Payment Cards, Names and Biometric Data Compromised by Old-School POS Malware
Avanti Markets is warning users of its self-service kiosk vending machines that malware-wielding attackers infected an unspecified number of machines and appear to have stolen payment card data and biometric information, among other sensitive information.
According to a security firm that detected related data exfiltration by the malware on July 4, it appears that a version of point-of-sale malware called Poseidon was used in the attack.
Avanti Markets on Friday issued a data incident notification, saying that on July 4, it discovered that attackers had employed “sophisticated malware” to steal some payment card users’ first and last names, credit or debit card numbers and card expiration dates. “In addition, users of the Market Card option may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality.”
The company, which markets itself as a “micro market provider,” aims its kiosks at corporate lunch areas and “break rooms.” Its Market Card as well as an accompanying app – for iPhone and Android devices – enables users to load cash, or funds via payment cards, onto a dedicated card.
According to the firm’s website, its devices are used by 1.6 million customers in 46 states, who collectively purchase 200 million products per year. The company, based in Tukwila, Washington, was founded in 2009 as Evergreen Vending.
But not all kiosks were affected by the malware outbreak, the company says, noting that different models run different software.
Avanti Markets says it immediately launched an investigation into the breach after it was detected, brought in a third-party incident response firm and notified the FBI. It says that remediation remains underway and that the malware outbreak has not yet been eradicated.
“We have shut down payment processing at some locations and are working with our operators to purge impacted systems of any malware from the attack and take steps to substantially minimize the risk of a data compromise in the future,” it says. The company has also promised to publish more extensive details as soon as possible, offer prepaid credit monitoring services to all affected individuals and set up a call center for victims (see Data Breach Notifications: What’s Optimal Timing?).
The company says that it does not yet know how the breach occurred. Information Security Media Group could not immediately reach the company for further details, including how many individuals may have been affected by the breach or payment cards compromised or how it discovered the attack. It’s also not clear what risk users might face if their biometric details were compromised (see Stolen OPM Fingerprints: What’s the Risk?).
The firm says many of its kiosks were transmitting sensitive information as plaintext.
“We are in the middle of implementing an end-to-end encryption solution for all of our kiosks, and are working on expediting that implementation,” the company’s breach notification says. “Theft of data and similar incidents are difficult to prevent in all instances, however, we will be reviewing our systems and making improvements where we can to minimize the chances of this happening again.”
News of the breach was first reported by cybersecurity blogger Brian Krebs.
Cybersecurity Firm Detected Attack
It appears likely that Avanti Markets first learned about the attack via cybersecurity firm RiskAnalytics, based in Leawood, Kansas.
Noah Dunker, director of the RiskAnalytics security labs, says in a blog post that his company “identified a break room vending kiosk at a customer’s office that had been infected with a point-of-sale malware family that’s been called PoSeidon and FindPOS by various vendors since its initial discovery in 2015.”
Writing about the malware in 2015, Cisco Talos said Poseidon was designed to be “quick and evasive” and includes both a keylogger and a memory scraper: the scraper watches POS device memory for payment card data, which the malware then intercepts and exfiltrates.
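To make the memory-scraping step concrete, here is a small added example (written for this article, not PoSeidon's own code nor anything from the Cisco Talos analysis) of how a scraper recognises card data inside a process's memory: it searches a byte buffer for magnetic-stripe Track 1 and Track 2 layouts and keeps only candidates whose PAN passes the Luhn check, which is what separates real card numbers from random digit runs. The buffer below is a constructed stand-in for a dump of a POS process; the function names, the sample PANs (standard test numbers) and the cardholder name are assumptions for illustration. Run the same logic as a defender over a process dump or packet capture and it doubles as a quick check for cleartext card data leaving a kiosk.

```python
import re

# Magnetic-stripe layouts as they appear in memory (ASCII):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
# PANs are 13-19 digits; the sentinels (%, ;, ^, =, ?) are what a scraper keys on.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})[^\?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^\?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: true for every syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, for safe logging of a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape(buf: bytes) -> list:
    """Return every Luhn-valid track record found in buf, with its offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode("ascii", "replace"),
                         "exp": m.group(3).decode("ascii")})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "exp": m.group(2).decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "memory": a process name, one Track 1 record, some
# unrelated text, one Track 2 record, and a Track 2 lookalike whose PAN
# fails Luhn (the kind of false positive the check is there to drop).
SAMPLE_MEMORY = (
    b"\x00\x00PosTerminal.exe\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b"\x00\x00order_id=8731;"
    b";5500000000000004=2503101000000000?"
    b"\x00"
    b";4111111111111112=2503101000000000?"   # not Luhn-valid: ignored
    b"\x00"
)

if __name__ == "__main__":
    for hit in scrape(SAMPLE_MEMORY):
        print("track %d at offset %d: %s exp %s" %
              (hit["track"], hit["offset"], mask_pan(hit["pan"]), hit["exp"]))
```

The regexes are deliberately loose about the service code and discretionary data because those vary by issuer; the Luhn test carries the real discrimination. Note that nothing here needs privileged access: a scraper running as the POS application's user, or as an update pushed by a trusted vendor, sees exactly this data the moment a card is swiped, which is why end-to-end (point-to-point) encryption at the reader, rather than antivirus on the kiosk, is the control that actually removes it.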
Dunker confirmed to Krebs that the attack his firm saw involved an Avanti Markets kiosk. Dunker says the malware not only matched Poseidon, but was using an SSL certificate that, according to the Abuse.ch SSL Blacklist, has long been used for other malware, including 2015 TorrentLocker ransomware attacks.
The malware appeared to be distributed to kiosks via a software update issued by Avanti Markets, Dunker says in his blog post. “The kiosks and the break room supplies (such as drinks, candy, chips and other snacks) are often installed and maintained by local Value-Added-Resellers,” he says. “In our analysis of the incident, it seems most likely that the larger vendor [Avanti Markets] was compromised, and some or all of the kiosks maintained by local vendors were impacted.”
Dunker says his firm was still trying to notify “at least two smaller vendors with local operations that have been impacted in two different cities” but says names are being withheld until it’s able to do so.
Avanti Markets appeared to time the release of its data breach notification to occur on a Friday in an attempt to minimize news coverage and capitalize on the fact that fewer people may be following news outlets on Saturday. Many businesses as well as politicians have long pursued this strategy (see Chipotle: Hackers Dined Out on Most Restaurants).
‘Sophisticated Malware’ Blamed
Avanti Markets is the latest organization to claim not just that it was attacked with malware, but that the attack code was sophisticated. Kmart, for example, recently claimed that its point-of-sale systems were infected with malware that “was undetectable by current anti-virus systems and application controls” (see Kmart Confirms Breach at Unspecified Number of Stores).
In general, however, security experts say that POS malware – including Poseidon – is relatively simple, and that too many organizations fail to change default passwords on devices or to ensure the devices only run on segmented networks (see Why POS Malware Still Works).
According to Dunker’s analysis of the Avanti Markets outbreak, for example, the malicious traffic being sent by Poseidon-infected kiosks “matched the format identified by Cisco” in its analysis of 2015-era Poseidon malware.