The retail industry suffers from pervasive web application weaknesses in legacy software systems, which are soft targets for attackers once they are inside a company’s network. Also, the most sophisticated point-of-sale malware seen to date is now lurking in retailers’ systems, waiting to launch.
A new report from SecurityScorecard finds that no e-commerce retailer was exempt from web application issues. Its researchers’ analysis of many retailers also found that companies need to improve the security of their servers by hardening their configurations. In the recent past, hackers have found entry points via third-party vendors and partners. The target? Customer credit card data and other personally identifying information (Social Security numbers, home addresses, email addresses, phone numbers, etc.) that attackers use for fraud and identity theft.
• Top retailers are faring well in network security, the frequency of patching, and the lack of exposure of employee passwords on the hacker underground.
• Companies that rank at the top also have lower malware infection rates.
• A few of the top retailers include name brands in clothing (Guess), fast food (Quiznos), and sporting goods (Dick’s Sporting Goods). More of the top performing retail companies can be
• Three-fourths (74%) of retailers that rank in the bottom 10% struggle with keeping their employee passwords secure.
• Nearly 40% of bottom ranking retailers are not patching their systems in a timely fashion.
• Bottom performers ranked very poorly for malware infection rates in the middle of summer in July, but gradually improved their standing in October.
Meanwhile, iSIGHT Partners is sharing details about a highly sophisticated criminal malware framework that has been used to target point-of-sale (POS) systems at US-based retailers. The malware is very hard to detect and is likely being used in broader campaigns, so iSIGHT is disclosing details to help retailers and other organizations with POS and other payment processing systems hunt for and eradicate it.
The threat intelligence experts at iSIGHT Partners have analyzed the most sophisticated point-of-sale (POS) malware the firm has seen to date. ModPOS, short for modular point-of-sale (POS) system, is a comprehensive malware framework. The actors behind the ModPOS software have exhibited a very professional level of software development proficiency, creating a complex, highly functional and modular code base that places a very heavy emphasis on obfuscation and persistence. As a result, ModPOS can go undetected by numerous types of modern security defenses.
ModPOS is highly modular and can be configured to target specific systems with components such as uploader/downloader, key-logger, POS RAM scraper and custom plugins for credential theft and other specialized functions like network reconnaissance. iSIGHT believes other capabilities could also be leveraged. The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.
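Packed and encrypted driver modules defeat signature matching because the bytes on disk do not resemble the code that eventually runs, but packing leaves a measurable trace: compressed or encrypted data has near-random byte statistics. The following is an added example of the entropy triage a hunt team might run over suspect driver files; it is not iSIGHT’s tooling or anything described in the report, and the 7.0 bits-per-byte threshold, the 1024-byte chunk size and the sample buffers are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

# Assumed thresholds for this example: plain native code typically measures
# around 5-6.5 bits/byte, compressed or encrypted payloads approach 8.0.
PACKED_ENTROPY_THRESHOLD = 7.0   # bits per byte
CHUNK_SIZE = 1024                # bytes per window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy per fixed-size window, so a packed section stands out even
    when an unpacked stub or PE headers keep the whole-file average low."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD,
                 fraction: float = 0.5) -> bool:
    """Flag the blob when at least `fraction` of its windows exceed `threshold`."""
    ents = chunk_entropies(data)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= fraction


def triage(name: str, data: bytes) -> dict:
    """Summary a hunt analyst would log per candidate driver file."""
    ents = chunk_entropies(data)
    return {
        "file": name,
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 3),
        "max_window_entropy": round(max(ents), 3) if ents else 0.0,
        "packed_suspect": looks_packed(data),
    }


def build_samples() -> tuple:
    """Constructed stand-ins, not real drivers: a repetitive 'plain' image and a
    seeded pseudo-random blob standing in for a packed/encrypted module."""
    plain = b"MOV EAX, [EBP+8]\x00PUSH EBX\x00CALL 0x401000\x00" * 96
    rng = random.Random(1337)  # fixed seed keeps the sample reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return plain, packed


if __name__ == "__main__":
    plain, packed = build_samples()
    for name, blob in (("plain_driver.sys", plain), ("packed_driver.sys", packed)):
        print(triage(name, blob))
```

Entropy alone is not a verdict: legitimate drivers carry compressed resources and many packers pad with low-entropy filler, so the window scan is a prioritisation signal to pair with driver signing status, load path and what the module does once resident.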
iSIGHT Partners says it knows US retailers have been targeted and believes it is very likely that criminal actors are seeking to compromise additional victims beyond those identified. iSIGHT has observed a small element of the ModPOS framework as far back as 2012, with known activity in late 2013 and active targeting of US retailers through 2014. Given its sophistication, it has taken malware analysis ninjas a substantial amount of time to reverse engineer the software.
For data, background and forecasts on eSecurity & Malware: Search CardWeb.com’s CardFlash® Library of more than 58,000 archived articles; Access CardWeb.com’s CardData® for current and historical Performance, Portfolios, Profiles, etc. Visit RAM Research® (ramresearch.com) for quarterly and annual forecasts covering more than 150 metrics. [complimentary or deeply discounted access to CardWeb.com subscribers].
Additional database resources include CardWeb.com’s CardExecs® – comings & goings of payments movers & shakers; CardWeb.com’s CardWatch® – ears & eyes on marketing globally (57K items); and CardWeb.com’s CardPixes® – form & function of card design (7K items).