Card present breaches involving POS compromises or gas-pump skimmers continue to decline. Attacks against e-commerce payment applications are satisfying the financial motives of the threat actors targeting this industry.
234 incidents, 139 with confirmed data disclosure
Top 3 patterns
Web Applications, Privilege Misuse, and Miscellaneous Errors
represent 81% of breaches
External (81%), Internal (19%) (breaches)
Financial (97%), Fun (2%), Espionage (2%) (breaches)
Payment (64%), Credentials (20%), Personal (16%) (breaches)
Not such a POS anymore
Let’s jump in our DBIR time machine and travel all the way back to four years ago. It was the second year that we featured the incident classification patterns and the top pattern for Retail was POS Intrusion, along with remote compromise of point of sale environments, with all of the malware and payment card exfiltration that comes with it. Coming back to the present year’s data set in Figure 63, the times they are a-changing.
- 2019 DBIR
- A couple of tidbits
- Summary of findings
- Results and analysis
- Unbroken Chains
- Incident Classification Patterns and Subsets
- Data breaches: extended version
- Victim demographics and industry analysis
- Accommodation and Food Services
- Educational Services
- Financial and Insurance
- Professional, Technical and Scientific Services
- Public Administration
- Wrap up
- Appendices (PDF)
Essentially, Web application attacks have punched the time clock and relieved POS Intrusion of their duties. This is not just a retail-specific phenomenon – Figure 64 comes courtesy of our friends at the National Cyber-Forensics and Training Alliance (NCFTA) and their tracking of card-present versus card-not-present fraud independent of victim industry.
The above shift certainly supports the reduction in POS breaches, and to a lesser extent, Payment Card Skimming. Pay at the pump terminals at gas stations would fall into the retail industry as well. We are cautiously optimistic that EMV has diminished the value proposition of card-present fraud for the cyber-criminals in our midst. Alas, it will still not make criminal elements eschew money and move to self-sustaining communes to lead simpler lives.
One door closes, kick in another one
Attacks against e-commerce web applications continue their renaissance. This is shown in Figure 64 above as well as Figure 26 back in the Results and Analysis section. To find out more about what tactics are used in attacks against payment applications we will go back to pairings of threat actions and affected assets.
The general modus operandi can be gleaned from Table 8 below. Attacker compromises a web application, and installs code into the payment application that will capture customer payment card details as they complete their purchases. Some breaches had details that specified a form-grabber which would be categorized under Spyware/Keylogger as it is another method of user input capture. Other times limited information was provided other than a statement similar to “malicious code that harvested payment card data.” The more general functionality of capture app data was used in those instances. In reality there is likely little to no difference between the two pairings. We are also a little short on information on how the web application was compromised. If a specific method like RFI is noted, we collect it. Often it may be a general notation that a web vuln was exploited, hence the Exploit Vuln variety (new to the latest version of VERIS!). Looking at what we do know and channeling our inner William of Ockham, this general chain of events is likely: scan for specific web application vulnerabilities > exploit and gain access > drop malware > harvest payment card data > profit. We have seen webshell backdoors involved in between the initial hack and introduction of malware in prior breaches. While that action was not recorded in significant numbers in this data set, it is an additional breadcrumb to look for in detection efforts. In brief, vulnerable internet-facing e-commerce applications provide an avenue for efficient, automated, and scalable attacks. And there are criminal groups that specialize in these types of attacks that feast on low-hanging fruit.
Things to consider
Integrity is integral
The web application compromises are no longer attacks against data at rest. Code is being injected to capture customer data as they enter it into web forms. Widespread implementation of file integrity software may not be a feasible undertaking. Adding this to your malware defenses on payment sites should be considered. This is, of course, in addition to patching OS, and payment application code.
Brick and Mort(ar)y
Continue to embrace technologies that make it harder for criminals to turn your POS terminals into machines of unspeakable doom. EMV, mobile wallets – any method that utilizes a one-time trans-action code as opposed to PAN is a good thing.
Not just PCI
Payment cards are not the only data variety that would be useful to the criminally-minded community. Rewards programs that can be leveraged for the "points" or for the personal information of your customer base are also potential targets.