The lack of visibility into POS attacks provides an environment where attackers can operate with as much time as they need to find and compromise a key asset such as an Active Directory or patch management server that will expose the POS payment processing gateways. Once identified, the attacker deploys malware through the patch-management software and then compromises the payment processing application using a RAM scraper as a final payload of the attack to steal and upload card data. The report adds that once compromised it remains a constant challenge for organizations to have visibility into how widespread the attack may be and how to conclusively shut down these attacks.
It also points out that many of today’s POS devices are particularly vulnerable to malware since they run on older, unprotected Windows XP or even DOS based systems in which anti-virus is not available. Additionally, in some cases, the patch management systems run in a trusted mode and there may
not be anti-virus running at all. The report notes that having an endpoint security solution is not a fail safe way to prevent attacks because many of these attacks are targeted and originate from the endpoints using stolen credentials to breach the systems.
The report covers:
- Details of the vulnerabilities and three cases of breach within large, regional and mid-sized retail organization
- The anatomy and findings from these attacks
- Recommendations for early attack visibility and detection
Accoding to Attivo Networks, this is the first time deception technology was used to provide visibility into a POS attack, as well as defeat it. Researchers introduced deception technology into POS networks and found that creating lures and decoys could successfully trick attackers into revealing themselves through initial and ongoing attack phases.
Based on this research, Attivo Networks predicts that in 2017 there will be a significant increase in reported POS attacks, largely due to the high probability that these systems have already been breached and attackers are already active throughout many networks today, undetected and unchecked.