Stealing payment data and credentials is a common goal for cybercriminals, and point-of-sale (POS) systems are among their primary targets. Recent large retail breaches have shown that older POS systems are no longer adequate and need modern protection. A growing problem is that, once inside a merchant network, attackers use POS APIs and partner connections to commit fraud.
This article looks at DNS-based methods for detecting and stopping fraudulent abuse of POS APIs. Even when the endpoints themselves are locked down, DNS traffic can signal that fraud is being attempted. Analyzing DNS requests and matching them against indicators of compromise lets defenders detect and stop attacks on POS systems as they unfold.
The State of POS Security

The transition to EMV chip cards in the US has pushed criminals away from straightforward card counterfeiting and toward more targeted attacks on the POS endpoints themselves. This shift has created demand for robust security solutions, prompting many businesses to partner with a POS software development company to safeguard their POS endpoints.
While major retailers have invested heavily in POS security over the past decade, many small and mid-sized merchants still operate outdated payment environments. Shred-it’s POS security study, for example, found that 87% of breaches in the hospitality industry originated at the POS.
Legacy POS hardware and software often carry unpatched vulnerabilities that let attackers gain a foothold inside merchant networks. From there, adversaries move laterally through the internal network and target POS APIs or partner connections to conduct fraudulent transactions. Such activity can continue for months without detection, because criminals take pains to minimize their footprint.
Abusing POS APIs
In compromised merchant environments, attackers are increasingly abusing POS APIs and partner connections to quietly conduct fraudulent transactions. APIs allow POS systems to integrate with other applications both internally and with external partners. Common examples include:
- Order-ahead mobile apps that allow customers to pre-pay for goods
- Inventory management and supply chain software
- Accounting platforms
- Loyalty and gift card programs
- Services offering analytics on customer purchase data
While these integrations provide business value, they also add attack surface. Adversaries that have infiltrated the merchant's network scan and probe these APIs for weaknesses that let them hijack legitimate integrations. Once connected, criminals can manipulate transactions as they please, for example issuing themselves fraudulent refunds and discounts.
In many cases, such API abuse leaves very little evidence of compromise in the POS itself. The transactions originate from valid partner servers and look normal on the surface. Without robust logging and threat analytics, this technique can siphon large sums over time with minimal detection risk.
Catching API Fraud with DNS Traffic Analysis
So, how can merchants detect abuse of POS APIs by a determined attacker? One technique is to analyze Domain Name System (DNS) traffic for lookups of attacker-controlled domains originating from the POS environment.
DNS translates human-readable names such as "example.com" into the IP addresses that machines actually connect to. Almost every outbound connection, whether from a browser, a business application or malware, therefore begins with a query to the organization's DNS resolvers.
An attacker who has compromised POS infrastructure usually needs to reach an external server, for command and control (C2) or to send out stolen data, and that server is typically addressed by name. In most enterprise environments the resolvers log every query, so this traffic is available for security review.
By analyzing the logged queries and cross-referencing them against known malicious domains and other fraud indicators, it is possible to spot signs of compromise without any visibility into the endpoints themselves. Automated classifiers can flag suspicious domains, for example newly registered names, algorithmically generated names, or domains seen in earlier campaigns against payment environments, and security analysts can then investigate further.
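The detection logic described above, as an added Python example that is not code from the article or from any vendor's platform: it parses a constructed DNS query log, matches each query's registrable domain against a constructed indicator list, flags domains registered within a week of the query (a constructed registration table stands in for an RDAP/WHOIS lookup), applies a crude entropy-and-vowel heuristic for algorithmically generated names, and looks for evenly spaced queries from one client to one domain, the polling pattern typical of C2 beacons. The log format, hosts, domains and thresholds are all assumptions made for the example.

```python
"""Detection rules over DNS query logs from a POS network segment.
Added illustration, not code from the article; the log format, threat feed,
registration dates and thresholds are all constructed for this example."""
import math
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed query log, one query per line: <UTC time> <client IP> <qname> <qtype>.
SAMPLE_LOG = """\
2024-03-12T10:01:03Z 10.20.5.11 api.partner-loyalty.example A
2024-03-12T10:01:09Z 10.20.5.11 xk3j9q2ldfz8a.example A
2024-03-12T10:01:40Z 10.20.5.12 updates.accounting-vendor.example A
2024-03-12T10:02:09Z 10.20.5.11 xk3j9q2ldfz8a.example A
2024-03-12T10:02:11Z 10.20.5.13 pos-sync.newshop-orders.example A
2024-03-12T10:03:09Z 10.20.5.11 xk3j9q2ldfz8a.example A
2024-03-12T10:03:15Z 10.20.5.13 c2.known-bad.example TXT
"""
# Constructed threat intelligence; hypothetical domains throughout.
KNOWN_BAD = {"known-bad.example"}
REGISTRATION_DATES = {                       # stand-in for an RDAP/WHOIS lookup
    "partner-loyalty.example": "2015-06-01",
    "accounting-vendor.example": "2012-02-14",
    "newshop-orders.example": "2024-03-12",  # registered the day it was queried
    "known-bad.example": "2024-03-01",
}
NEW_DOMAIN_DAYS = 7       # registered within a week of the query => suspicious
ENTROPY_THRESHOLD = 3.5   # bits per character of the registrable label
MIN_DGA_LABEL_LEN = 12
MAX_VOWEL_RATIO = 0.25    # algorithmically generated labels are usually vowel-poor
BEACON_MIN_QUERIES = 3
BEACON_MAX_CV = 0.1       # stdev/mean of query intervals; 0 means perfectly periodic
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return events

def registrable_domain(qname):
    """Last two labels; a production rule set should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_like_dga(domain):
    """Crude DGA heuristic: long, high-entropy, vowel-poor registrable label."""
    label = domain.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= MIN_DGA_LABEL_LEN
            and shannon_entropy(label) >= ENTROPY_THRESHOLD
            and vowels / len(label) < MAX_VOWEL_RATIO)

def domain_age_days(domain, when):
    reg = REGISTRATION_DATES.get(domain)
    if reg is None:
        return None
    return (when - datetime.strptime(reg, "%Y-%m-%d").replace(tzinfo=timezone.utc)).days

def is_beaconing(timestamps):
    """Evenly spaced queries from one client to one domain suggest C2 polling."""
    if len(timestamps) < BEACON_MIN_QUERIES:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_CV

def detect(events):
    """Return deduplicated findings as dicts with rule, client and domain."""
    findings, by_pair = set(), defaultdict(list)
    for ev in events:
        dom = registrable_domain(ev["qname"])
        by_pair[(ev["client"], dom)].append(ev["ts"])
        if dom in KNOWN_BAD:
            findings.add(("known_bad", ev["client"], dom))
        age = domain_age_days(dom, ev["ts"])
        if age is not None and 0 <= age <= NEW_DOMAIN_DAYS:
            findings.add(("newly_registered", ev["client"], dom))
        if looks_like_dga(dom):
            findings.add(("dga_like", ev["client"], dom))
    for (client, dom), stamps in by_pair.items():
        if is_beaconing(stamps):
            findings.add(("beaconing", client, dom))
    return [{"rule": r, "client": c, "domain": d} for r, c, d in sorted(findings)]

if __name__ == "__main__":
    print(*detect(parse_log(SAMPLE_LOG)), sep="\n")
```

On the sample log, the two legitimate partner domains produce no findings, while the host 10.20.5.11 is flagged twice for the same random-looking domain (DGA-like name and sixty-second beaconing), which is the kind of corroboration that justifies isolating a POS host. The thresholds are deliberately simple; in practice they are tuned against a baseline of the merchant's own traffic, and the newly-registered check is the same "registered that same day" indicator cited in the case study later on this page.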
Compared to endpoint controls such as antivirus and host firewalls, DNS traffic analytics offers four advantages for detecting advanced POS fraud:
- Blocking of malicious domains in near real time. A DNS-layer security platform can refuse to resolve phishing or C2 domains as soon as they are identified, which cuts off any exfiltration or command channel that depends on resolving that name before serious damage occurs.
- Visibility despite encryption. TLS hides the content of web traffic from inspection tools, but the destination name is still visible at the DNS lookup stage, so a malicious destination can be identified even when the session itself is encrypted. The caveat is that this only holds while POS hosts use the organization's own resolvers: malware that resolves names over DNS over HTTPS (DoH) to a public resolver, or that connects to a hard-coded IP address, never appears in the resolver logs. Egress filtering that forces all DNS through the internal resolvers and blocks direct connections to outside resolvers is therefore a prerequisite, not an optional extra.
- Catching attacks that use valid credentials. When attackers hijack legitimate user or API accounts, their activity can look normal to endpoint tools. Unusual DNS requests from the hosts involved are a vital signal that credential abuse or an insider threat is in play.
- Surfacing blind spots across partner networks. DNS analysis gives a single vantage point across internal networks, cloud environments and third-party connections, a view that security teams cannot get from traditional tools.

Implementing DNS-Layer Fraud Prevention
DNS-based threat detection offers powerful advantages for spotting and stopping POS fraud. Turning these insights into security outcomes requires an integrated solution consisting of:
- A cloud-based DNS security platform providing analytics, threat intelligence, and automatic blocking of known threats
- An on-premises DNS forwarder relaying internal DNS traffic to the cloud platform for analysis
- Agent sensors installed on critical POS servers
- Centralized monitoring and investigation capabilities
The DNS forwarder is the bridge between the internal network and the cloud, enabling enterprise-wide threat visibility that would be difficult to achieve otherwise. Every DNS query on the local network passes through the forwarder, which relays it (or a copy of the query log) to the cloud platform, where machine learning models analyze the traffic for signs of compromise.
In addition, combining endpoint sensors with DNS analytics gives security teams the context needed to separate real threats from false positives. For example, a DNS request to a previously unknown domain might look suspicious at first glance, yet the endpoint sensor may show that it originated from an accounting application server reaching its vendor, which is normal business activity.
Once configured, this integrated DNS security system runs silently in the background, automatically surfacing high-fidelity threat alerts to the security operations center (SOC). The SOC can then quickly triage alerts, confirm signs of real compromise, and initiate appropriate response procedures.
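One concrete way to implement the "automatic blocking of known threats" component, as an added example rather than code from the article or from any vendor's platform: a small Python generator that turns a list of confirmed-malicious domains into a BIND Response Policy Zone (RPZ). In RPZ, a rule of the form `name CNAME .` makes the resolver return NXDOMAIN for that name and `*.name CNAME .` covers all of its subdomains. The domain feed and the partner allowlist are constructed; the allowlist check is the safeguard the previous paragraph argues for, so that a bad feed entry can never cut off a partner integration the POS depends on.

```python
"""Generate a BIND Response Policy Zone (RPZ) from confirmed-malicious domains.
Added illustration, not the article's or any vendor's code. The domain lists are
constructed; the `name CNAME .` / `*.name CNAME .` record form is standard RPZ syntax."""
import re
from datetime import date

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed inputs: a feed of confirmed-bad domains (deliberately messy)
# and the partner/API domains the business depends on.
CONFIRMED_BAD = [
    "known-bad.example",
    "C2.Known-Bad.example.",      # mixed case, trailing dot, child of the line above
    "xk3j9q2ldfz8a.example",
    "partner-loyalty.example",     # a feed mistake: this is a real partner
    "bad_domain.example",          # underscore is not valid in a hostname
    "-lead.example",               # a label may not start with a hyphen
]
PARTNER_ALLOWLIST = ["partner-loyalty.example", "accounting-vendor.example"]

def normalize(domain):
    return domain.strip().rstrip(".").lower()

def is_valid_domain(domain):
    if not domain or len(domain) > 253:
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)

def is_under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)

def build_rpz_zone(blocked, allowlist, serial=None):
    """Return (zone_text, rejected); rejected is a list of (input, reason).

    Parents are processed before children so an entry already covered by the
    wildcard rule on its parent is not emitted a second time."""
    if serial is None:  # YYYYMMDDnn convention; fits the 32-bit SOA serial
        serial = int(date.today().strftime("%Y%m%d") + "01")
    allow = [normalize(a) for a in allowlist]
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    rejected, emitted = [], []
    candidates = sorted(((raw, normalize(raw)) for raw in blocked),
                        key=lambda pair: pair[1].count("."))
    for raw, dom in candidates:
        if not is_valid_domain(dom):
            rejected.append((raw, "invalid domain syntax"))
        elif any(is_under(dom, a) for a in allow):
            # Never let a feed entry block a partner integration the POS needs.
            rejected.append((raw, "covered by allowlist"))
        elif any(is_under(dom, e) for e in emitted):
            rejected.append((raw, "already covered by parent rule"))
        else:
            emitted.append(dom)
            lines.append(f"{dom} CNAME .")    # NXDOMAIN for the domain itself
            lines.append(f"*.{dom} CNAME .")  # ...and for every subdomain
    return "\n".join(lines) + "\n", rejected

if __name__ == "__main__":
    zone, rejected = build_rpz_zone(CONFIRMED_BAD, PARTNER_ALLOWLIST)
    print(zone)
    for raw, reason in rejected:
        print(f"rejected {raw!r}: {reason}")
```

The generated file is loaded in BIND with a `zone` statement for, say, `rpz.local` and `response-policy { zone "rpz.local"; };` in the `options` block, then reloaded after each regeneration. Every rejected entry should be logged for an analyst to review rather than silently dropped: an allowlist hit may mean the feed is wrong, or it may mean a partner domain really has been compromised and needs a different response than a resolver block.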
By using DNS telemetry, merchants gain an invaluable extra layer of protection against advanced attacks on their POS infrastructure, including API abuse that evades traditional controls.
Real-World Results Blocking POS Fraud
This technique for detecting and preventing POS fraud has already shown clear results in customer deployments. For instance, an investigation by threat researchers uncovered a spate of attacks against restaurant chains in the southern US.
Actors compromised the POS networks via phishing emails and began abusing loyalty program APIs to generate fraudulent discounts and steal customer data. The DNS security platform detected the attacker’s domains within minutes and automatically blocked further communication. This allowed the merchant IT team to remediate the infection before any material damage was done.
In another case, a DNS security solution identified C2 traffic from a POS environment to a domain registered that same day – a key indicator of compromise. Within an hour of this detection, the customer was able to isolate the infected points of sale and remove the attackers’ foothold in the network.
Without the solution in place, these attack incidents could have gone unnoticed for weeks or months before detection. Quick identification and response are essential for limiting fraud, avoiding breach notification costs, and minimizing reputational damage.
Key Takeaways
As cybercriminals continue innovating their monetization of compromised POS infrastructure, merchants need visibility and control beyond the endpoint level. DNS traffic analytics provides an invaluable source of threat intelligence that complements traditional POS security tools.
Key recommendations for merchants include:
- Log and analyze DNS queries from the POS environment.
- Match queried domains against known-threat indicators to detect compromise.
- Configure the resolver to block any domain confirmed to be malicious.
- Bring DNS telemetry from your own and third-party systems into a single analytics platform.
- Use endpoint telemetry to validate and confirm suspicious DNS activity.
Security teams can use DNS telemetry to find and stop POS API fraud as it happens, and the classifiers behind it will keep improving at recognizing new attack patterns as more data accumulates.
Because criminals now attack POS systems with patient, low-profile methods, merchants need tools that surface more indicators of compromise. DNS-based threat detection should be a central part of POS fraud prevention. Combined with stronger endpoint security and better employee training, it substantially hardens the payment environment.
