POS Attacks Persist: Top 5 Defense Strategies to Protect Retail Networks


No one needs reminding that 2014 was one of the most profitable years for cyber-criminals. The timeline graphic below takes us down memory lane to what happened to large retailers such as Target, Home Depot and others. Despite efforts to comply with the Payment Card Industry Data Security Standard (PCI DSS) and other security measures for protecting electronic transactions and consumer data, U.S.-based retailers were hit hard by data breaches last year. Stores continued to be soft targets not only because they were easy victims per se, but more importantly because cyber-criminals had ready access to effective hacking tools and techniques for attacking and compromising payment card infrastructures.

Although alarming retail breach headlines have been relatively quiet so far in 2015, the bad news is that POS attacks resumed where they left off in 2014. The SonicWall Security Threat Research team has been busy developing countermeasures to defeat newer forms of POS malware that have been found actively spreading in the wild. This is a noticeable development that carried over from the previous year. Cyber-criminals are clearly investing more in the malware economy, and in research and development, to create smarter attack methods that do greater harm. This is consistent with the Threat Research team's 2015 Annual Threat Report prediction that more sophisticated POS malware variants are expected and that additional attacks will target payment infrastructures throughout 2015, especially smaller regional chains that are more susceptible to attack.

Debit/credit card payment

SonicWall Security researchers have already developed countermeasures to block several POS bot families, including:

  1. Punkey: this Trojan was discovered in April 2015 and has versions for both 32-bit and 64-bit Windows-based POS terminals. Punkey is particularly dangerous not only because it can record payment card data while it is being processed, but also because it can install a keylogger to capture what employees type on the system, including the card verification value (CVV) entered during a transaction.
  2. NewPosThings.C: this Trojan was also uncovered in April 2015. NewPosThings.C adds system files and Windows registry keys to persist across reboots. It also searches the registry for VNC passwords, scans system memory to gather credit card track data, periodically checks whether data is ready for transfer to its command and control (C&C) server, and sends the credit card information Base64-encoded to evade detection.
  3. PoSeidon and POS.UCC: these Trojans were detected in March and February 2015 respectively. Both exhibit behaviors similar to those described for the NewPosThings.C Trojan.

If you are in retail and still nervous about whether or not you have the proper security measures in place to protect your retail network, SonicWall Security recommends the following five key defense strategies to secure your payment card infrastructure.

  1. Traditional POS applications run on terminals connected to a central computer. Often, the operating system (OS) of this central computer is not kept updated, which can make the POS system as a whole highly vulnerable. It’s important to keep the OS patched and all software updated continually.
  2. Restrict activity on terminals to POS-related functions only (no web browsing). For example, permit data from the POS system to flow to a trusted server on a separate secured network for payment processing, while preventing it from going anywhere else. To do this, keep the POS system isolated from the rest of the network: separate groups and zones, and make sure POS systems can only communicate with valid IP addresses. Communication between these systems should be controlled and sanctioned only by the firewall via access control lists (ACLs), so that attackers who have gained network access cannot penetrate further or siphon data off to their own servers.
  3. Install a capable next-generation firewall with integrated intrusion prevention system (IPS) and SSL decryption between network segments and at the B2B portal, to inspect all network traffic, including encrypted connections, and protect the network from internal and external attacks.
  4. Adopt a security policy that trusts nothing (networks, resources, etc.) and no one (vendors, franchisees, internal personnel, etc.), and then add explicit exceptions.
  5. Make security training a significant part of employee onboarding and ongoing communications. SonicWall’s recent Global Technology Adoption Index (GTAI) showed that employee security training is lacking in all industries, including retail. An astounding 56% of companies admit that not all of their employees are aware of security rules.
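As an added illustration of strategies 2 and 4 (this is example code, not from the original post or from SonicWall), the following Python script evaluates constructed flow-log lines against a default-deny zone policy in which POS terminals may talk only to the payment-processing segment; the zone addresses, the allowed exceptions and the log lines are all assumed.

```python
import ipaddress

# Constructed zone layout (assumed addresses, not taken from the original post).
ZONES = {
    "pos": ipaddress.ip_network("10.10.0.0/24"),      # POS terminals
    "payment": ipaddress.ip_network("10.20.0.0/24"),  # trusted payment-processing segment
    "corp": ipaddress.ip_network("10.30.0.0/16"),     # back office / corporate LAN
}

# Explicit exceptions to a default-deny policy: (src zone, dst zone, dst port).
ALLOW = {
    ("pos", "payment", 443),  # card data to the processing server, TLS only
    ("corp", "pos", 5900),    # assumed help-desk VNC exception into terminals
}

def zone_of(ip):
    """Map an address to a named zone; anything outside them is the internet."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def parse_flow(line):
    """Parse a constructed 'key=value' flow-log line (timestamp first) into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {**fields, "dport": int(fields["dport"])}

def check_flow(flow):
    """Return (verdict, reason) for one flow; only flows touching the POS zone are judged."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if "pos" not in (src, dst):
        return "ignore", "does not touch the POS zone"
    if (src, dst, flow["dport"]) in ALLOW:
        return "allow", f"sanctioned {src}->{dst}:{flow['dport']}"
    if src == "pos" and dst == "internet":
        return "deny", "POS terminal reaching the internet (web browsing or C&C/exfiltration)"
    return "deny", f"unsanctioned {src}->{dst}:{flow['dport']}"

def audit(lines):
    """Run every log line through the policy and return the denied flows."""
    denials = []
    for flow in map(parse_flow, lines):
        verdict, reason = check_flow(flow)
        if verdict == "deny":
            denials.append((flow["src"], flow["dst"], flow["dport"], reason))
    return denials

SAMPLE_LOG = [  # constructed sample flow records
    "2015-04-21T10:02:11 src=10.10.0.15 dst=10.20.0.5 dport=443 proto=tcp",   # normal payment
    "2015-04-21T10:02:40 src=10.10.0.15 dst=203.0.113.9 dport=443 proto=tcp",  # terminal to outside host
    "2015-04-21T10:03:05 src=10.30.4.7 dst=10.10.0.15 dport=445 proto=tcp",    # back office SMB to terminal
    "2015-04-21T10:03:30 src=10.30.4.7 dst=10.30.1.2 dport=80 proto=tcp",      # corp-only traffic, ignored
]
```

Running `audit(SAMPLE_LOG)` flags the second and third records; the same zone/port tuples can be carried straight into a firewall ACL, with the "deny" branches doubling as alert rules for the IPS.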

Download this exclusive white paper for additional guidelines on how you can protect your retail network.

Ken Dang
Sr. Product Marketing Manager | SonicWall
Ken has more than 14 years of technology product management and product marketing experience creating and directing product development, and launching strategies for new product introductions. He specializes in networking, cloud and information security, data management, data protection, disaster recovery and the storage industry. Ken is currently Senior Product Marketing Manager for all of SonicWall’s emerging cloud solutions.