The first instances of this alarming new trend were discovered by the McAfee sensor network in February, and the Trojan-esque malware, named vSkimmer, has already successfully infected at least two Windows-based computers in US retail outlets, as well as the attached card payment systems.
vSkimmer can search the memory of most processes running on an infected computer, identifying specific patterns, in order to extract ‘Track 2’ (or magnetic stripe) data. Track 2 data can be used to clone the card – unless the payment card uses the EMV (chip and pin) standard.
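The same kind of pattern matching lets a defender check whether POS software is leaving cleartext Track 2 data in logs or dump files. The following is an added example, not code from the article or from vSkimmer; it assumes the ISO/IEC 7813 Track 2 layout, and the function names and sample log are constructed for illustration.

```python
import re

# Track 2 layout per ISO/IEC 7813:
#   ';' PAN (up to 19 digits) '=' YYMM expiry, 3-digit service code,
#   discretionary data, '?' end sentinel.
TRACK2 = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so reports hold no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for each plausible Track 2 record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2.finditer(line):
            pan, month = m.group(1), int(m.group(3))
            if 1 <= month <= 12 and luhn_ok(pan):
                findings.append((lineno, mask(pan)))
    return findings


# Constructed sample log; 4111111111111111 is a widely used test number.
SAMPLE_LOG = """\
10:02:11 INFO  txn=1001 amount=12.50 status=APPROVED
10:02:12 DEBUG swipe raw=;4111111111111111=25121010000000000?
10:02:15 DEBUG ref=;1234567890123456=99990000000? (fails month and Luhn)
10:02:19 INFO  txn=1002 card=411111******1111 status=APPROVED
"""

if __name__ == "__main__":
    for lineno, masked in find_track2(SAMPLE_LOG):
        print(f"line {lineno}: cleartext Track 2 data for {masked}")
```
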
“I don’t think this was isolated,” WatchGuard’s Director of Security Strategy, Corey Nachreiner, tells AMEinfo. “I don’t think this is limited or a one off. This will continue.”
The piece of information all attackers are after is your credit card number and expiration date. They will either go after consumers, putting a Trojan into a system in order to capture information as you type it, or they will go after hard targets that store your data. This instance of attacking POS devices – capturing data from the magnetic stripe – is a much newer trend.
“It’s new no matter how you look at it, though this wasn’t the first ever instance. POS machines have existed forever and are typically very normal computers and even in smaller kiosks you’ll find a scanning device hooked up to a Windows PC. At places like grocery stores, it may not look exactly like a PC, but it ends up connecting to a monitor that could display Windows if you wanted it to,” says Nachreiner.
Even though POS devices have existed ‘forever’ (roughly since Microsoft’s 1992 platform ‘IT Retail’), it is only in the past three to four years that code has appeared specifically designed to infect scanning devices.
“If you search hard enough on the cybercriminal underground you’ll find forums where the bad guys have their own economy, buying and selling products and services. What’s shown up recently is pre-packaged skimmer software, such as vSkimmer,” Nachreiner explains.
While business and home users will undoubtedly be aware of the need for basic defences, such as firewalls and anti-malware packages, Nachreiner believes that many smaller retail outlets in Mena may not have adequate measures in place. Every time a significant breach occurs, the regulations for PCI DSS (Payment Card Information Data Security Standards) increase.
Payment systems operators will now need to find out what requirements may have been updated, in order to ensure safety and legal compliance. “Every time there’s a breach, the requirements on the PCI document grow and grow, but I’m sure we’ll see more POS devices get hijacked,” he added.