It was announced this week by McAfee that a new threat to merchants has been discovered called vSkimmer. This is a very insidious threat as most merchants will likely not know they have been infected until it is too late.
The net of vSkimmer is that it is malware of the highest order built for the explicit purpose of collecting track 2 data from Windows point of sale (POS) systems. Worse yet, whoever wrote this little gem of software intends to enhance it in 2013 to include the ability to skim EMV cards’ “track” data as well.
vSkimmer can be deployed like Stuxnet through a USB thumb drive, as malware in an email message or on a Web site or any number of ways. When installed, vSkimmer determines the operating system and version, hostname, active username and various other operational characteristics of the POS system. It then inventories running tasks and memory to determine where track 2 data is stored and begins recording that data.
vSkimmer works whether the POS system is connected to the Internet or not. When the POS is connected to the Internet, it transmits the data obtained to a control server using HTTP. When the POS is not connected to the Internet, the information is stored until someone connects a USB device labeled ‘KARTOXA007’ and copies all the information it obtained onto the USB device.
As usual, the Internet is abuzz regarding how this will be addressed by the PCI DSS. Sorry to disappoint, but it is already addressed. Here are some key requirements in the PCI DSS that should mitigate vSkimmer.
- Requirement 1.2.1.a requires that only that network traffic that is necessary is allowed through the firewall. Merchants should be only allowing connectivity from the POS or card terminal to their processor and nowhere else. Any traffic attempting to go anywhere else should be flagged and IT alerted to investigate.
- Requirement 5.1 requires that you have anti-virus and anti-malware software installed on POS devices. Given this is a Windows specific threat and Windows is highly susceptible to being infected, you should have done this already. While anti-virus solutions are not perfect in always identifying such malware, since McAfee and other anti-virus solution vendors are the ones that found vSkimmer, I would imagine that they all have or will very soon have signatures for vSkimmer.
- Requirement 6.1 requires that systems are patched current. The problem with patching POS systems is that a lot of vendors issue POS updates for the OS and their application on a quarterly or even annual basis and do not recommend that merchants patch their POS systems directly from Microsoft because of compatibility issues.
- Requirement 10.2 which requires the logging of events. In the case of a USB device being plugged into the POS system, at a minimum you should see that the portable device enumerator service going active when a USB device is plugged in and if the device is new, you should see system event log entries regarding the loading of device drivers to support the USB device. None of these actions should be seen in your log data, so if you monitor for these events, you will know that USB devices are potentially being plugged into your POS systems.
- Requirement 10.5.5 requires the use of file integrity monitoring which would catch the installation of vSkimmer as a foreign piece of software even though it masks itself as ‘svchost.exe’. This would provide a backup control for requirement 5.1 if vSkimmer changes its approach as to its file name and is not caught by the anti-virus solution.
In addition to the PCI requirements, you can do the following to increase your security in regards to vSkimmer.
- Do not allow USB devices to be connected to your POS systems. Most card terminals are RS232 devices, but USB is becoming more common. The Windows Group Policy function can be used to disable USB ports on Windows systems. There are also third party solutions that will disable USB ports. A lot of these third party solutions can offer additional granularity in what types of USB devices can be connected. This can be very advantageous when you are using USB card terminals which still need to connect, but other USB devices should not be allowed. One of my more imaginative clients hot glues the ports shut on their POS systems.
- Train your staff on the vSkimmer threat. Explain how it works and what they can do to minimize this threat such as not allowing anyone to manipulate the POS systems other than employees responsible for the care and maintenance of the systems.
- Lock your POS systems in a sealed cabinet or cage and only allow the manager on duty to have the key. This may also involve additional security on POS servers if those are also used by your POS solution.
- Periodically review video of your POS stations to determine if cashiers or other personnel appear to be manipulating the POS system.
If you adopt all of these measures, you will significantly reduce the threat presented by vSkimmer and will likely never encounter it.