware like a technician would install any software,” he said.
While Punkey is more sophisticated than the POS malware Trustwave has seen previously, merchants can still protect themselves by attending to basic security best practices, Sigler said.
Merchants should keep antivirus and firewall protections up to date, monitor their remote access software, establish two-factor authentication and check network activity daily for anything out of the ordinary, Sigler said. “If your POS terminal looks like it is browsing the Web from somewhere in Eastern Europe, that is not quite right and should tell you something is going on.”
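The daily network-activity check Sigler recommends can be reduced to a simple egress review: a POS terminal should only ever talk to a short, known list of destinations, so any other outbound connection deserves a look. The following is an added example written for this page, not Trustwave's tooling and not code from the article. It assumes a hypothetical firewall or proxy log format (`<timestamp> src=<ip> dst=<host-or-ip> dport=<port> bytes_out=<n>`), a hypothetical POS subnet, and a hypothetical allowlist of the payment gateway, in-store controller and update server; the log lines are constructed for the example.

```python
"""Daily egress review for POS terminals (added example, not from the article).

Assumptions (hypothetical, not from the source):
  - outbound connections are logged one per line as
        <timestamp> src=<ip> dst=<host-or-ip> dport=<port> bytes_out=<n>
  - POS terminals live in one known subnet
  - a POS terminal legitimately talks only to an allowlisted set of hosts
Anything else a POS host sends data to is reported for review.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical POS subnet for one store (assumption).
POS_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Hypothetical allowlist of destinations a POS terminal is expected to reach.
ALLOWED_DESTINATIONS = {
    "gateway.example-processor.net",  # payment gateway (assumed)
    "10.20.1.5",                       # in-store POS controller (assumed)
    "updates.example-vendor.com",      # POS software update server (assumed)
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_pos_host(ip):
    """True if the address falls inside the POS subnet."""
    try:
        return ipaddress.ip_address(ip) in POS_SUBNET
    except ValueError:
        return False


def review(lines):
    """Summarise unexpected egress per POS host.

    Returns {src_ip: {dst: {"connections": n, "bytes_out": n, "ports": [..]}}}
    covering only POS sources and only destinations not on the allowlist.
    """
    findings = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_pos_host(rec["src"]):
            continue
        if rec["dst"] in ALLOWED_DESTINATIONS:
            continue
        entry = findings[rec["src"]].setdefault(
            rec["dst"], {"connections": 0, "bytes_out": 0, "ports": set()}
        )
        entry["connections"] += 1
        entry["bytes_out"] += rec["bytes"]
        entry["ports"].add(rec["dport"])
    # Freeze the port sets into sorted lists so the result is plain data.
    return {
        src: {
            dst: {"connections": v["connections"],
                  "bytes_out": v["bytes_out"],
                  "ports": sorted(v["ports"])}
            for dst, v in dsts.items()
        }
        for src, dsts in findings.items()
    }


def format_report(findings):
    """Render the review result as one line per (host, destination) pair."""
    lines = []
    for src in sorted(findings):
        for dst, v in sorted(findings[src].items()):
            lines.append(f"{src} -> {dst} ports={v['ports']} "
                         f"connections={v['connections']} bytes_out={v['bytes_out']}")
    return lines


# Constructed sample log for the example; 203.0.113.77 is a documentation
# address standing in for an unknown external host.
SAMPLE_LOG = [
    "2015-04-15T09:01:12 src=10.20.30.11 dst=gateway.example-processor.net dport=443 bytes_out=2210",
    "2015-04-15T09:02:40 src=10.20.30.11 dst=10.20.1.5 dport=8080 bytes_out=512",
    "2015-04-15T03:14:07 src=10.20.30.11 dst=203.0.113.77 dport=80 bytes_out=48120",
    "2015-04-15T03:19:33 src=10.20.30.11 dst=203.0.113.77 dport=80 bytes_out=51304",
    "2015-04-15T10:05:00 src=10.20.30.12 dst=updates.example-vendor.com dport=443 bytes_out=800",
    "2015-04-15T10:06:00 src=10.20.50.9 dst=203.0.113.77 dport=80 bytes_out=100",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for report_line in format_report(review(SAMPLE_LOG)):
        print(report_line)
```

Run against the constructed sample, the review reports only terminal 10.20.30.11 pushing roughly 97 KB to 203.0.113.77 over port 80 in the small hours, while the gateway, controller and update traffic, and the non-POS host on 10.20.50.9, are ignored. In practice the allowlist should be built from a few days of known-clean traffic and reviewed whenever POS software is changed, and the report is a starting point for investigation rather than a verdict.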
Unfortunately, many organizations have neither the expertise nor the manpower to perform these tasks, Sigler said.
Earlier this month, Singapore Telecommunications Ltd agreed to acquire Trustwave in a move designed to better position the telco in cyber security.