Visa recently issued a Security Alert to merchants, acquirers, and point of sale (POS) integrators discussing the most recent attack vector used (successfully) by miscreants to gain access to critical systems – in this case, POS systems. This posting is not only to provide a high level synopsis of that notification, but also to provide general advice to help prevent this type of attack, and to assist you in providing ongoing user awareness training so that your company’s employees can remain vigilant. In short, criminals are using social engineering techniques to trick users into clicking on a link – one of the oldest tricks in the book, but the criminals are becoming increasingly convincing in their ability to trick people into believing it’s the real thing. In this case, the criminals are focusing on the management remote access vectors (e.g., LogMeIn, PCAnywhere) to obtain credentials, and then using those credentials to gain access to POS systems and install malware such as RAM-scraping software to obtain cardholder data.
Based on Visa’s alert, the attackers have been focusing this particular attack on POS integrators in spearphishing campaigns using spoofed LogMeIn emails, but frankly, this could apply to anyone, so best to share with the community at large. The emails either tell the user that their “subscription is about to expire” or that they should “download a new security certificate.” Once the user clicks on the link, bad things happen. In this case, the injected malware attempts to “connect to an overseas server, downloads additional malware, disables anti-virus applications, installs keystroke logging to steal login credentials, injects custom code into web pages and establishes ‘backdoor’ remote access connection to infected systems.” Ultimately, the cybercriminals deploy RAM-scraping software to scan POS system memory and potentially capture credit card information.
It still all boils down to the same issue over and over again – criminals are finding ingenious ways to get people to assist them in opening the back door to introduce malware into your environment. If only there was a way to harness that brainpower and energy for good purposes, there’s no telling how many additional advances would be possible. But, since cybercriminals are incentivized in their own way (e.g., financially) to outsmart companies, the best we can do for now is learn from others’ misfortunes to try to prevent history from repeating itself. In short, once information like this is public knowledge, you would not be practicing due diligence if you were to not try to do the reasonable things to take preventative action. A large percentage of your security posture is based on your ability to protect yourself against the known.
So, what can we do?
Awareness and proper link-clicking hygiene: You hear it at the airport every five minutes – “Security starts with you.” Security is only as good as your weakest link. All employees should be regularly reminded of the latest tricks – don’t make security awareness training a once-a-year exercise. In this case, users should NEVER click on a link from someone who claims to be a software vendor, even if it’s the real vendor. I don’t care HOW convincing the email appears to be. Proper hygiene dictates that ALL patches/upgrades be obtained from that software vendor’s site and NOT from the link. Period. If you are not sure, ask your Helpdesk or its equivalent. This should go for ALL emails or pop-ups (e.g., Adobe) that ask you to click on a link. Take the few minutes to ask/research. When there’s a knock on your front door, would you open it without seeing who it is first?
Access to your critical systems: I’ve blogged about this before and find it to be increasingly critical – for the systems/applications that are critical to your business, make sure you implement two-factor authentication. Then, even if the cybercriminals obtain credentials, they are dead in the water from that perspective, because they may have what you “know,” but they don’t have what you “have.” Also, use only remote access technologies that are secure, and make sure that your remote access solution is within the scope of your periodic pen test (to help verify that it is reasonably secure).
Firewalls and access controls: This should go without saying, but time and time again we come across clients whose outbound firewall rulesets are on the overly permissive side. Allow inbound remote access to only particular known IP addresses using only the ports/protocols that are required. Block all outbound access for systems that don’t need it (e.g., POS systems) as that just adds a potential can of worms to the equation. And if your POS system is directly accessible from the Internet, you may as well be wearing a “Kick me” sign on the back of your shirt.
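As an added example (not part of the original post or the Visa alert), here is a small Python audit that flags the two ruleset mistakes described above in iptables-save output: inbound remote-access rules with no source restriction, and outbound rules with no destination restriction. The rules it reads are a constructed sample, and the remote-access port set (RDP, pcAnywhere, VNC) is my assumption; swap in whatever ports your remote access product actually uses.

```python
import re

# Ports for common remote-access products (my assumption for this audit):
# RDP 3389, pcAnywhere 5631/5632, VNC 5900. Adjust to your environment.
REMOTE_ACCESS_PORTS = {"3389", "5631", "5632", "5900"}

# Constructed sample in iptables-save syntax for a single POS host
# (example input only, not taken from the Visa alert or the original post).
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5631 -j ACCEPT
-A OUTPUT -d 198.51.100.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j ACCEPT
"""

# Only the flags the audit needs; everything else in the rule is ignored.
_FLAG = re.compile(r"(-A|-s|-d|-p|--dport|-j)\s+(\S+)")


def parse_rule(line):
    """Reduce one iptables-save rule line to chain, src, dst, dport, target."""
    fields = dict(_FLAG.findall(line))
    return {
        "chain": fields.get("-A"),
        "src": fields.get("-s"),
        "dst": fields.get("-d"),
        "dport": fields.get("--dport"),
        "target": fields.get("-j"),
    }


def audit(rules_text, remote_ports=REMOTE_ACCESS_PORTS):
    """Return (finding, rule) pairs for ACCEPT rules that break the two
    controls from the post: inbound remote access must be pinned to known
    source addresses, and a POS host must not have blanket outbound access."""
    findings = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r["target"] != "ACCEPT":
            continue
        if r["chain"] == "INPUT" and r["dport"] in remote_ports and not r["src"]:
            findings.append(("inbound remote access open to any source", line))
        if r["chain"] == "OUTPUT" and not r["dst"]:
            findings.append(("unrestricted outbound access", line))
    return findings


if __name__ == "__main__":
    for finding, rule in audit(SAMPLE_RULES):
        print(f"{finding}: {rule}")
```

On a real host, feed it the output of `iptables-save` instead of the sample; a clean POS ruleset should produce no findings.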
Third Parties: For entities that use third parties to access their critical infrastructure – allow remote access explicitly, and only during the window when it’s needed. The rest of the time it should be disabled. These third parties should also be subject to using two-factor authentication, no matter how much you trust them. Don’t be lazy and just keep the remote access accounts enabled for “ease of use” sake.
Security 101: Patch your systems regularly, keep your anti-malware software up-to-date, change all default passwords/credentials, make sure that your POS integrator (if applicable) is not using common credentials across multiple clients, monitor systems for anomalous behavior.
While there are no earth-shattering revelations in this blog post, it should serve as a constant reminder to remain vigilant. In the asymmetric world where the attackers are commonly more nimble than the attacked, you cannot afford to let your guard down.