According to the report, “Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks,” Point of Sale (PoS) Random Access Memory (RAM) malware targeting Small to Medium Businesses (SMBs) is on the rise. Some threat actors have now industrialized PoS RAM malware by deploying traditional mass-infection tools such as spam, botnets and exploit kits; this combination is expected to be a sizeable threat to SMBs for the foreseeable future.
PoS RAM malware is only the most recent threat that SMBs have faced. In fact, they have been a target of opportunity for criminal gangs for centuries. Historically, and to a much lesser extent today, SMBs were cash-based enterprises that largely faced physical theft of goods, services, cash and checks. It was not until the 1980s that there was a fundamental shift to, and reliance on, noncash payment systems, including general-purpose and private-label card systems, automated clearinghouse (ACH), and checks. Fraud losses in noncash payment systems alone have increased from approximately $110 million in 1980 to more than $16 billion in 2015.
Large-scale payment card data theft facing SMBs prior to the 1990s was concentrated in physical breaches, whereby card data and even bank account data were physically compromised through skimming operations (physical copying of track data from the magnetic stripe). Even with the advent of new, more complex payment systems, criminal gangs still predominantly targeted SMBs at the local level. They continue today through targeted skimming operations against financial, hospitality and retail organizations.
Cyber comes into play
The globalization of the Internet in the 2000s ushered in the globalized cybercriminal gang. This new brand of criminal enterprise has evolved along with the ecosystem that supports it, the Deep Web. Cybercriminals have been extremely successful in adapting not only to technology advances in payment systems but equally to the security controls built around them.
In the early 2000s they targeted businesses that processed, transmitted and/or stored large amounts of unencrypted payment card data, as evidenced by breaches at large retailers such as TJX and at processors like Heartland Payment Systems. Likely in response to Payment Card Industry mandates requiring strong encryption of all payment card data at rest and in transit, by the mid-2000s cybercriminals had adapted and begun focusing their efforts on harvesting card data in memory.
Even though, by most accounts, PoS RAM malware was let loose around 2008, it did not gain wide attention until the massive Target breach and the numerous other retail breaches from 2013 to 2015.
What has made PoS RAM malware and the cybercriminal groups behind its use so effective? It has been the evolution of both the malware and the threat actors behind it. Today, PoS RAM malware is highly specialized and customizable:
- Customization usually comes in a single binary package, including varied networking functionality (e.g., File Transfer Protocol [FTP], Tor, HTTP) to receive commands from command-and-control (C&C) servers
- Exfiltrates stolen card data to remote servers
- Leverages encryption for secure exfiltration through multiple channels
- Equipped with kill-switch functionality to remove all traces of a breach
- Incorporates development kits for further customization for targeted attacks
These cybercriminal groups have evolved as well and have successfully targeted and infected thousands of PoS terminals in large retailers to aggregate and obtain millions of credit card accounts. Last year, Hilton and Starwood Hotels reported breaches using PoS malware, although it is still not known which malware family was recovered.
SMBs under assault
During the last few years SMBs have not been immune either. In aggregate they have been affected by PoS malware just as much, but they do not get equal billing when it comes to media attention. According to research, PoS RAM malware detections were up 66 percent, with 47 percent of those targeting SMBs.
This increase in infection rates can be attributed to threat actors leveraging mass-infection tools, including the Angler Exploit Kit, the Andromeda botnet and traditional malware-laced spam. This new infection strategy, coupled with SMBs that have little or no cybersecurity strategy or program and are therefore inherently vulnerable, makes this the greatest threat SMBs will face in the coming year.
Recommendations and Solutions
- Install Payment Application Data Security Standard (PA-DSS)-compliant payment applications
- Deploy anti-malware security tools with web, file and email reputation to protect against malware attacks
- Use network, cloud and host-based IDS/IPS tools to shield unpatched vulnerabilities
- Use trusted firewalls to provide a customizable perimeter around servers
- Assign a strong password to security solutions to prevent application modification, using two-factor authentication (2FA) whenever possible
- Ensure checksum comparisons are conducted to validate any automatic updates from third parties
- Disable unnecessary ports and services, null sessions, and default and guest accounts
- Enable logging of events and make sure there is a process to monitor logs on a daily basis
- Implement least privilege and ACLs for users and applications on the system
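Two of the recommendations above, checksum validation of third-party updates and daily review of logs, are concrete enough to show in code. The following Python is an added example written for this page, not code from the original article or from Trend Micro. The firewall log format, the PoS subnet, the allowlisted payment-processor and update-server addresses and the byte threshold are all constructed assumptions; the suspect-port list assumes a payment terminal never legitimately speaks FTP or Tor, which are two of the exfiltration channels the article lists.

```python
"""Added example: two defender-side checks for a PoS environment (not code from the
original article). (1) Verify a third-party update against its vendor-published
SHA-256 before installing it. (2) Review egress logs from the PoS network segment
and flag connections a payment terminal has no business making. The log format,
addresses, subnet and allowlist are constructed for this example."""
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# ---- 1. Validate an automatic update from a third party ----------------------

def sha256_hex(data):
    """SHA-256 of an in-memory update package, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def update_is_authentic(data, published_sha256):
    """True if the package matches the vendor-published digest.
    The published value must come from an out-of-band source (vendor site over TLS,
    signed release notes), never from the same download that carries the file."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())

# ---- 2. Daily review of PoS-segment egress logs ------------------------------

# Constructed firewall export format: one connection record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes_out=(?P<bytes_out>\d+)$"
)

# Ports tied to the exfiltration channels the article names: 20/21 are FTP, 9001
# and 9030 are the default Tor relay OR and directory ports. Assumption: a PoS
# terminal never legitimately uses any of them.
SUSPECT_PORTS = {20: "ftp-data", 21: "ftp", 9001: "tor-or", 9030: "tor-dir"}
LARGE_TRANSFER_BYTES = 100_000  # constructed threshold; tune to normal terminal traffic

POS_SUBNET = "10.20.1.0/24"                        # constructed PoS VLAN
ALLOWED_EGRESS = {                                 # constructed (dst, dport) allowlist
    ("203.0.113.10", 443), ("203.0.113.11", 443),  # payment processor gateways
    ("203.0.113.20", 443),                         # vendor update server
}

# Constructed sample export: three terminals, one non-PoS host, one denied attempt.
SAMPLE_LOG = """\
2016-03-01T02:14:07Z allow src=10.20.1.11 dst=203.0.113.10 dport=443 proto=tcp bytes_out=1840
2016-03-01T02:15:22Z allow src=10.20.1.11 dst=198.51.100.77 dport=21 proto=tcp bytes_out=524288
2016-03-01T02:16:03Z allow src=10.20.1.12 dst=192.0.2.55 dport=9001 proto=tcp bytes_out=73000
2016-03-01T02:17:40Z allow src=10.20.1.12 dst=203.0.113.10 dport=443 proto=tcp bytes_out=2100
2016-03-01T02:18:11Z allow src=10.20.1.13 dst=192.0.2.200 dport=80 proto=tcp bytes_out=310000
2016-03-01T02:19:00Z deny src=10.20.1.13 dst=192.0.2.201 dport=21 proto=tcp bytes_out=0
2016-03-01T02:20:30Z allow src=10.30.5.4 dst=192.0.2.9 dport=80 proto=tcp bytes_out=900000
2016-03-01T09:00:00Z allow src=10.20.1.11 dst=203.0.113.11 dport=443 proto=tcp bytes_out=1500
"""

def parse_egress_log(lines):
    """Yield parsed records; lines that do not match the export format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes_out"] = int(rec["bytes_out"])
            yield rec

def audit_pos_egress(lines, pos_subnet=POS_SUBNET, allowed=ALLOWED_EGRESS,
                     large_transfer=LARGE_TRANSFER_BYTES):
    """One finding per PoS-sourced record whose (dst, dport) is not on the allowlist.
    Denied attempts are reported too: a terminal trying to reach an FTP server is an
    indicator even when the firewall stopped it."""
    net = ipaddress.ip_network(pos_subnet)
    findings = []
    for rec in parse_egress_log(lines):
        if ipaddress.ip_address(rec["src"]) not in net:
            continue
        if (rec["dst"], rec["dport"]) in allowed:
            continue
        reasons = ["destination not on PoS allowlist"]
        if rec["dport"] in SUSPECT_PORTS:
            reasons.append(f"{SUSPECT_PORTS[rec['dport']]} port")
        if rec["bytes_out"] >= large_transfer:
            reasons.append(f"large outbound transfer ({rec['bytes_out']} bytes)")
        findings.append({"ts": rec["ts"], "action": rec["action"], "src": rec["src"],
                         "dst": rec["dst"], "dport": rec["dport"], "reasons": reasons})
    return findings

def summarize_by_host(findings):
    """Findings per terminal; the host that keeps appearing is the first to pull for forensics."""
    return dict(Counter(f["src"] for f in findings))

if __name__ == "__main__":
    found = audit_pos_egress(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['action']:5} {f['src']} -> {f['dst']}:{f['dport']}  "
              + "; ".join(f["reasons"]))
    print(summarize_by_host(found))
```

Run as a script, it lists the four off-allowlist records from the sample export (the FTP upload and the Tor-port connection among them) and shows that terminal 10.20.1.13 appears twice. In practice the allowlist is the set of processor and update endpoints the terminal vendor documents; anything else leaving the PoS VLAN is exactly what the daily log review in the list above exists to catch, and the checksum step keeps a tampered update from being the way the malware arrives.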
By deploying a multi-layered security program within an organization, one can build a risk management strategy that is resilient against cyberattacks.
A version of this article originally appeared on Trend Micro’s blog.