In conjunction with a U.S. Secret Service investigation, Trustwave SpiderLabs researchers have unearthed a new family of point-of-sale (POS) malware.
POS malware is a sinister and often difficult-to-detect threat that preys on retailers running Windows-based payment terminals. This menace has been around for many years, but has now become the preferred fraud method by which cybercriminals fleece retailers of huge amounts of payment card data. The newly discovered POS malware family is called Punkey – a name inspired by a combination of the code’s functionality and the 1980s sitcom “Punky Brewster”.
We asked Trustwave Threat Intelligence Manager Karl Sigler to help us better understand the malware’s capabilities and steps organizations can take to detect and prevent it and similar threats.
Q: What is Punkey and how does it make it onto POS systems in the first place?
A: Punkey is a family of POS malware that infects point-of-sale systems to steal payment card information. Typically Punkey would be installed by exploiting easy-to-crack passwords used for remote access software on the POS systems or through cashiers using the POS system to browse malicious websites or open phishing emails.
Q: Once the malware has infected a POS system, like a credit card reader or cash register, what does it do? How does it steal card numbers?
A: Once installed, Punkey hides itself as a part of Explorer, one of Windows primary processes. Like a lot of POS malware, Punkey uses memory scraping to grab credit card data and keylogging to capture anything typed into the infected system. The stolen data is then sent back to a command-and-control (C&C) server to be collected by the criminals.
Q: How difficult is it to detect/remove Punkey?
A: Punkey is not hard to remove once you know what to look for. Now that we’ve been able to analyze the malware and make our findings public, organizations should be able to use standard anti-malware solutions to detect and remove Punkey. Our research team has also published specific indicators, such as the files used by the malware as well as network traffic samples that security teams can use to discover and eradicate Punkey from their systems.
Q: How widespread is Punkey?
Not horribly widespread yet. It’s pretty targeted. The C&C instance we investigated had 75 instances of Punkey reporting to it, so that means around 75 infected POS systems most likely.
Q: In terms of its functionality, how does it compare to previously discovered POS malware?
A: Punkey is a bit more advanced than most of your typical POS malware. Most POS malware doesn’t bother to hide itself using similar injection and encryption techniques. Punkey also maintains regular communication with a C&C server, not just to upload stolen payment card data, but also to download updated versions of itself and any additional malware the criminals behind it may decide to use.
Q: Why has POS malware seemingly become such a big threat over the past 12 to 18 months, and is there any slowing it down?
A: Criminals follow the money, and infecting a POS terminal that might swipe thousands of payment cards is a very lucrative avenue for them. Hopefully protections being put in place like chip-and-PIN- based cards and point-to-point encryption will force criminals to look elsewhere.
Q: What can organizations, like retailers, do to protect themselves from this threat and others like it?
A: Organizations – or their security partner, such as a managed security services provider – should run updated anti-virus and intrusion detection system solutions, as well as monitor their networks for anomalous traffic. Organizations should also educate their employees to follow best security practices, such as only using POS systems for what they are intended for and not to browse the web, check email, play video games, etc. For POS systems that use remote access control technology, organizations should ensure that the software is kept up to date and can be accessed only by strong passwords or two-factor authentication.
Q: And finally, why is it called “Punkey”?
A: The malware uses a variable called ‘unkey’ to send the data to the C&C server, and the data is sent using an ‘HTTP POST’ command. So Punkey is a portmanteau of ‘POST’ and ‘UNKEY’: P(ost)unkey, or Punkey. And that’s a name that might ring a bell.
For more information about combating point-of-sale attacks, check out this blog or download this white paper from SpiderLabs. In addition, if you’ll be at the RSA Conference 2015 in San Francisco, Trustwave Vice President of Managed Security Testing Charles Henderson is scheduled to present on the topic of POS malware.