A sale being made in a cafe

Retail security: XP expires as new POS-centric malware steps up

For many shopkeepers Windows XP was a cheap and capable operating system on which to run their applications – but Microsoft has ended its support of XP as new retail-targeting malwares have appeared. And will new point-of-sale models prove any safer?

On 8 April 2014, after 12 years, Microsoft's support for its Windows XP operating system came to an end. The software giant discontinued security fixes, software updates and technical support to home and business users, with the sole exception of very big XP sites which could afford to pay millions to extend the cut-off date by an extra year.

During its active lifetime, many retailers had come to rely on Windows XP to support their point-of-sale (POS) systems and other retail-related applications. The termination of this support compels them – in theory, at least – into making significant upgrading decisions that they had perhaps been putting off. One large UK retail original equipment manufacturer, with tens of thousands of POS systems in the field, has already admitted that up to 20 per cent of its retail end-users are still on Windows XP Pro.

Yet despite discontinuing its support, a month after the 'retirement' of Windows XP, Microsoft released an urgent, if unexpected, update to fix vulnerabilities found in Windows XP and Internet Explorer. Security firm FireEye detected a bug that enabled hackers to gain full access to a victim's computer by redirecting them to malicious websites. According to FireEye, the attack, dubbed 'Operation Clandestine Fox', mainly targeted government organisations and the energy, defence and financial sectors. Microsoft said this 'one-off' patch was "based on the proximity to the end of support for Windows XP".

Put starkly, XP upgrade laggards now find themselves in a situation where it is absolutely necessary to upgrade not only to avoid security threats, which can ultimately place business continuity and business and consumer data at risk, but also to ensure that they have not fallen foul of the operating requirements that permit them to process credit card and debit card payments.

This has, of course, a serious knock-on effect. The discontinuation of XP support affects the retailer's Payment Card Industry (PCI) compliance status. The PCI Data Security Standard is a proprietary standard for organisations and businesses that handle cardholder information for credit, debit, prepaid, e-purse, ATM, gift-voucher and other types of POS customer cards.

Generally, the standard treats a computer operating system that is no longer vendor-supported as a violation, because of the risk of security breaches it carries. This places further strain on retailers continuing to run their POS systems on Windows XP, as they will no longer meet the PCI standard and could be fined up to $100,000 per month by the PCI Security Standards Council.

Upgrading a POS system is no simple undertaking for smaller retailers. POS systems have got much smarter in recent years, having evolved from relatively straightforward cash registers into multifunctional systems, embedded with inventory management and stock-control functionality along with other retail support applications.

POS systems are essentially high-performing computer platforms with similar technology to that found in devices used in other vertical sectors, using common system software and communications configurations. Mainstream operating systems such as Windows XP that can run industry-specific applications were a boon to small- and medium-sized retailers who otherwise would have had to enter into contractual arrangements with suppliers of expensive electronic cash tills. These are based on proprietary hardware and software solutions from the big incumbent specialist solutions vendors including IBM, NCR Corporation, and Siemens Nixdorf.

US software firm MSS launched the first Windows-based POS application in 1992. Several other solutions specifically for retail environments subsequently appeared, including a suite of products from Microsoft itself. However, as with other usage outgrowths built on the de facto industry standard, Windows-based POS came to the attention of cybercriminals aware that such systems were handling valuable transactional data such as credit card details.

As Windows-based systems were popular with smaller retailers with limited budgetary resources, these systems became especially vulnerable to surreptitious attacks such as having malware 'injected' into them without the retailer knowing.

Microsoft's response to the growing threat, which consisted of regular software 'patches' specifically designed to address known threats and installed via automatic updates delivered through the Internet, meant that for years Windows XP continued to be a relatively secure and stable operating environment, which recession-struck retailers were, understandably, reluctant to migrate away from.

"Windows XP end-of-life has arrived with vast numbers of legacy applications left potentially unsupported and vulnerable to security attacks - unless, of course, you're happy to pay Microsoft for extended support," according to Chris Strand, director of compliance at endpoint and server security firm Bit9. "The costs will be prohibitive for many retailers, with premier support over three years running to almost £1,000 per POS system."

Strand adds: "What's more, large retailers with distributed systems that aren't powerful enough to run Windows 7 or Windows 8, and their POS equivalents, are facing an infrastructure nightmare with hardware and legacy application upgrades needed to support new operating systems."

New generation of cyber-threats

Malware challenges to the retail sector are not new. The first well-known incident occurred in 2005 when computer hacker Albert Gonzalez and two Russian accomplices orchestrated the theft of 170 million credit cards from US retail stores HomeGoods, T.J.Maxx and Target.

The last decade has proved POS attacks are on the up, as increasing numbers of retail stores, supermarkets, restaurants, hotels and visitor attractions – in fact, any business that processes debit and credit card payments – have been targeted by cyber-criminals.

The latest big breaches – at US multiline chain Target, and at Neiman Marcus, which was hacked for the second time this year – suggest that even where advanced security measures or alternative payment solutions are in place, a determined hacker will find a way to get round or through them.

According to cyber security company Trustwave's most recent Global Security Report, the retail industry topped the list of the most-targeted industries in 2012 – and there are some indications that the ending of Microsoft's support for XP will reveal some additional vulnerabilities.

The report also revealed that systems which store, process or transmit cardholder data remain primary targets. As a result of this, POS systems topped Trustwave's most targeted assets at 47 per cent.

"Many mainstream businesses are probably aware that they are running Windows XP on some of their desktops, and also that the end-of-life deadline is quickly approaching," says Trustwave's managing consultant Mike Park, "but I am not sure that the same awareness applies to many retailers running XP on their POS systems – because many do not even realise that fact."

The biggest challenge is keeping payment card information secure during the swipe, the processing procedure, and then as it is transmitted to back-end store servers when the transaction is completed, Park believes. He adds that the concern generated in retailers over XP support discontinuation has drawn attention to some generic aspects of POS security that still need to be remediated.

Malware makers seem to have been relatively slow in going after the opportunities presented by computerised POS systems, but now seem intent on making up for lost time – and lost opportunities. In December 2012, just in time for the Christmas shopping season, a new species of malware surfaced and was discovered in hundreds of POS systems around the world. Dubbed 'Dexter' (which came from the string 'BKDR_DEXTR.A'), the malware, discovered by Israel-based security firm Seculert, is a data-theft tool designed and used specifically to target and attack POS systems.

The program, which is Microsoft Windows-based, uses common techniques to search the memory of running processes to identify credit-card data, but is unusual in giving the attacker full remote control over the infected machine.

It works by injecting itself into the iexplore.exe process on Windows servers and rewriting a registry key so that it is relaunched. It then extracts sensitive credit-card data from the server before transferring it to a remote command-and-control system.

The magnetic strip on a credit card contains three 'tracks', and Dexter attempts to scrape from memory the data relating to tracks one and two, which contain the numeric and alphanumeric data that can be used to clone the card used in a transaction. If Dexter finds any of this track data, it alerts the attacker in the next message sent and the process is repeated. This lets the attacker change how often the malware checks in, install additional malware, or even remove Dexter altogether.

"The defensive strategy for retail should be to make it more expensive for attackers to infiltrate, more expensive for attackers to hide when they are performing their operations," advises TK Keanini, CTO at cyber security solutions provider Lancope, "and make it more expensive for attackers to infiltrate the stolen data from their network."

Point of sale malwares

Since the Dexter scare, other POS malwares have resurfaced. Keanini says BlackPOS, ChewBacca, vSkimmer and Alina are also in his top five of renowned POS malwares.

US retail store Target experienced its second notorious breach over the 2013 festive period, when payment and personal information was stolen from up to 110 million individuals. Thomson Reuters reported the breach involved memory-scraping malware, which was later identified as BlackPOS.

In his 2014 'POS Malware Targeted Target' report, Seculert's co-founder and CEO Aviv Raff explains how BlackPOS differs from Dexter in that the attack occurs in two stages, a common attribute of an advanced threat. BlackPOS was able to extract credit card numbers and personal details from Target's POS systems; it then remained undetected for six days before beginning to transmit stolen data to an external FTP server via another infected machine within the Target network. The cybercriminals downloaded the data using a virtual private server and in total stole 11 gigabits of sensitive customer information.

As a result, Target may be forced to pay millions in fines to credit card companies if it is found that the company failed to secure its network. Furthermore, it will also have to pay compensation to any banks which had to issue new cards to customers. On top of this, customers are already filing lawsuits.

If retailers of any size fail to upgrade their POS systems, they are not only facing malware challenges but also the cost to recover from the initial damage.

Earlier this year, researchers at RSA Security discovered that cybercriminals had used custom-built malicious software, dubbed 'ChewBacca' (after the Star Wars character), to infect 45 retail POS systems using key-logging and memory-scraping functionality. The malware monitors the memory of running processes and checks for data that matches the format of customer credit and debit cards. According to RSA Security, the malware appears to be used by a single group based in Ukraine.

Keeping up with the malware

An updated version of Dexter, called vSkimmer, is capable of stealing credit and debit card information from POS systems running on Microsoft Windows. It then sends the data to a control server.

According to McAfee security analyst Chintan Shah's blog, "the malware uses a standard installation mechanism and copies itself as svchost.exe into %APPDATA%, and modifies the registry key to add itself under the authorised list of apps and runs ShellExecute to launch the process". Additionally, Shah explains: "If the Internet is not available, vSkimmer is to wait for a USB device with the volume name KARTOXA007 to be connected to the infected machine and to copy all the logs with the file name dumz.log and the card info collected from the victim to the USB drive."
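As an added illustration (not from the article or from McAfee), a small Python check a defender could run over exported Run-key entries to flag the persistence pattern Shah describes: a binary named svchost.exe launched from %APPDATA% rather than System32, plus the USB volume and log-file names quoted above. The sample entries and the helper names are constructed for this example.

```python
import re

# Constructed sample of autorun entries, in the shape a registry Run-key
# export would give (value name -> command line). Not from a real machine.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Users\till01\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "svchost": r"C:\Users\till01\AppData\Roaming\svchost.exe",
    "posagent": r"C:\ProgramData\posvendor\agent.exe",
}

# Windows binaries that legitimately live only under System32/SysWOW64;
# the same name anywhere else is a classic masquerading sign.
SYSTEM_ONLY_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\users\\[^\\]+\\downloads\\", re.I)

# Indicators quoted from Shah's analysis in the article.
VSKIMMER_VOLUME_LABEL = "KARTOXA007"
VSKIMMER_LOG_NAME = "dumz.log"


def executable_path(command: str) -> str:
    """Return the executable portion of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, may contain spaces
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def find_suspicious_autoruns(entries: dict) -> list:
    """Return (name, path, reasons) for entries worth an analyst's attention."""
    findings = []
    for name, command in entries.items():
        path = executable_path(command)
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in SYSTEM_ONLY_BINARIES and not SYSTEM_DIRS.match(path):
            reasons.append("system binary name outside System32")
        if USER_WRITABLE.search(path):
            reasons.append("autorun from user-writable directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def usb_matches_vskimmer(volume_label: str, file_names: list) -> bool:
    """True if a removable volume carries the label or log name vSkimmer uses."""
    names = {n.lower() for n in file_names}
    return volume_label.upper() == VSKIMMER_VOLUME_LABEL or VSKIMMER_LOG_NAME in names


if __name__ == "__main__":
    for name, path, reasons in find_suspicious_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

Entries under AppData are common for legitimate software (OneDrive above is a typical false positive), so the user-writable reason is a triage hint, while a System32-only name outside System32 is the finding to escalate.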

Last on Keanini's list is Alina. First discovered in 2012, the RAM-scraping malware is not unique, but the US security body SANS Institute declared it to be one of the most "dangerous techniques" in use, as this type of malware is capable of finding the weak areas in encrypted data.

Researchers at Dell SecureWorks Counter Threat Unit's 2013 'Point-of-sale malware threats' report revealed that, as well as the malwares mentioned, Citadel is another prolific malware that has been infecting POS systems. Once the malware injects into the system, it captures data by taking screenshots and key logging – every time the left mouse button is clicked while browsing the payment process, a screenshot is taken and sent back to the botnet owner.

From this, the attacker has access to usernames, passwords and account information. The key logger process means that each time the victim types anything, the keystrokes are also sent back to the owner.

Trustwave's Mike Park adds: "Without conducting frequent security testing – either vulnerability scanning or penetration testing – the business would most likely not even know the vulnerability existed."

Additional editing by Miya Knights.
