The Case of the Mistaken Malware


Forensic Files Series

Business background

A small retailer operates one main store, multiple satellite stores, and two corporate offices.

All sites connected to the same card processing environment.

Business background

During a routine anti-virus log review, an in-house IT staff member found the Sirefef rootkit at a satellite store.

What is a rootkit?

A rootkit is malicious software built to hide its own presence (its files, processes, and network connections) and to persist, loading each time the system boots.

Kernel-mode rootkits are difficult to detect because they run at the operating system's kernel level and load before the system has completely booted, so they can subvert the very tools, anti-virus included, that are later used to look for them.

How hackers got in

The attackers compromised the credentials for the retailer's remote access application, LogMeIn.

With that access they installed Sirefef, a sophisticated rootkit that can send spam or capture sensitive information such as passwords or credit card data.

Forensic investigator findings

The investigator found that the Sirefef rootkit had not actually stolen customer credit card data.

Further investigation revealed a memory scraper called Alina, installed by the same attacker and designed specifically to capture payment card data from POS terminals. The malware the retailer had found was not the malware that caused the breach.

What is a memory scraper?

A memory scraper is malware that reads, or 'scrapes', sensitive data out of system memory (RAM) and sends it back to the attacker. On a POS terminal, card data sits briefly in cleartext in the payment application's memory between the swipe and encryption for transmission, and that is the moment a scraper copies it.

The Alina memory scraper can update itself to newer versions to evade detection, and can automatically reinstall itself in a different location if it is deleted.

What the business did wrong

The retailer did not use two-factor authentication to secure remote access into the main store, the satellite stores, and the corporate offices.

What’s 2-factor authentication?

Two-factor authentication is an extra layer of security that requires, in addition to a username and password (something the user knows), a second factor: something only the user has (a hardware token or a one-time code generated on their phone) or something the user is (a fingerprint). A stolen password alone, as with the LogMeIn credentials here, is then not enough to log in.

What the business did wrong

Although IT staff regularly reviewed anti-virus logs, they did not regularly update the anti-virus software or apply system security patches.

What the business did wrong

In addition, the card processing environment was not segmented from the network carrying routine Internet traffic, which gave anything on the business network, including the attacker's remote access session, a path to the POS terminals.

SecurityMetrics
