Welcome to PoS Malware, brought to you by IBM. In this video, we'll learn how malware makes its way onto PoS devices. We'll learn about the different families of PoS malware, and then what happens to the information once it's stolen. Let's get started.

Point of sale systems require some connection to a network in order to contact external credit card processors. This is necessary in order to validate credit card transactions. Sufficiently skilled and determined attackers can go after businesses' PoS terminals on a large scale and compromise the credit cards of thousands of users at a time. The same network connectivity can also be leveraged to exfiltrate any stolen information.

Most point of sale systems run on Windows or Linux, making them essentially small computers. Cybercriminals usually gain access to a company through its network. Once inside, the point of sale malware can select which data to steal and upload to a remote server. Most point of sale malware comes equipped with backdoor and command and control features.

The industry now uses end-to-end encryption of sensitive payment data, which comes from the card's magnetic stripe or chip, when it's transmitted, received, or stored. Decryption only occurs in the point of sale device's random access memory, or RAM, where the data is processed. PoS malware specifically targets the RAM to steal the unencrypted information, a process called RAM scraping.

These are the most common and readily available families of point of sale malware. The Alina family scans the system's memory for contents that match regular expressions indicating the presence of card information that can be stolen. VSkimmer, if it does not find its server, checks for the presence of a removable drive with a specific label. If this drive is found, it drops a file containing any stolen information onto it, providing a method of offline data exfiltration.
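The video describes RAM scraping as matching memory contents against regular expressions for card data. Defenders run the same kind of matcher in the other direction: over a memory dump, a captured outbound payload, or an application log to confirm whether cleartext track data is actually present, which is exactly what end-to-end encryption is supposed to prevent. The following is an added example, not code from IBM or from the video; the Track 1 and Track 2 layouts are the public ISO/IEC 7813 formats, the sample buffer is constructed, and the PANs in it are published test numbers.

```python
import re

# Track 2 layout: ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, optional discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 (format B): '%B', PAN, '^' cardholder name '^', YYMM, service code,
# discretionary data, '?' end sentinel.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check (filters random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so an alert never reproduces the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Scan an arbitrary byte buffer (memory dump, packet payload, log file) for
    cleartext track data; report masked, Luhn-checked findings with their offsets."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(2).decode(), "luhn_valid": luhn_ok(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(3).decode(), "luhn_valid": luhn_ok(pan)})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: binary noise around a Track 2 record, a Track 1 record,
# and a decoy whose PAN fails Luhn. PANs are published test numbers, not real cards.
SAMPLE_BUFFER = (
    b"\x00\x7fELF\x01\x02" + b"log: tx ok 1234567890123\n"
    + b";4111111111111111=25121011234567890?" + b"\x00" * 8
    + b"%B5500000000000004^DOE/JANE^2512101000000000?"
    + b"\x90\x90" + b";4111111111111112=2512101?" + b"\xff" * 4
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_BUFFER):
        print(finding)
```

The Luhn check matters in practice: memory and logs are full of digit runs, and without it a scanner raises far more false positives than a team can triage. Masking inside the scanner, rather than in the reporting layer, keeps full PANs out of alert pipelines and ticket systems, which are themselves in scope for PCI once they hold cardholder data.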
With the Dexter family, information theft is not limited to card data. It also steals various system information and installs a keylogger onto affected systems. The FYSNA malware uses the Tor network to communicate with its C&C server, which makes detection and investigation difficult because all of the malware's network traffic becomes extremely hard to analyze. The Decebal malware checks whether sandboxing or analysis tools are present on a machine before running, making detection and analysis that much more difficult. The most popular, BlackPOS, uses the file transfer protocol (FTP) to upload information to a server of the attacker's choosing. This allows attackers to consolidate stolen data from multiple PoS terminals on a single server.

A couple of things to note. One, PoS malware is rarely used without the aid of other malware. Two, we call these families of malware because they are adapted and updated over time. Let's go ahead and look at some of those updates. As you can see, most of the malware we discussed, or aliases of it, has been adapted, updated, or changed over time into new and improved versions that either offer new functionality or are more difficult to detect. One thing they all have in common, though, is that they exist to steal financial data.

Now you may ask, "Well, what happens if my data is stolen through a PoS breach?" Let's cover that now. Once your data has been stolen, the criminals sell the information to brokers, who buy payment card information in bulk and sell it on to carders. These are people who use a carder website, such as the one shown on the left here, to obtain payment information, which they use to purchase prepaid credit cards. Those credit cards are used to buy gift cards, which are then used to buy goods to sell for profit.
To make it more difficult to track, the items are not shipped directly to the end user; they're shipped to a re-shipper, who then ships them to the end user, making the transaction very difficult to follow from end to end.

So then how do we prevent PoS breaches? It turns out the best offense is a good defense. Most often, hackers gain entry to your network via a phishing attack, unpatched vulnerabilities in your PoS software, or similar risks. The smartest method of prevention is to utilize tools for real-time detection and PCI compliance monitoring. A list of best practices is as follows:

- Actively monitor your PoS network for changes.
- Use compliant, best-of-class, end-to-end encryption around cardholder data.
- Limit the hosts that can communicate with your PoS system.
- Adopt chip-card enabled PoS terminals.
- Utilize employee screening and training to minimize insider threats, and train employees to immediately detect and report possible signs of tampering.
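Two of the practices above, monitoring the PoS network for changes and limiting the hosts a PoS system can talk to, can be checked mechanically against flow records from a firewall or NetFlow collector. The following is an added example, not IBM's code or a tool from the video: it holds an allowlist of the only destinations a terminal should ever reach and flags everything else, with a higher severity for the two channels the video names (FTP for BlackPOS-style bulk upload, Tor for FYSNA-style C&C). The allowlist, the PoS VLAN prefix, the size threshold and the flow records are all constructed; the Tor ports are the daemon's documented defaults, and since Tor can also be configured to use 443, a port match is a hint rather than proof.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: the only destinations a PoS terminal should ever reach.
# Addresses come from documentation ranges and stand in for a payment processor
# and an internal patch/management server.
ALLOWED_DESTINATIONS = {
    ("198.51.100.10", 443),   # payment processor (TLS)
    ("10.0.0.50", 443),       # internal management server
}

# Destination ports that, for a PoS host, deserve a high-severity alert.
# 21 matches the FTP upload channel the video attributes to BlackPOS;
# 9001/9030/9050 are Tor's default ORPort, DirPort and SOCKS port.
HIGH_RISK_PORTS = {
    21: "FTP control channel (cleartext bulk upload)",
    9001: "Tor ORPort default",
    9030: "Tor DirPort default",
    9050: "Tor SOCKS default",
}

POS_SUBNET_PREFIX = "10.0.5."        # constructed: the PoS VLAN
LARGE_UPLOAD_BYTES = 1_000_000       # constructed threshold for "bulk" egress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def classify(flow: Flow) -> Optional[dict]:
    """Return an alert for a flow that violates PoS egress policy, else None."""
    if not flow.src.startswith(POS_SUBNET_PREFIX):
        return None                      # not a PoS host; out of scope here
    if (flow.dst, flow.dport) in ALLOWED_DESTINATIONS:
        return None                      # expected processor/management traffic
    if flow.dport in HIGH_RISK_PORTS:
        severity, reason = "high", HIGH_RISK_PORTS[flow.dport]
    elif flow.bytes_out > LARGE_UPLOAD_BYTES:
        severity, reason = "high", "large upload to non-allowlisted host"
    else:
        severity, reason = "medium", "connection to non-allowlisted host"
    return {"src": flow.src, "dst": f"{flow.dst}:{flow.dport}",
            "severity": severity, "reason": reason}


def review(flows) -> list:
    """Run every flow through the policy and keep only the alerts."""
    return [a for a in map(classify, flows) if a is not None]


# Constructed flow records, as a NetFlow collector or firewall log would export them.
SAMPLE_FLOWS = [
    Flow("10.0.5.7", "198.51.100.10", 443, 4_200),      # normal authorization
    Flow("10.0.5.7", "203.0.113.5", 21, 2_500_000),     # bulk FTP upload
    Flow("10.0.5.8", "203.0.113.20", 9001, 80_000),     # Tor-style port
    Flow("10.0.5.9", "203.0.113.9", 443, 12_000),       # unknown HTTPS host
    Flow("10.0.5.9", "10.0.5.12", 445, 900),            # terminal-to-terminal SMB
    Flow("10.0.1.3", "203.0.113.9", 443, 12_000),       # office workstation, ignored
]

if __name__ == "__main__":
    for alert in review(SAMPLE_FLOWS):
        print(alert)
```

The design choice worth noting is that the allowlist is the primary signal and the port table only adjusts severity: a terminal that reaches any host outside its processor and management servers is already out of policy, whether or not the destination looks like FTP or Tor. That is what makes the "limit the hosts" practice enforceable, and the same allowlist doubles as the baseline for "monitor for changes".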