Channel: SecurityMetrics Blog

Caveat merchant: new keylogger stealing credit card data

Just in time for holiday shopping, the forensics team at SecurityMetrics has discovered a new keylogger that is being used to pilfer cardholder information. The new hacking tool – Logixoft’s Revealer Keylogger – isn’t yet being flagged as malware by most antivirus products, so even merchants with up-to-date antivirus protection might get burned. Here’s the story.

Revealer works like the Blazing Tools Perfect Keylogger that hackers have been using for the past couple of years. If a hacker is able to bypass a business’ access controls, he (or she) can install Revealer on the card terminal’s payment application. Revealer captures the card data as it is entered into the terminal, whether the card is swiped or the number is keyed in manually. The stolen card data is then emailed or FTP’ed out of the system. Suddenly you’ve got a data breach.

We have also recently seen hackers installing multiple versions or copies of keyloggers like Revealer in different locations on the merchant’s system and under a variety of file names. They are apparently doing this in an attempt to avoid detection, thinking or hoping that not all of their malware iterations will be found and removed.
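Because the copies described above share the same content but not the same name or location, a cleanup that relies on file names will miss some of them. The script below, an added example and not SecurityMetrics’ own tooling, sweeps a directory tree and groups files by SHA-256 so that every renamed copy of the same binary surfaces together. The directory layout, file names and file contents are constructed stand-ins; no real malware or indicator values are embedded.

```python
"""Find renamed copies of the same binary under a directory tree.

Added example (not SecurityMetrics' tooling). Antivirus and manual cleanup
that key on file names miss copies planted under other names and
directories; grouping files by content hash finds every copy regardless
of what it is called or where it sits.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample content standing in for an unwanted executable and for
# an unrelated benign file. These are placeholders, not real samples.
SAMPLE_SUSPECT = b"\x4d\x5a constructed stand-in for an unwanted executable"
SAMPLE_BENIGN = b"constructed benign configuration file"


def hash_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_duplicate_groups(root: str) -> dict:
    """Map SHA-256 -> sorted list of paths for every content seen more than once."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                by_hash[hash_file(path)].append(path)
            except OSError:
                continue  # unreadable file; skip it rather than abort the sweep
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def build_sample_tree(root: str) -> None:
    """Plant constructed files mimicking one binary under several names/locations."""
    layout = {
        "pos/svchost_update.exe": SAMPLE_SUSPECT,   # constructed name
        "pos/drivers/rvl.dll": SAMPLE_SUSPECT,      # constructed name
        "temp/readme.txt": SAMPLE_SUSPECT,          # constructed name
        "pos/terminal.ini": SAMPLE_BENIGN,          # unrelated file, must not be grouped
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample tree in a temp dir and return the duplicate groups found."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        groups = find_duplicate_groups(root)
        # Report paths relative to root so the output does not depend on the temp dir.
        return {h: [os.path.relpath(p, root) for p in paths] for h, paths in groups.items()}


if __name__ == "__main__":
    for digest, paths in demo().items():
        print(f"{digest[:16]}... appears {len(paths)} times:")
        for p in paths:
            print("   ", p)
```

Run it against a real system by calling `find_duplicate_groups()` on the payment workstation’s drive root; any executable content that turns up under several unrelated names is worth a closer look even before an AV signature exists for it.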

Initially, AV products ignored the Blazing Tools keylogger because it’s a commercial product that is advertised as a way to monitor employee or child activities. Now most AV products identify that keylogger as possible malware, but to date we know of only one AV vendor that has put Revealer on their watchlist. We are informing all of the major antivirus vendors about the problem, so hopefully that will change soon.

Meanwhile, the best defense against Revealer is to keep hackers out of your system in the first place, using the same access control measures required to conform to the Payment Card Industry Data Security Standard (PCI DSS). Harden your system to prevent unauthorized remote users. Use complex passwords with alphanumeric and special characters. Be sure to change the default password that comes with your payment software. Avoid an always-on VPN connection if you can, and ensure that all remote access requires two-factor authentication.

Also, on the outbound side, use defense mechanisms to prevent hackers from exporting harvested data via FTP or a covert SMTP server. Segment your network at the firewall so that payment and business applications aren’t on the same segment. Then filter all of your outbound Internet traffic so that data from your payment application can only go to your processor or other trusted destinations. Since processors no longer require an FTP option, disallow FTP traffic for your payment application, and treat any other outbound protocol the payment application has no business using the same way.
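The outbound policy above can be checked against the firewall’s own connection log, which is also how a keylogger’s exfiltration attempts show up when the firewall is not yet blocking them. The following script is an added example, not SecurityMetrics’ code: it applies a constructed egress policy (a payment segment that may reach only an allowlisted processor gateway, with FTP and SMTP never permitted) to constructed log lines. The addresses, ports, log format and allowlist are all assumptions for illustration.

```python
"""Check outbound connections from a payment segment against an egress allowlist.

Added example (not SecurityMetrics' code). Implements the outbound policy
described in the post as a check over firewall connection log lines:
payment-segment hosts may only reach the processor allowlist, and FTP or
SMTP from that segment is flagged regardless of destination.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed policy: the payment segment and the only destinations it may reach.
# 203.0.113.0/24 is documentation address space standing in for the processor.
PAYMENT_SEGMENT = ipaddress.ip_network("10.10.20.0/24")
PROCESSOR_ALLOWLIST = {
    ("203.0.113.10", 443),   # stand-in for the card processor's gateway
    ("203.0.113.11", 443),   # stand-in for its failover gateway
}
# Ports that should never leave the payment segment (FTP control, SMTP).
BLOCKED_PORTS = {21: "ftp", 25: "smtp"}

# Constructed log format: timestamp, source, destination, destination port, protocol.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one permitted connection, three policy violations,
# one connection from the business segment, and one unparseable line.
SAMPLE_LOG = """\
2009-12-20 10:15:01 src=10.10.20.5 dst=203.0.113.10 dport=443 proto=tcp
2009-12-20 10:15:07 src=10.10.20.5 dst=198.51.100.77 dport=21 proto=tcp
2009-12-20 10:16:30 src=10.10.20.5 dst=198.51.100.78 dport=25 proto=tcp
2009-12-20 10:17:02 src=10.10.20.9 dst=192.0.2.200 dport=8080 proto=tcp
2009-12-20 10:18:45 src=10.10.30.4 dst=198.51.100.77 dport=21 proto=tcp
this line is not in the expected format
""".splitlines()


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str):
    """Return (ts, src, dst, dport, proto) or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto")


def check_egress(lines) -> list:
    """Return a Finding for every payment-segment connection that violates policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real deployment would count these
        ts, src, dst, dport, _proto = rec
        if ipaddress.ip_address(src) not in PAYMENT_SEGMENT:
            continue  # business segment; outside this policy's scope
        if dport in BLOCKED_PORTS:
            findings.append(Finding(ts, src, dst, dport,
                                    f"{BLOCKED_PORTS[dport]} from payment segment"))
        elif (dst, dport) not in PROCESSOR_ALLOWLIST:
            findings.append(Finding(ts, src, dst, dport,
                                    "destination not on processor allowlist"))
    return findings


if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The same allowlist that drives this check is what the firewall’s outbound rules for the payment segment should express: permit the processor entries, deny everything else. Running the check over the log then confirms the rules are actually in effect rather than merely documented.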

Keyloggers are particularly lethal, and external vulnerability scans don’t usually pick them up. It’s just the nature of the beast. But following standard procedures for protecting your card data can help hold the fort against Revealer and any other new keystroke recorder that comes along. You don’t leave your office door unlocked. The same caution should apply to your payment systems.

Posted on December 22, 2009 by Dave Ellis, Director of Forensics
