I got a Tweet from a friend today regarding a new piece of malware found in the wild and dubbed ‘BlackPOS’. BlackPOS is very similar in nature to vSkimmer. Now, before everyone goes off and panics: if you are religiously following the PCI DSS, BlackPOS should not be an issue, and here is why.
- Requirement 11.5 – Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. BlackPOS does a lot of manipulation around known file names, but the hash values of those files will no longer match the known-good values, so any file-integrity monitoring system should alert on that fact. It also uses file names that would never exist on a production POS system, so their appearance should generate an alert. In addition, BlackPOS writes the captured data to a TXT file, and the creation of that file should also generate an alert. Weekly comparisons are the minimum the standard allows; if you are not alerting in real time, you should be, so that you pick up these changes as soon as they happen. This is where the bad guys are headed with their attacks, so you may as well alert the moment an incident occurs so that you can address it before it gets out of control.
- Requirement 1.1.5 – Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. BlackPOS uses FTP to move the TXT file from the POS system to the attackers' server. If you allow FTP to flow freely from your POS systems or cardholder data environment (CDE) to anywhere on the Internet, you were not PCI compliant in my opinion, even if you had some bizarre business justification on file. Outbound traffic from the CDE should be limited to the documented destinations, protocols and ports, and everything else should be denied and logged.
- Requirement 5.1 – Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). While BlackPOS was only identified today, the anti-virus vendors will most likely have signatures out by the time you read this, so as long as your signatures are kept current, your anti-virus will be looking for BlackPOS as well.
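To make the Requirement 11.5 point concrete, here is a minimal file-integrity check of the kind described above. It is an added example, not code from the original post and not any vendor's FIM product: it records a SHA-256 baseline of a directory, rescans it, and alerts on modified, new and deleted files, plus any new file whose extension is on a policy list. The directory contents, the file names and the `.txt` policy are constructed placeholders for illustration; they are not BlackPOS indicators.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed local policy: extensions that should never be created on a POS host.
# Placeholder for illustration, not a BlackPOS indicator.
DISALLOWED_EXTENSIONS = {".txt"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root: the 'known good' state."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: Path, baseline: dict) -> list:
    """Rescan root and return sorted (kind, relative_path) alerts against the baseline."""
    alerts = []
    current = build_baseline(root)
    for rel, digest in current.items():
        if rel not in baseline:
            # A file that did not exist at baseline time is itself worth an alert...
            alerts.append(("new_file", rel))
            # ...and a policy-violating name/extension is a second, louder one.
            if Path(rel).suffix.lower() in DISALLOWED_EXTENSIONS:
                alerts.append(("disallowed_extension", rel))
        elif digest != baseline[rel]:
            # Same name, different hash: the "known file name" manipulation case.
            alerts.append(("modified", rel))
    for rel in baseline:
        if rel not in current:
            alerts.append(("deleted", rel))
    return sorted(alerts)


def demo() -> list:
    """Constructed scenario: baseline a fake POS directory, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pos.exe").write_bytes(b"original POS binary")          # constructed
        (root / "config.ini").write_bytes(b"[pos]\nserver=10.0.0.5\n")  # constructed
        baseline = build_baseline(root)
        # Simulated compromise: binary replaced under its original name, plus a new TXT file.
        (root / "pos.exe").write_bytes(b"trojaned POS binary")
        (root / "dump.txt").write_bytes(b"constructed sample, no real card data")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"ALERT {kind}: {rel}")
```

This is a polling comparison, which is what the standard's weekly minimum describes; real-time alerting of the sort the post recommends needs a change-notification mechanism (inotify on Linux, ReadDirectoryChangesW on Windows, or a commercial agent) feeding the same comparison logic, and the baseline itself must be stored where a compromised host cannot rewrite it.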
Just these three requirements can stop this sort of attack. Yet, time and again, we see these attacks succeed because people are not properly implementing file-integrity monitoring and are not restricting the network traffic that flows out of their internal networks.
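The egress side of the argument (Requirement 1.1.5 above) can be checked the same way: compare observed flows leaving the CDE against the documented allow-list and flag everything else. The following is an added example, not code from the original post; the CDE subnet, the allow-list entries and the flow records are all constructed for illustration. It treats any non-allow-listed FTP flow to a non-RFC 1918 address as critical, since that is exactly the exfiltration path described for BlackPOS, and anything else leaving the CDE without a documented justification as high.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed CDE address space (placeholder, not from the original post).
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# RFC 1918 space; anything outside it is treated as Internet-bound.
# (Deliberately not ipaddress.is_global, which also classifies documentation ranges as non-global.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed documented, business-justified egress (Requirement 1.1.5): (destination, proto, port).
EGRESS_ALLOW = [
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),  # payment gateway over TLS
    (ipaddress.ip_network("10.20.0.5/32"), "udp", 53),      # internal DNS resolver
]


def in_cde(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_NETWORKS)


def is_internet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def allowed(flow: Flow) -> bool:
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.proto == proto and flow.dport == port
               for net, proto, port in EGRESS_ALLOW)


def parse_flows(lines) -> list:
    """Parse constructed flow records of the form 'src dst proto dport'; skip blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def audit_egress(lines) -> list:
    """Return (severity, flow) for every CDE-originated flow that is not on the allow-list."""
    findings = []
    for flow in parse_flows(lines):
        if not in_cde(flow.src) or allowed(flow):
            continue
        # Plaintext file transfer from a POS host to the Internet is the BlackPOS exfil pattern.
        if flow.proto == "tcp" and flow.dport in (20, 21) and is_internet(flow.dst):
            findings.append(("critical", flow))
        else:
            findings.append(("high", flow))
    return findings


# Constructed sample flow log, not real traffic.
SAMPLE_FLOWS = """
# src dst proto dport
10.10.3.21 203.0.113.10 tcp 443
10.10.3.21 10.20.0.5 udp 53
10.10.3.21 198.51.100.77 tcp 21
10.10.3.22 198.51.100.77 tcp 80
10.20.0.9 198.51.100.77 tcp 21
""".splitlines()


if __name__ == "__main__":
    for severity, flow in audit_egress(SAMPLE_FLOWS):
        print(f"{severity.upper()}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The last sample line, FTP from a host outside the CDE, is deliberately ignored: the point is that the CDE's allow-list is the thing the firewall rules should be enforcing, and a review like this against firewall or NetFlow logs shows quickly whether they actually are. The same allow-list is what the documentation required by 1.1.5 should contain, so the two can be diffed against each other.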
PCI compliance does work when you use it the way it was intended.