Telefónica Trend Report: The PoS Malware threat in 2015

Tuesday, June 23, 2015

A few weeks ago in the United Kingdom, cashless payments overtook the use of notes and coins for the first time. This is the latest demonstration that, while worldwide cash still remains king, the balance is slowly changing. We present here a complete study of the state of the art in PoS malware: its evolution, figures and countermeasures. These are the main ideas from the report.

Although the smartphone has been the catalyst for the shift towards more secure mobile payments, credit and debit card transactions at the point of sale (PoS) still remain the main entry point of consumer data into merchants' information environment. Perhaps an obvious point, and one certainly not missed by cyber-criminals if the "mega breaches" affecting major U.S. retailers in the past few years are anything to go by.

Illustration of PoS malware breach headlines, 2002-2015

Targeting the weak link in PCI DSS, cyber criminals have refined PoS malware, employing "RAM scraping" techniques to parse the memory of processes on PoS terminals and read card data in the window before it is encrypted. It is now a mature cybercrime model, responsible for the majority of confirmed data breaches and feeding a booming underground marketplace. Focusing too much on the headline-grabbing breaches obscures the fact that, from a frequency perspective, small and medium sized enterprises are most affected; criminals are after the money, not the headlines. Awareness has undoubtedly risen and the average time between breach and detection appears to be narrowing, but the fact that detections in Q1 2015 outstripped those of the previous two years also points to soaring propagation rates.
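What a RAM scraper is actually hunting for, as an added example that is not part of the Telefónica report: a Python scan over a constructed memory snapshot for magnetic-stripe Track 1 and Track 2 data, with a Luhn check to discard random digit runs. Run over a real process memory dump, the same logic is what a defender would use to confirm that clear-text card data is present in a PoS process before encryption. The buffer, the test PAN 4111111111111111 and the cardholder name are constructed for the example.

```python
import re
from typing import Dict, List

# Track 2 as stored on the magnetic stripe: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Track 1, format B: %BPAN^NAME^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(rb"%?B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^?]{0,60})\??")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; scrapers use it to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits only, so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict[str, object]]:
    """Return Luhn-valid track data found in a memory buffer, ordered by offset."""
    hits: List[Dict[str, object]] = []
    for track, rx, expiry_group in (("track1", TRACK1_RE, 3), ("track2", TRACK2_RE, 2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):    # most random digit runs fail the check digit
                continue
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group(expiry_group).decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory snapshot (not a real dump): a transaction record, one Track 1
# and one Track 2 record with a Luhn-valid test PAN, and a decoy that fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TXN_ID=000123\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=25121011000000000000?"
    b"\x00"
    b";4111111111111112=25121011000000000000?"
    b"\x00garbage\x00"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

The decoy record differs from the real one only in its last digit, which is enough for the Luhn filter to drop it; this is also why scraper output is so clean and why the same filter keeps a defensive memory scan from drowning in false positives.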

Frequency of incident classification patterns with confirmed data breaches

Industries with high card transaction volumes (particularly hotels and entertainment), in addition to the more obvious retail sector, are most at risk from PoS malware. The size of the U.S. economy combined with its late adoption of EMV "Chip and PIN" technology ensures it will almost certainly remain the most targeted country during 2015, and an attack surge within this target-rich environment is possible before the October implementation deadline. Even once EMV is implemented, the data captured still enables fraudulent card-not-present (e-commerce) transactions. In large enterprises, the drive for innovation at the PoS can see security overlooked in favour of the consumer experience and integration with other business applications. Secure technology that would hinder PoS malware, such as end-to-end encryption, is often unrealistic for small and medium sized businesses to implement. Conversely, criminals are able to call upon a readily available and proven PoS malware codebase, unthreatened by obsolescence in a PoS data environment set to remain largely Windows XP based for several years to come.

Evolution of PoS malware variants
Technical analysis reveals heavy development occurring across a few key codebase variants, with some strains adopting nation-state level complexity and others stripping back and removing unnecessary overhead. The overall malware campaign, and in particular the exfiltration of stolen data, can be complex and is often based on detailed knowledge of the victim's network.
UK credit card fraud (figures in millions of pounds) and countermeasure implementation dates

While it is possible that large companies may be able to limit the impact of protracted "mega breaches", the risk of smaller, more distributed breaches remains, and the upward trajectory of PoS malware in 2015 shows no signs of slowing. Rather than being overawed in the face of the threat, however, it should be remembered that the common PoS network intrusion methods, such as phishing and attackers exploiting default passwords, are often targeted but are nothing new.

PoSeidon logo and a phishing email campaign used to target PoS vendors

Ben Walton

"Incident Response Management": Attitudes of European Enterprises

Friday, June 19, 2015

We have recently sponsored a new research study conducted by Pierre Audoin Consultants (PAC), focused on "Incident Response Management". The results detailed are compiled from a survey conducted among large enterprises in France, Germany and the United Kingdom.

The report provides key insights into the reality of security breaches and how enterprises are dealing with the current threat landscape. 67% of companies report that they were breached last year and all admit to having been breached at some point in the past. 43% of those companies rate the incident severity high or very high. With an average direct cost of €75k per breach, plus the indirect costs of the one to six person-months needed to recover from a breach, companies have to accept that breaches are inevitable and adapt their strategies accordingly to face this new reality. Not surprisingly, over the next two years companies expect the split of their security budgets between traditional protect-and-prevent services and detection and response to shift from a ratio of 4:1 to 3:2.

The shift towards a proactive security strategy
We believe this trend will only accelerate and that incident response is an important element of the more proactive security strategy being employed by enterprises. This new threat landscape is reflected in the standardized security services within our portfolio designed to detect and mitigate security incidents, including phishing or malware, brand abuse, pharming and the ongoing concerns associated with customer credential markets. In addition, we provide customised solutions and expert teams to support enterprises in addressing advanced incidents, including forensic analysis.

We continue to invest in the development of our Cybersecurity services portfolio in order to provide enterprises with actionable intelligence to help them identify the impact of attacks on their business. This includes insight into the effects on their brand and reputation across their digital estate, including the internet, web portals and social networks, the detection of online fraud and the identification of threat actors, their motivations and attack methodologies.

Security technology provides an incredible amount of data. This drives a key challenge within the security industry: the need to rationalise this data and build a clear picture of what is occurring and what it means. Importantly, much of the relevant information lies outside of the enterprise, because there is no longer a defined perimeter and because most threats are executed via the internet. It is crucial that we are able to provide insight into the current security landscape and clearly articulate the current status for enterprises. Not surprisingly, the PAC study details how companies are challenged by the lack of in-house threat intelligence skills, with 38% of security teams identifying this as their main source of concern.

Don’t just stand there, prepare!
Detecting an incident rapidly and effectively means that enterprises need to be ready. The need to prepare and the need to react are two sides of what is usually a single problem. While incidents are out of our control, in that we cannot predict who will attack, when it will occur or what will happen, organizations should nonetheless expect an attack and be prepared to react appropriately. 86% of enterprises recognise this and, within the research, identified the need to be ready as central to their strategy. This proactivity manifests itself in the form of strategies that will help if and when the breach happens: a cyber-incident response strategy or plan that is maintained and tested, a crisis handling plan, roles and responsibilities post-discovery, communication plans, and so on. By having these key items in place and creating controls that allow the discovery of incidents, companies are better prepared for an organized post-incident response.

To notify or not notify, that is the question
The new European regulation, with its mandatory breach notification, is yet to be issued; however, companies are already exploring what it will mean for their businesses. 87% of respondents indicated concern with regard to this change. Responding to an incident is not only a technological challenge; it has a negative impact on a number of elements within any organization. The technological response mainly addresses the need to safeguard core aspects, including communication, both internal and external, minimizing business operational impact and ensuring continuity. Breach notification requires technological support that produces the right type of information in a reasonable timeframe, but it is also a communications challenge: any public announcement must be managed effectively. This is reflected in the responses captured. 71% of respondents raised this as a key concern, whilst 52% considered it a more important challenge than the technical issue. As the legislative initiative evolves, the need for enterprises to develop their cyber-incident response plans becomes paramount in order to be able to manage these issues. We believe this is why cyber-incident response plans are increasingly either linked to or even included in the business continuity plan. Many of the softer skills required to manage an incident will be the same regardless of the nature of the incident. As the market matures and enterprises' understanding of cyber-risks and their importance grows, cybersecurity will come to be treated as just another source of risk, to be managed in a consistent way.

I’m in trouble. Can you help?
The final part of the report assesses outsourcing as a potential approach to addressing cyber-incident response. 69% of participants indicated that they have a combination of both internal and external staff dealing with security incidents. While initially this number appears surprisingly high, in retrospect, given that the severity, complexity and impact of incidents vary widely, it seems reasonable that companies adopt a human resources strategy flexibly designed to provide a range of capabilities in order to be ready for different types of incidents. This is especially relevant considering that companies often use external resources to support the management of standard security incidents, which allows them to focus on more strategic security issues.

Once an organisation is aware of an incident, it is immediately concerned with containment and resolution. A breach will not solve itself or simply disappear; its damaging effects continue to grow. This explains why respondents cite quality, speed and knowledge in preference to the more traditional reasons for outsourcing, which normally include cost or budgetary flexibility. We understand this important requirement and provide key performance indicators for the time taken to close an incident as part of the on-line portal for our cyber-incident response services.

Telefónica is both an ISP and an IP backbone provider, and we have extensive experience in managing security inside our global and national networks, as this is a core requirement for our business. We can leverage that experience, as well as our cloud and network assets, to deliver comprehensive managed security services. We believe that within cybersecurity we can provide a comprehensive, end-to-end view of the security challenges facing enterprises, from the generation of threat intelligence through to incident response, where our experience and our network enable us to apply network-based mitigation measures.

You can now download the study conducted by the consultancy company Pierre Audoin Consultants (PAC) and supported by Telefónica:

» Download the executive summary of the “Incident Response Management: How European Enterprises are Planning to Prepare for a Cyber Security Breach”.

» Download the full study “Incident Response Management: How European Enterprises are Planning to Prepare for a Cyber Security Breach”.

Luis Francisco González
Twitter: @lfghz

"Alarmware" in Google Play: will not stop an alarm until you install another malicious app

Friday, June 12, 2015

At ElevenPaths, we have spotted a few samples of downloaders in Google Play that work in a very particular way. The app hides its icon and installs a service that will download another application from a server. We have seen this before... but the interesting part is that, to make sure the downloaded app gets installed, it triggers a kind of alarm that fires every few seconds until this new package from outside Google Play is indeed installed.

One of the offensive apps

We have found several live samples of a new variant of a downloader known as "Stew.B", which we covered a few months ago. This time, however, they work in a different and even more annoying way. Perhaps they should be called "alarmware".

How it works

The apps pose as Minecraft or Clash of Clans guides, or even pizza recipes or weight loss advice. The analyzed app shows some ads and then simply removes its icon from the home screen, so the user cannot launch it again. In the background, however, the app installs a service that launches itself on every reboot.

Part of the configuration of the service
This service responds to two events: the screen locking or unlocking, and an app being installed or uninstalled. It uses a random function to calculate how many hours or minutes to wait, counted from the installation of the first application, before it contacts the attacker's server again for instructions. Among those instructions is the URL of a package to download, which could be literally anything.

The program requests which new app to download and what message to show

The service then tries really hard to get this freshly downloaded APK installed, even if your phone is not configured to install apps from outside Google Play.

Basic scheme of the malware program
Many devices will have the security setting enabled that blocks the installation of APKs from untrusted sources (outside Google Play). In that case the attacker's freshly downloaded program cannot be installed, and one of these screens will appear again and again.

APKs from outside Google Play are not allowed, and the phone is not configured to use Verify Apps by default

Showing these screens over and over makes the phone quite annoying to use. Using a trick with a toast component (the small pop-up text Android shows for system messages, such as when you connect to a new Wi-Fi network), it pops up a message and a very annoying sound again and again, even vibrating. If you cancel or press back, it starts again (sound and message), trying to convince you that it is a Google Services update or something similar. This happens every few seconds. If the user does allow installing APKs from outside Google Play, or finally enables it because they cannot stand the sound any more, this screen will appear.

Just before installing the downloaded APK 

The installation toast message and alert keep appearing and beeping again and again, even if the device is silenced. The text shown is in the browser language (it is taken from the attacker's server). It becomes very difficult to use the phone normally, unless you uninstall the original app (if you manage to, in the short gaps between the install prompts and sounds). It keeps annoying the user until the downloaded app is installed or the original app from Google Play is uninstalled.

If the user finally installs it, the alarm stops, and there are now "two" Google Services programs... who would dare to uninstall either of them?

One of the two Google Play Services entries is fake

Oddly enough, the installed application (the fake Google Services program) is again just the same code as the original one, which is strange. Presumably the attacker is still testing, but this could change at any minute. This attacker is from Russia and used a similar technique back in March, but Google removed those apps.

Some apps of the same kind were removed back in March
A few weeks ago, the attacker managed to upload some other apps again. Some of them are still online. These are the ones we found thanks to Tacyt, as we have done before with JSDialers, JSSMSers, Clickers, Shuabang, etc. (name, package name, SHA-1):

  • Guide minecraft game, com.appalexk.mcs, 965559baa77650d9c6249626d33ad14c5210c272
  • Guide Minecraft Free, com.appalexk.aam, bde1502855e2d9912937906c1d85bec24b3b6246
  • Guide for Clash of Clans, com.appalexk.cofc, 30c4db4033478007a1bdc86a40e37b5cd4053633
  • Recipes Pizza,, a84197a150285f04aee1096e96374255ccf5c2aa
  • Гайд для Earn to Die, com.appalexk.dde
The SHA-1 of the APK downloaded from the server is (at the time of writing): a2123233d8d972b68c721c01c6ad1785d8189fb9
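A small triage script built on the indicators listed above, as an added example that is not part of the original post or of Tacyt: it parses `adb shell pm list packages -f` output, flags the package names from the list, flags any other package under the same `com.appalexk.` developer prefix (a heuristic assumed here, based on the attacker re-uploading apps under that prefix), and SHA-1s any pulled APKs against the hashes above. The `pm` output and the `com.appalexk.xyz` package in the sample are constructed for the example; the "Recipes Pizza" entry has no package name on the page, so it is matched by hash only.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Optional, Set

# Indicators taken from the post: package names and SHA-1 hashes of the Google Play apps,
# plus the SHA-1 of the APK the service downloads from the attacker's server.
IOC_PACKAGES: Dict[str, str] = {
    "com.appalexk.mcs": "Guide minecraft game",
    "com.appalexk.aam": "Guide Minecraft Free",
    "com.appalexk.cofc": "Guide for Clash of Clans",
    "com.appalexk.dde": "Гайд для Earn to Die",
}
IOC_SHA1: Dict[str, str] = {
    "965559baa77650d9c6249626d33ad14c5210c272": "Guide minecraft game (com.appalexk.mcs)",
    "bde1502855e2d9912937906c1d85bec24b3b6246": "Guide Minecraft Free (com.appalexk.aam)",
    "30c4db4033478007a1bdc86a40e37b5cd4053633": "Guide for Clash of Clans (com.appalexk.cofc)",
    "a84197a150285f04aee1096e96374255ccf5c2aa": "Recipes Pizza",
    "a2123233d8d972b68c721c01c6ad1785d8189fb9": "APK downloaded from the attacker's server",
}
# Heuristic (assumption, not from the post): the attacker re-uploads under this developer prefix.
SUSPECT_PREFIX = "com.appalexk."

# `pm list packages` prints "package:<name>"; with -f it prints "package:<apk path>=<name>".
_PM_LINE = re.compile(r"^package:(?:(?P<path>.+)=)?(?P<pkg>[\w.]+)\s*$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map installed package name -> APK path (None when -f was not used)."""
    installed: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def find_ioc_packages(installed) -> Dict[str, str]:
    """Exact package-name matches against the list from the post."""
    return {pkg: IOC_PACKAGES[pkg] for pkg in installed if pkg in IOC_PACKAGES}


def find_publisher_siblings(installed, prefix: str = SUSPECT_PREFIX) -> Set[str]:
    """Unknown packages under the same developer prefix: likely a newer re-upload."""
    return {pkg for pkg in installed if pkg.startswith(prefix) and pkg not in IOC_PACKAGES}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(sha1: str) -> Optional[str]:
    """Label for a known-bad SHA-1, or None."""
    return IOC_SHA1.get(sha1.lower())


def scan_apk_dir(directory: Path) -> Dict[str, str]:
    """SHA-1 every *.apk under directory (e.g. after `adb pull`) and return {path: label} for hits."""
    hits: Dict[str, str] = {}
    if not directory.is_dir():
        return hits
    for apk in sorted(directory.rglob("*.apk")):
        label = classify_hash(sha1_of_file(apk))
        if label:
            hits[str(apk)] = label
    return hits


def triage(pm_output: str) -> Dict[str, object]:
    installed = parse_pm_list(pm_output)
    return {
        "ioc_packages": find_ioc_packages(installed),
        "siblings": find_publisher_siblings(installed),
        "apk_paths": {p: installed[p] for p in installed
                      if p in IOC_PACKAGES or p.startswith(SUSPECT_PREFIX)},
    }


# Constructed sample of `adb shell pm list packages -f` output (not a real capture).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/data/app/com.appalexk.mcs-1/base.apk=com.appalexk.mcs
package:/data/app/com.appalexk.xyz-1/base.apk=com.appalexk.xyz
package:/data/app/com.example.notes-2/base.apk=com.example.notes
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT))
    print(scan_apk_dir(Path("pulled_apks")))
```

Because the fake "Google Services" app carries the same code as the original, pulling the APK paths reported by `pm list packages -f` and hashing them is the quickest way to tell the real `com.google.android.gms` from the impostor.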

Sergio de los Santos

Juan Manuel Tirado