

Data Protection at the Point of Sale

Oct 23, 2014 01:46PM ● By MED Magazine
By Eric Buzz Hillestad

When they think of Point-of-Sale malware, many people immediately think of the Target breach from recent history. Most people do not think of their local gas station, grocery store, hospital, or pharmacy. In reality, these systems are generally more vulnerable to malware than big stores like Target.

Point-of-Sale malware, or POS malware, is malware written specifically to exfiltrate customer payment data from the networks in which these POS systems reside. POS malware has been successful due to its ability to elude most antivirus programs. It works by scraping the memory within the POS system and compiling those memory scrapes into an encrypted file. It can also capture keystrokes. It then uses a command and control interface to communicate with the attacker responsible for the infection. The attacker can send the collected data back to their command and control servers at any time via a simple command.

The various versions of the malware have been known to infect Java and Flash and can further inject malicious stubs into explorer.exe. This is a technical way of saying that it can further hide itself from your antivirus software, meaning that if you are relying on antivirus alone for protection, you might never know you were infected. The intent of this malware is to hang on as long as possible, giving the attacker as much card data as they can get before being discovered.

The worst part about this malware is that, currently, it seems to be running wild across the globe. The NCCIC (National Cybersecurity and Communications Integration Center) as well as US-CERT (United States Computer Emergency Readiness Team) have been warning businesses about it since October of 2013. The United States Secret Service is currently tracking infections “compromising a significant number of major enterprise networks as well as small and medium businesses” as recently as August 22, 2014. Any organization that believes it is infected with Backoff, LAST, NET, or any other variant of POS malware should contact its local US Secret Service Field Office.

Unfortunately, protecting your organization against these types of malware threats is not easy, and that is precisely why attackers use these attack vectors. Restricting user account access on systems is a good start. Uninstalling software that is not specifically needed for a business function can also help. Egress firewall filtering can prevent this malware from sending data out of your network. Additionally, application whitelisting and configuration change management, as well as some second-generation firewalls, can stop this malware dead in its tracks.
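An egress filter is only as good as the review of what it lets through. The following is an added example, not part of the original article: it audits firewall logs for POS terminals contacting destinations outside an allowlist. The POS subnet, the allowlist entries and the key=value log format are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration (not from the article).
POS_SUBNET = ipaddress.ip_network("10.20.30.0/24")  # POS terminals
ALLOWED_EGRESS = {  # (destination network, port) a terminal legitimately needs
    (ipaddress.ip_network("192.0.2.10/32"), 443),  # payment processor
    (ipaddress.ip_network("10.20.0.5/32"), 53),    # internal DNS resolver
}

# Constructed sample firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2014-08-22T09:01:11 action=allow src=10.20.30.11 dst=192.0.2.10 dport=443
2014-08-22T09:01:15 action=allow src=10.20.30.11 dst=10.20.0.5 dport=53
2014-08-22T09:02:40 action=allow src=10.20.30.12 dst=203.0.113.77 dport=80
2014-08-22T09:03:02 action=deny src=10.20.30.12 dst=203.0.113.77 dport=8080
2014-08-22T09:03:30 action=allow src=10.20.40.9 dst=198.51.100.4 dport=80
malformed line without fields
"""

def parse_line(line):
    """Return the parsed fields, or None for a malformed line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"action", "src", "dst", "dport"} <= fields.keys():
        return None
    try:
        return {"action": fields["action"], "dport": int(fields["dport"]),
                "src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"])}
    except ValueError:
        return None

def is_allowed(dst, dport):
    return any(dst in net and dport == port for net, port in ALLOWED_EGRESS)

def audit_egress(log_text):
    """Map each POS host to its off-allowlist flows, split by firewall action."""
    # 'allow' = gap in the egress policy; 'deny' = blocked, but worth a look.
    findings = defaultdict(lambda: {"allow": [], "deny": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in POS_SUBNET:
            continue
        if rec["action"] in ("allow", "deny") and not is_allowed(rec["dst"], rec["dport"]):
            findings[str(rec["src"])][rec["action"]].append((str(rec["dst"]), rec["dport"]))
    return dict(findings)

if __name__ == "__main__":
    print(audit_egress(SAMPLE_LOG))
```

An entry under `allow` means the firewall permitted traffic the terminal has no business reason to send, so the rule set needs tightening; an entry under `deny` means the filter held, and the terminal that tried is the one to examine.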

Ask your IT folks about these security controls today. They could save you from a breach if implemented correctly!

 Eric Buzz Hillestad is Partner at Secure Healthcare Solutions, LLC and Principal Consultant.