Why Attacks Exploit Common POS SystemsParking Facility Hack Highlights Trend in Remote Access
A remote-access attack that compromised a parking facility provider with locations in Illinois, Pennsylvania, Ohio and Washington highlights how commonly used point-of-sale terminal and software brands are increasingly being exploited by hackers.
Like many other remote-access POS intrusions suffered by U.S. merchants in 2014, the breach at SP+, formerly Standard Parking Corp., will likely be traced to either weak remote-access log-in credentials or a common POS software vulnerability that hackers discovered through attacks waged against other merchants that use the same POS system, some security experts say.
"In 2014, we've seen a greater concentration in the exploitation of remote-access software," says John Buzzard, who heads up FICO's Card Alert Service. "And we find this to be the case for two reasons. If you're a hacker and you can just tunnel into the IP address, what's the first thing you do? You try 'admin' as the login and '1234' as the password."
Those remote-access credentials work about 10 percent of the time, Buzzard contends. But what's most concerning, he says, is that more than one merchant typically uses the same POS software and system with the same access credentials.
SP+ Breach Details
At this point, SP+ claims it doesn't know how many payment cards may have been exposed in the breach. And SP+ declined to share details about its breach beyond those noted in its Nov. 28 announcement, which does not include the name of the POS system vendor or the device hardware brand.
The statement also does not name the remote-access service SP+ uses, nor does it name the company's payments processor, which it says has been notified of the breach.
The statement does, however, list 17 locations in Chicago; Evanston, Ill.; Cleveland; Philadelphia and Seattle that were targeted, with some of the card compromises dating back as far as April 14. SP+ also notes that it was notified of the breach by its POS system vendor, which maintains payments systems used in "some" of its parking facilities.
"An unauthorized person used that company's remote-access tool to connect to computers that process payment cards in a limited number of those facilities," SP+ says. "Upon learning this, SP+ immediately launched an investigation and engaged a leading computer forensics firm to examine the payment systems in the parking facilities."
Using the remote-access tool, the hacker installed malware that searched for payment card data that was routed through computers used by SP+ to accept payments at certain parking facilities, the company says. "The information from payment cards that may have been captured by the malware is the cardholder's name, card number, expiration date, and verification code," SP+ notes.
The last known card exposure dates back to Nov. 4, SP+ says. Since then, the malware has been disabled on all affected servers, "and SP+ has required that the vendor convert to the use of two-factor authentication for remote access," the company adds. "SP+ is working with the computer security firm to implement additional enhanced security measures."
Whether other merchants serviced by this same POS vendor also were impacted remains unknown. But Buzzard says it's likely SP+ is not the only victim.
Buzzard says hackers check out POS vendors' websites to see all of the customers they serve. "They are looking for that thread - to see if it's widely accepted software," he says.
And once the attackers find a common thread, they exploit it, says Christopher Budd, global threat communications manager at security firm Trend Micro. "The specific tactic they use to compromise that system will vary," Budd says. "The attackers will find what works to get in and use it over and over again."
This approach has been used in numerous remote-access breaches throughout the year, including the April 2014 compromise of Texas-based liquor store chain Spec's, the June 2014 attacks on Connecticut-based car wash chain Splash Car Wash and the Vancouver, Wash.-based POS vendor Information Systems & Supplies Inc., which included compromised Dairy Queen, as well as the July 2014 remote-access attack waged against numerous restaurants in Delaware.
Most of these attacks have been attributed to Backoff, a RAM-scraping malware similar to BlackPOS that has been linked to several remote-access attacks this year. In August, the Secret Service and Department of Homeland Security issued an alert about Backoff, noting that more than 1,000 U.S. businesses were likely already infected by this malware strain.
Budd says these emerging attacks reflect the ongoing sophistication and continual evolution of POS malware. Today's malware attacks are what he calls "componentized," meaning they can be easily reused.
"Componentization is a hallmark of professional development," he says. "A good developer builds things in components, because they are reusable and they are cheaper. We are seeing more and more componentization in malware," a trend that has been emerging for the last two to three years, Budd says.
Essentially, hackers only have to tweak one component of the malware to make their attacks effective against different targets, he says. In the case of remote-access attacks, this technique is increasingly effective because most attacks are waged against businesses that either use a common remote-access software or POS system, or share a common POS vendor, Budd says.
"Remote access means the mode of access is going to vary based on the vulnerability of the target, but the malware that is launched could be the same," he says. "In the end, whether the malware is a variant of something out there, like Backoff or BlackPOS, or something new, doesn't really matter. ... What matters is that it's all about getting that debit card and credit card information."