Don't think for an instant that once POS malware is defeated the first time, it's gone for good. These attacks have a habit of resurrecting themselves, with a lot of help from criminal hackers.

"The U.S. Secret Service and Trustwave researchers identified, analyzed, and named the Backoff POS malware, which has affected at least 1K businesses across the country," says Karl Sigler, Threat Intelligence Manager, Trustwave. But while the security world is buzzing about Backoff POS and the BlackPOS malware that infiltrated Target last year, other POS malware is afoot, evolving, and potentially surging and resurging at any time.

"With each POS malware success—in terms of media coverage and organizational disruption—it's also likely that attackers are contemplating even more aggressive methods of accessing valuable data," says Gregg Aamoth, Co-Founder, POPcodes and former vice president and privacy officer, Macy's, Inc.

With that, CSO opens a sort of "Pandora's Box" of POS malware strains including Dexter, Alina, vSkimmer, TriForce, and OG, examining their ilk, ebb, and flow, and outlining the solution to POS malware attacks.

Old POS malware could be new again

POS malware strains such as Dexter, Alina, and vSkimmer have been the focus of security experts since before Backoff POS, says Aamoth. Dexter infiltrated systems with stealth, stole process lists, and sorted through memory dumps to acquire payment card data. It further leveraged a command and control server. "Dexter was also the first POS malware family to add a keylogger to its toolset," says Aamoth.

Once security professionals logged Dexter's behaviors and revealed its server domains, it became less effective, so long as potential victims took note, plugged holes in security, and updated security technologies that use signatures to recognize known malware behaviors. But Dexter still threatens stores that do nothing, and it will almost certainly evolve, successfully applying new behaviors and domains to future attacks.

Alina had a number of capabilities, taking an approach similar to Dexter's. But Alina could update itself while on the infected system, making it more nimble. Though the industry has learned its behaviors, the same rules apply: it is a threat in its known form to those who do nothing, and it can evolve to envelop new behaviors, wreaking havoc again.

The vSkimmer POS malware, or virtual skimmer, updates firewall rules and makes a number of computer system changes to hide and accommodate itself. It can copy data to a USB drive when the Internet is not available for data transfers. As with other POS malware, if the enterprise doesn't take the necessary mitigation steps, it risks suffering from the current version of this attack. And the enterprise that doesn't do enough to protect itself could remain at risk to future forms of vSkimmer.

As for these warnings and premonitions, the same could be said for other POS malware including the new Soraya strain, the TOR-based Chewbacca, and Citadel. Just about any group with the right coding skills could grab one of these, introduce additions and changes, and launch new attacks using new server addresses.

POS Malware Going Out of Style

TriForce and OG are two POS malware strains that are growing less effective, each with good reason. "We still see TriForce. It was the third most prevalent POS malware in the past year," says Sigler. But TriForce has its weaknesses, stemming largely from a lack of funding. Funding is an issue with lesser POS malware.

While some criminal groups can afford to outsource their code in order to get quality programmers, others cannot. The hackers who wrote TriForce POS coded it in such a way that it eats up more system resources than it should. The lower quality work demonstrates that these hackers didn't have the funding to hire skilled coders. Once the industry became familiar with TriForce and its behaviors, its odds of success diminished.

OG POS is dated. "The OG POS malware family is four years old and has fallen out of fashion," says Sigler. Because they also lacked funding, the criminals who created OG POS built it using the tools that they could most easily access. Though OG suited their needs at the time, it never used encryption to conceal payment card data while they exfiltrated it. DLP programs can recognize the data leaving the enterprise. This weakness contributed to OG POS' ultimate downfall.

How POS malware enters

According to Sigler, criminal hackers are getting POS malware in by using brute force tools such as Medusa or THC-Hydra in automated attacks against the poor login credentials of the third-party vendors that support POS systems remotely. "A lot of businesses buy or rent POS systems and count on those vendors for support," says Sigler. The third-party vendors connect remote desktop software such as LogMeIn, Chrome Remote Desktop, and Apple Remote Desktop to the POS systems they support. These POS system vendors often use easily guessed usernames and passwords with this software, which are the kinds of credentials that brute force tools look for.

To find the remote desktop software and its login pages, hackers scan networks using free, off-the-shelf (OTS) port-scanning tools, looking for live IP addresses where the ports for remote desktop software are open. "They even use botnets to do the scanning for them," says Sigler.

Why POS malware is effective, and what to do about it

"These third-party vendors are not in the security business. They want to provide service in the most cost-beneficial manner they can. Security doesn't demonstrate an up-front benefit. They can't say they saved X amount of money by using security. It takes a few successful attacks for them to learn to apply basic security," says Sigler.

But any business, including the third-party vendors that serve stores' POS systems, can take measures to block POS malware attacks. First, they should assign strong passwords to remote access software and to the PCs that house this software. By using longer, stronger passwords that are not common and that no one in the organization has previously used, companies can circumvent the password dictionaries inside brute force attack software. Employees should not document, share, or disclose any passwords. It is a good idea for these vendors to update passwords regularly. "Two-factor authentication methods increase the security of passwords that attackers can compromise," says Sigler.

Third-party vendors should use only select computers, set aside for technical support, to connect to POS systems with remote access software. Only authorized personnel should be able to access these computers. No one should use these computers for web browsing or any purpose other than as the company intends. A good firewall should help with that.

To detect POS malware, POS system vendors should monitor outbound network traffic and any traffic intended for systems outside their control, according to Sigler.
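The entry path Sigler describes, automated password guessing against remote-access accounts, leaves a distinctive trace in authentication logs: a burst of failed logins from one source, sometimes followed by a success. The following detector is an added example written for this article, not code from CSO, Trustwave or any of the remote-access products named above. The log format it parses (timestamp, result, user, source, service) is a constructed, simplified one, and the hosts and addresses in the sample lines are made up.

```python
"""Flag credential brute-forcing against remote-access logins.

Added example, not from the CSO article. The log line format below is a
constructed simplification (timestamp, FAIL/OK, user, source IP, service),
not the native format of LogMeIn, RDP or any other named product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)

# Constructed sample: a guessing burst from 203.0.113.7 against the vendor's
# "support" account that ends in a successful login, plus a normal login from
# the vendor's own support workstation (one typo, then success).
SAMPLE_LOG = """\
2014-09-02T09:58:00Z FAIL user=support src=192.0.2.10 svc=rdp
2014-09-02T09:58:05Z OK user=support src=192.0.2.10 svc=rdp
2014-09-02T10:00:01Z FAIL user=support src=203.0.113.7 svc=rdp
2014-09-02T10:00:02Z FAIL user=support src=203.0.113.7 svc=rdp
2014-09-02T10:00:03Z FAIL user=support src=203.0.113.7 svc=rdp
2014-09-02T10:00:04Z FAIL user=support src=203.0.113.7 svc=rdp
2014-09-02T10:00:05Z FAIL user=support src=203.0.113.7 svc=rdp
2014-09-02T10:00:06Z FAIL user=support src=203.0.113.7 svc=rdp
2014-09-02T10:00:30Z OK user=support src=203.0.113.7 svc=rdp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for login-guessing activity.

    A 'burst' alert fires once per source when at least `threshold` failures
    from it fall inside a sliding window of `window_seconds`. A
    'success_after_burst' alert fires when a source that already triggered a
    burst then logs in successfully, which is the case worth paging on.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # src -> timestamps of recent FAILs
    bursting = set()                      # sources that already alerted
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"kind": "burst", "src": src, "user": ev["user"],
                               "count": len(q), "ts": ts})
        elif src in bursting:
            alerts.append({"kind": "success_after_burst", "src": src,
                           "user": ev["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Threshold and window are the tuning knobs: a real deployment would set them from the vendor's own baseline of failed logins, and would feed the alerts into whatever blocks the source or forces the second authentication factor Sigler recommends.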
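Sigler's closing advice, monitoring outbound traffic for systems outside the vendor's control, and the earlier observation that DLP tools caught OG POS because it exfiltrated card data in the clear, can both be reduced to two checks on each outbound connection from a POS host: is the destination one the host is expected to talk to, and does the payload carry card-number-shaped data. The script below is an added example, not code from the article or from any DLP product; the allowlist, host names, addresses and connection records are constructed, and the card numbers are the standard Luhn-valid test numbers, not real accounts.

```python
"""Review outbound connections from POS hosts for unexpected destinations and
cleartext card data.

Added example, not from the CSO article. The destination allowlist and the
connection records are constructed; in practice they would come from firewall
or proxy logs and from a packet capture or DLP sensor.
"""
import re

# Constructed allowlist: the payment processor and the vendor's support host.
ALLOWED_DESTINATIONS = {("198.51.100.20", 443), ("198.51.100.21", 443)}

# 13-19 digit runs not embedded in a longer digit run (candidate PANs), and
# the PAN=YYMM shape that magnetic-stripe track-2 data takes.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")

# Constructed connection records: lane 02 posts track data to an unknown
# host; lane 03 sends a ticket number that merely looks like a PAN.
SAMPLE_CONNECTIONS = [
    {"src": "pos-lane-01", "dst": "198.51.100.20", "dport": 443,
     "payload": "<tls record, opaque>"},
    {"src": "pos-lane-02", "dst": "203.0.113.50", "dport": 80,
     "payload": "POST /gate.php data=4111111111111111=1412101;5555555555554444=1510101"},
    {"src": "pos-lane-03", "dst": "198.51.100.21", "dport": 443,
     "payload": "ticket 1234567890123456 status=open"},
    {"src": "pos-lane-01", "dst": "203.0.113.9", "dport": 443,
     "payload": "GET / HTTP/1.1"},
]


def luhn_ok(digits):
    """Luhn check digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(text):
    """Return the distinct Luhn-valid PANs found in cleartext, sorted."""
    return sorted({m.group(1) for m in PAN_RE.finditer(text)
                   if luhn_ok(m.group(1))})


def review_connections(records, allowed=ALLOWED_DESTINATIONS):
    """Return (src, dst, dport, reasons) for each connection worth a look."""
    findings = []
    for r in records:
        reasons = []
        if (r["dst"], r["dport"]) not in allowed:
            reasons.append("unexpected destination")
        pans = find_card_data(r["payload"])
        if pans:
            reasons.append(f"{len(pans)} Luhn-valid PAN(s) in cleartext")
        if TRACK2_RE.search(r["payload"]):
            reasons.append("track-2 formatted data")
        if reasons:
            findings.append((r["src"], r["dst"], r["dport"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_connections(SAMPLE_CONNECTIONS):
        print(finding)
```

The destination check is the one that still works once malware encrypts its uploads, which is why the article's advice leads with it; the payload checks are the cheap win against families that, like OG, never bothered. The Luhn filter is what keeps ticket and order numbers out of the alert queue.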