National Retail Chain Point-of-Sale Breach
CASE STUDY
Point-of-Sale Breach at a Major National Retail Chain
Tags
Credit card theft, point-of-sale, retail, breach, compromise, incident response, computer forensics, digital forensics, incident management, forensics expert
Background
The CIO of a national retail chain contacted their attorney, who requested that Maryman assist with an investigation. The company was alerted by their internet service provider (ISP) that several of their systems were sending spam emails. The company’s internal review determined that all the identified systems were retail point-of-sale (POS) systems. Sending emails was not a part of the retail POS system roles, and Maryman was asked to investigate the root cause of the spam emails.
Scope
Preservation
The Maryman team went onsite to each of the locations to determine the exact type of system that was running the POS system. Luckily, the systems were all commercial off-the-shelf (COTS) parts that were configured together to run the POS software on a Windows platform. The systems were managed by the POS vendor, including antivirus, anti-malware, host firewall, and updates.
Due to the sensitivity of the environment and the nature of the information, the Maryman team also collected an extended period of network logs to aid in the investigation.
Analysis and Findings
The analysis quickly determined that there was a systemic problem that went beyond just spam email. Over a dozen unique pieces of malware were discovered, ranging from backdoors and credit card skimmers to spam relays and full rootkits. Further, there were indications that network traffic was destined for many countries in Eastern Europe, the Middle East, Africa, and Asia.
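The two signals that surfaced in this case, POS terminals sending mail and egress to countries the retailer had no business with, are both visible in ordinary egress logs. The following is an added example (not Maryman's tooling or the retailer's logs) that walks constructed firewall lines and flags POS hosts on either signal; the POS subnet, the allowed-country list and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample egress log lines (not from the case study):
# timestamp src_ip dst_ip dst_port dst_country
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.20.1.11 203.0.113.5 443 US
2024-03-01T10:00:07 10.20.1.11 198.51.100.22 25 RO
2024-03-01T10:00:09 10.20.1.11 198.51.100.23 25 RO
2024-03-01T10:01:15 10.20.1.12 203.0.113.5 443 US
2024-03-01T10:02:40 10.20.1.12 192.0.2.77 587 UA
2024-03-01T10:03:02 10.20.1.13 203.0.113.5 443 US
2024-03-01T10:03:30 10.20.1.13 192.0.2.90 8443 NG
"""

POS_SUBNET_PREFIX = "10.20.1."   # assumption: POS terminals live in this range
MAIL_PORTS = {25, 465, 587}       # a POS terminal has no reason to speak SMTP
ALLOWED_COUNTRIES = {"US"}        # assumption: retailer expects domestic egress only

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) ([A-Z]{2})$")

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, cc = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "cc": cc}

def find_anomalies(log_text):
    """Return {pos_host: sorted reasons} for POS hosts that sent mail
    or reached a destination country outside the allowed set."""
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["src"].startswith(POS_SUBNET_PREFIX):
            continue
        if rec["port"] in MAIL_PORTS:
            findings[rec["src"]].add(f"outbound mail to {rec['dst']}:{rec['port']}")
        if rec["cc"] not in ALLOWED_COUNTRIES:
            findings[rec["src"]].add(f"egress to unexpected country {rec['cc']}")
    return {src: sorted(reasons) for src, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in find_anomalies(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

In a real deployment the same check belongs on the egress firewall as a deny rule for SMTP from the POS VLAN, with the log match used to alert on the attempt.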
The POS vendor, per their contract, was supposed to be patching and maintaining the retailer’s systems. However, the Maryman team found that the latest update was run 18 months prior and the most recent malware definitions were retrieved 24 months prior. When confronted, the vendor replied, “Any system updates could have caused problems with the POS software, so we decided not to install the updates.”
Additionally, in testing, it was discovered that the anti-malware software chosen by the POS vendor was subpar. Even with the most recent definitions, the anti-malware software would not have detected half of the malware discovered by the Maryman team on the infected systems.