Criminals have developed a new family of point-of-sale malware that hides in plain sight, riding along with core processes inside Microsoft Corp.’s Windows operating system, says Chicago-based Trustwave Holdings Inc., which uncovered the malware during a recent U.S. Secret Service investigation.
Dubbed “Punkey” because of the “unkey” command within its code that is used to send the stolen data to the criminal’s command and control server, and as a play on 1980s sitcom Punky Brewster, the malware nests itself within the explorer process that is a fundamental element of Windows, Karl Sigler, Trustwave threat intelligence manager, tells Digital Transactions News. The process enables browsing of files and data on a computer.
“The malware injects itself into that large process,” Sigler says, “so it never looks like an individual piece of software running.” Once infected, Punkey begins collecting cardholder data. The malware also gathers keyboard inputs via a keylogging component, which can gather user names and passwords. Punkey can capture 200 keystrokes at a time, Trustwave says.
Not only does the malware upload stolen data, but it can also download updates, which is unusual among POS malware, Trustwave says. To date, Trustwave says more than 75 Internet protocol addresses are affected by Punkey, but it does not know the number of affected businesses.
Though Sigler would not disclose more specifics about Punkey because of the ongoing investigation, in general POS systems can be infected with malware via remote access or downloading an installer file. “Lots of these remote access pieces of software have very poor credentials,” Sigler says. “Criminals are breaking these poor passwords. Once they get access they are installing their malware.”
Punkey, though it seems to be built on existing code, has enough adaptations to warrant labeling it a new family of malware, Sigler says.
Punkey, however, gives itself away. “The programmers weren’t that savvy,” Sigler says. Trustwave engineers were able to decrypt some of the traffic the malware sent. “They did their best to hide themselves, but the programming errors they sort of accidentally exposed allowed us to get that analysis done.”
POS malware is particularly troublesome because of the wealth of sensitive data it can access and the stealth of the software.
“POS malware has really skyrocketed in the past one-and-a-half years mainly because criminals are finding money there,” Sigler says. “We have seen a spike in POS malware in general. We have also seen criminal organizations create their own POS malware families so they don't have to use something developed by others or that’s been blocked already.”
The “Verizon 2015 PCI Compliance Report” said 2014 saw the first cross-platform malware in the wild, meaning malware is no longer just a Windows problem. Indeed, merchants appear to struggle with complying with the PCI data-security standard requirement that mandates regular use and updating of antivirus software and malware protection. Average compliance with this piece of the standard was 92% in 2014, down from 96% in 2013, Verizon says.