2014 will be remembered for many things. But for those whose credit or debit card information was swiped in a data breach, it may be remembered as the year when a wave of point-of-sale malware crashed into retailers big and small.
In its annual Global Threat Intel Report, security firm CrowdStrike noted that criminals began increasingly turning to ready-to-use point-of-sale (PoS) malware kits in the cyber-underground. According to Adam Meyers, vice president of intelligence at CrowdStrike, the price of these kits varied depending on their complexity, with some going for tens of dollars and others costing in the hundreds or thousands.
The attacks infected terminals with malware designed to steal credit card information as cards are swiped by customers. The malware runs in the background of the terminal, continuously scans memory for unique patterns found on a card's magnetic strip, and sends matching data to an attacker-controlled server, the report explains.
"In 2014, while several major companies were coping with breaches of their PoS infrastructure, many smaller retailers were facing the same threat from less-organized groups," according to the report.
"Malware such as BlackPoS requires a bit of strategic planning on the part of the adversary; much of the system lacks the point-and-click intuitive nature of commodity botnets," the report continues. "For less-organized or less-skilled adversary groups, an off-the-shelf kit such as Dexter PoS may allow for exploitation and offensive capabilities that may not otherwise be possible."
The report notes that the explosion of PoS malware may be mitigated by the adoption of EMV standards (Europay, MasterCard and Visa) as well as the growth of payment options such as Google Wallet and Apple Pay.
"Adoption of these newer payment processes should provide consumers with more secure payment methods and make it more difficult for criminals seeking to make money off these systems," according to the report. "There will be some lag time in 2015 as retailers and banks move to put these improvements in place, during which cybercriminals will still be able to exploit the current, antiquated payment processing systems in the U.S. However, the newer processes, once in place, should lead to a decline in the type of PoS attacks seen over the past year."