CenterPOS is a threatening POS (Point of Sale) threat that was initially discovered in September of 2015. POS threats have increased substantially all through 2015 and represent a real threat to consumers and businesses. High profile security issues with important retailers and millions of compromised credit cards have made it more important than ever that POS threats like CenterPOS are studied and prevented. Essentially, threats like CenterPOS are threatening because rather than affecting a single computer user, each infection has the potential to collect hundreds or even thousands of credit card numbers – each new customer's data may be compromised, which may be devastating during particularly busy shopping seasons.
Table of Contents
Initial CenterPOS Attacks and Sightings
In September of 2015, CenterPOS was discovered in a directory that included numerous other POS threats (which included variants of Alina, BlackPOS and NewPOSThings). CenterPOS is a memory scraper, meaning that it goes through running memory processes to extract credit card data from the infected computer's memory. Then CenterPOS relays this credit card information to its Command and Control server. Also, CenterPOS is known as Cerberus (this may be confusing because a high profile RAT (Remote Access Trojan), is also known as Cerberus). Currently, CenterPOS is in its version 2.0, with various preceding versions spotted in the wild. Recent additions to CenterPOS have tweaked the way it stores its Command and Control server information and the location of its configuration files and data. Recent versions of CenterPOS also use password protection and obfuscation techniques to prevent computer users from studying this threat.
How CenterPOS Carries out Its Attack
CenterPOS may extract credit card data in two different ways, which CenterPOS names 'smart scan' and 'normal scan.' The 'smart scan' mode is available in the version 2.0. Essentially, CenterPOS scans the affected computer's running file processes and, after discarding system processes and processes that are not related to card reading or processing software, CenterPOS will search all memory regions within the found memory processes looking for credit card data. 'Smart Scan' allows CenterPOS to 'learn,' using successes in the 'normal scan' to narrow down the scanning process, only performing searches in areas that had previous matches for credit card data. All data that CenterPOS finds is encrypted using TripleDES and an encryption key in its configuration file. CenterPOS will relay this data, as well as information about the infected computer to its Command and Control server at regular intervals. CenterPOS also receive instructions from its command and control server that range from instructions to quit or uninstall itself to more specific search and scanning options.
Protecting Computers and Preventing CenterPOS Attacks
POS threats such as CenterPOS are in high-demand among con artists due to the ease in which it can collect credit card information. CenterPOS is continuing to evolve, being improved constantly to make its attacks more devastating and difficult to recover from. To prevent these attacks, it is essential that businesses ensure that their computers are well protected and heir employees well- trained to prevent threat attacks and infection. The following are some steps that all businesses should take to minimize the risk of CenterPOS attacks and possible infections:
- POS computers should not be used for any activity except for POS transactions. The use of these computers for other activities may increase the risk of threats.
- Access to POS computers should be restricted to employees, and operators should be instructed on how to spot a possible intrusion or physical device. Control over who has access to the POS device is essential in preventing these kinds of attacks.
- Businesses should invest in strong anti-malware protection, IT support and monitoring to ensure that CenterPOS infections and similar attacks do not take place.