Shlomi Boutnaru, CTO, CyActive

From Target to Home Depot, major retailers are falling prey to massive credit card information heists, despite spending millions on cyber security systems. While Fortune 500 companies are scrambling to defend themselves against these breaches, petty cyber criminals are simply reusing malware that has already been used to steal credit card information in the past, and developing new variants to use in future attacks.

The infamous attack on Target reused the BlackPoS malware, which had already done damage a year before. Components of the very same malware may have been reused yet again to steal millions of credit card details from Home Depot.

In fact, the Backoff malware that has wreaked havoc on over 1,000 U.S. retailers has nine recycled components.

The economic damage from stolen credit cards runs in the millions, while copying malicious code and methods to steal those millions is free.

When major retailers and financial institutions fall victim to these attacks, there is a clear and present danger to companies large and small. Yet there are steps to mitigate this risk, and step number one is understanding exactly what is behind these attacks.

When Target and Neiman Marcus were hacked last December, cyber thieves stole around 40 million payment card details using a variant of the BlackPoS malware. The next known point-of-sale (PoS) attack compromised over 1,000 U.S. businesses between 2013 and mid-2014 using the Backoff malware. Now it has been argued by Brian Krebs that yet another variant of BlackPoS stole credit card information from a large portion of the Home Depot retail chain stores. Though a recent report puts the blame on a new malware named Mozart, it should be noted that most malware dealing with similar targets reused methods of collection and exfiltration of data.

The bottom line is that all three attacks used recycled versions (variants) of PoS malware, whose purpose is to compromise the operating system (in the case of BlackPoS, MS Windows) of credit card sales devices, giving the attacker the rights of a user on the device, and consequently access to the information stored on it. The malware is then designed to locate the credit card data that is stored temporarily on the device before a charge is completed, and exfiltrate it back to a server used by the attackers.

What you need to know:

1. When your business is closed, do you trust the locks alone to prevent break-ins? I bet you don't. You have an alarm system, and maybe even a movement detection system, or a surveillance camera. These are considered basic safety equipment for any business today. The same goes for your computer network. Trusting an anti-virus system alone to keep cybercriminals away is the equivalent of locking your doors and hoping for the best. For them, your network will be a treasure trove just waiting to be opened. If you want to keep cyber thieves away, you need to add more proactive defense mechanisms, search for the vulnerabilities in your systems, and adapt your defenses to deal with the latest malware methods.

2. Remote connections (such as RDP and LogMeIn) are your Achilles heel. If their passwords are easy to break, you're giving the thief an easy way into your network. Make sure all users of such software in your company use strong, unpredictable passwords that will be hard to guess.

3. Your point-of-sale software, and in some cases your anti-virus software, is where the malware latches on to your devices. Prevent the malware from reusing known exploits to compromise your devices by frequently updating these programs, and for that matter, all the programs on your devices.

4. Malware methods, such as the way the malware installs itself on the device and the way it exfiltrates the stolen data, are reused all the time by different malware. The bottom line is that these attacks are preventable with the help of the very latest technology. Get your IT team to stop thinking like reactive defenders, and start working proactively. The next attack might not be identical to previous attacks, but odds are that at least one component in the attack chain will be reused. The latest methods take this into account to detect new iterations of previously seen malicious code. So shield yourself with proactive defense mechanisms.
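As an added illustration of the point above (example code, not from the original article or from CyActive), the following Python contrasts whole-file hash matching with component-level matching: a recompiled variant that swaps one string and adds padding slips past a hash blocklist, while its reused scraper and persistence components are still flagged. The component signatures and the sample bytes are constructed for the example and are not indicators taken from BlackPoS or Backoff.

```python
import hashlib
import re
from typing import Dict, Set

# Constructed component signatures: feature sets (API names and strings) a
# defender would extract from previously analysed samples. Illustrative only,
# not indicators taken from BlackPoS or Backoff.
KNOWN_COMPONENTS: Dict[str, Set[str]] = {
    "memory-scraper": {"OpenProcess", "ReadProcessMemory",
                       "CreateToolhelp32Snapshot", "Process32Next"},
    "http-exfil": {"InternetOpenA", "HttpSendRequestA",
                   "POST /gateway.php", "User-Agent: Mozilla/4.0"},
    "service-persistence": {"CreateServiceA", "StartServiceA",
                            "SERVICE_AUTO_START"},
}

# Constructed "samples": an original build, and a variant that keeps the
# scraper and persistence code, changes one exfil string and adds padding.
ORIGINAL = b"\x00".join(s.encode() for s in sorted(
    KNOWN_COMPONENTS["memory-scraper"] | KNOWN_COMPONENTS["http-exfil"]
    | KNOWN_COMPONENTS["service-persistence"]))
VARIANT = ORIGINAL.replace(b"POST /gateway.php", b"POST /upload.php") + b"\x90" * 64

def sha256(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()

def hash_blocklist_hit(sample: bytes, blocklist: Set[str]) -> bool:
    """Reactive approach: the whole file must match a known-bad hash."""
    return sha256(sample) in blocklist

def extract_features(sample: bytes) -> Set[str]:
    """Crude static feature extraction: printable ASCII runs of 4+ bytes."""
    return {m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{4,}", sample)}

def match_components(sample: bytes, threshold: float = 0.75) -> Dict[str, float]:
    """Proactive approach: score each known component by the fraction of its
    features present, so a partially modified component still registers."""
    feats = extract_features(sample)
    hits: Dict[str, float] = {}
    for name, sig in KNOWN_COMPONENTS.items():
        score = len(sig & feats) / len(sig)
        if score >= threshold:
            hits[name] = round(score, 2)
    return hits

if __name__ == "__main__":
    blocklist = {sha256(ORIGINAL)}
    print("variant on hash blocklist:", hash_blocklist_hit(VARIANT, blocklist))
    print("variant reused components:", match_components(VARIANT))
```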

PoS malware attacks have reached epidemic proportions. The situation has gotten serious enough for the Department of Homeland Security to get involved. In the case of Backoff, the attacker simply had to take code and methods from earlier malware, add a few extra tweaks and put it to work. Had Target and Home Depot put a proactive defense system in place, they wouldn't have fallen prey to the reuse phenomenon.