Avanti Markets is warning users of its self-service kiosk vending machines that malware-wielding attackers infected approximately 1,900 of its machines and appear to have stolen payment card users' names and card numbers, and users' email addresses, among other sensitive information.
But the company has revised its initial warning that biometric data may also have been intercepted, saying that all such data remained encrypted and was not stolen (see Stolen OPM Fingerprints: What's the Risk?).
According to a security firm that detected related data exfiltration by the malware on July 4, it appears that a version of point-of-sale malware called Poseidon was used in the attack.
Avanti Markets on Friday issued a data incident notification, saying that on July 4, it discovered that attackers had employed "sophisticated malware" to steal some payment card users' first and last names, credit or debit card numbers and card expiration dates. "In addition, users of the Market Card option may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk's biometric verification functionality."
The company, which markets itself as a "micro market provider," aims its kiosks at corporate lunch areas and "break rooms." Its Market Card as well as an accompanying app - for iPhone and Android devices - enables users to load cash, or funds via payment cards, onto a dedicated card.
No Biometric Data Compromised
On Monday, Avanti Markets released a new data incident FAQ, reporting that anyone who used kiosks' optional biometric features did not have their biometric data compromised. "We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted."
According to the firm's website, its devices are used by 1.6 million customers in 46 states, who collectively purchase 200 million products per year. The company, based in Tukwila, Washington, was founded in 2009 as Evergreen Vending.
But not all kiosks were affected by the malware outbreak, which it believes ran for three days, in part because different machines run different code. "At this stage, we have determined the attack was not successful on all kiosks and many kiosks have not been adversely affected at all," the company reported Monday. "We believe approximately 1,900 kiosks have been affected, a fraction of the total kiosks in use."
The company believes the malware infection lasted for three days. "Based on our investigation at this time, it appears this malware was only active beginning on July 2," the company says in its breach FAQ. "Accordingly, if you did not utilize a kiosk between [July 2 and July 4], you were likely not affected by this attack."
Avanti Markets says it immediately launched an investigation into the breach after it was detected, brought in a third-party incident response firm and notified the FBI. It says that it has been "working nonstop to address this incident," and that its incident-response team appears to have eradicated the malware from all affected kiosks on July 4, within hours of learning of the breach, and that it has not seen any successful data-exfiltration efforts since.
The company is still trying to understand how the attack unfolded. "We believe that sometime shortly before July 4, 2017, the workstation of one of [a] third party vendor's employees became infected with a sophisticated and malicious malware attack, although our investigation has not enabled us to determine the precise nature of the attack," according to the company's FAQ.
Reached for comment, an Avanti Markets spokesman declined to detail how it first learned of the breach or how many individuals or payment cards were affected, saying its investigation remains ongoing.
But the company has promised to continue publishing details relating to the breach as its investigation continues. The company says it will also offer prepaid credit monitoring services to all affected individuals and set up a call center for victims. The company is notifying some breach victims via email, but says those emails will not include any links, nor should users click on any links in emails that purport to be from Avanti Markets (see Data Breach Notifications: What's Optimal Timing?).
The kiosk provider says that it will never attempt to contact customers via phone, and says any such efforts should be treated as scams.
End-to-End Crypto Rollout
The firm says about half of its kiosks were transmitting sensitive information as plaintext. "In May 2017, before the incident occurred, we began working with our technical team and our operators to roll out an end-to-end encryption solution to all kiosks," according to the company's data breach FAQ. "At the time of the incident, the solution had been installed in more than 50 percent of kiosks. This solution would eliminate the storage of payment card data on the kiosks."
It's not clear, however, if that move would outright block attackers' use of memory-scraping malware to intercept payment card data.
News of the breach was first reported by cybersecurity blogger Brian Krebs.
Cybersecurity Firm Detected Attack
It appears likely that Avanti Markets first learned about the attack via cybersecurity firm RiskAnalytics, based in Leawood, Kansas.
Noah Dunker, director of the RiskAnalytics security labs, says in a blog post that his company "identified a break room vending kiosk at a customer's office that had been infected with a point-of-sale malware family that's been called PoSeidon and FindPOS by various vendors since its initial discovery in 2015."
Writing about the malware in 2015, Cisco Talos said Poseidon was designed to be "quick and evasive" and includes a keylogger that scrapes POS device memory, watching for payment card data, which it then intercepts.
Dunker confirmed to Krebs that the attack it saw involved an Avanti Markets kiosk. Dunker says the malware not only matched Poseidon, but was using an SSL certificate that according to the Abuse.ch SSL Blacklist has long been used for other malware, including 2015 TorrentLocker ransomware attacks.
The malware appeared to be distributed to kiosks via a software update issued by Avanti Markets, Dunker says in his blog post. "The kiosks and the break room supplies (such as drinks, candy, chips and other snacks) are often installed and maintained by local Value-Added-Resellers," he says. "In our analysis of the incident, it seems most likely that the larger vendor [Avanti Markets] was compromised, and some or all of the kiosks maintained by local vendors were impacted."
Dunker says his firm was still trying to notify "at least two smaller vendors with local operations that have been impacted in two different cities" but says names are being withheld until it's able to do so.
Avanti Markets appeared to time the release of its data breach notification to occur on a Friday in an attempt to minimize news coverage and capitalize on the fact that fewer people may be following news outlets on Saturday. Many businesses as well as politicians have long pursued this strategy (see Chipotle: Hackers Dined Out on Most Restaurants).
'Sophisticated Malware' Blamed
Avanti Markets is the latest organization to claim not just that it was attacked with malware, but sophisticated attack code. Kmart, for example, recently claimed that its point-of-sale systems were infected with malware that "was undetectable by current anti-virus systems and application controls" (see Kmart Confirms Breach at Unspecified Number of Stores).
In general, however, security experts say that POS malware - including Poseidon - is relatively simple, and that too many organizations fail to change default passwords on devices or to ensure the devices only run on segmented networks (see Why POS Malware Still Works).
According to Dunker's analysis of the Avanti Markets outbreak, for example, the malicious traffic being sent by Poseidon-infected kiosks "matched the format identified by Cisco" in its analysis of 2015-era Poseidon malware.