Malicious Malware Could Grab Your Christmas Cash

by Paul Whytock
Dec 16, 2014

Retail point-of-sale terminals are under increasing attack from malware that can read credit- and bank-card information.

One of the most financially successful and prevalent cyber crimes is the hacking of retail point-of-sale (PoS) systems, so major stores and retail outlets need to shore up their defenses against such attacks to maintain customer confidence. For instance, malware can worm its way into the Track 1 and 2 data held in the magnetic stripe on credit cards. So what are the most dangerous PoS hacking systems? Brandon Tansey, security researcher at Lancope, lists these top ten bad boys:

rdasrv
This PoS malware searches for Track 1 and 2 data in specific, hardcoded PoS process names. It cannot exfiltrate data automatically—it only writes information to disk.

Alina
Another Track 1 and 2 infiltrator, it doesn’t have a specific list of target processes. Instead, Alina scans memory while skipping programs that are likely to use large amounts of memory but unlikely to contain card information, such as web browsers. It’s able to automatically exfiltrate information over the network.

VSkimmer
This malware is distributed as a customizable kit. That means those who purchase it can automatically generate malware using their own configuration options. These generated samples, which search for Track 2 data, use a process blacklist containing the names of certain Windows processes unlikely to contain credit-card information. It also has the ability to download and execute other applications at the command of its controller. VSkimmer supports automatic exfiltration over the network and can dump stored credit-card information to a thumb drive with a pre-determined name.

Dexter
In addition to simply looking for Track 1 and 2 credit-card information, Dexter has a key-logging component to capture keystrokes and other input. It maintains a process blacklist similar to VSkimmer. Furthermore, Dexter can automatically exfiltrate data over the network, and receive commands to download and execute other files or remove itself.

BlackPOS
Some versions of this aptly named malware are capable of exploiting user-input search criteria, which makes the malware easy to repurpose. BlackPOS has also been spotted attempting to brute-force RDP logins of other hosts. It can perform multiple types of network-based exfiltration, including email and FTP sites. Because the source code of BlackPOS was leaked, anyone who obtains the code can modify or recreate it.

Decebal
This malware searches for credit-card information. It attempts to avoid analysis environments like sandboxes and debuggers. Decebal exfiltrates over the network, and it also sends its controllers the names of installed anti-virus products. It’s been observed being distributed via drive-by download. Like BlackPOS, Decebal’s source code was leaked.

JackPOS
JackPOS is PoS malware that searches for both Track 1 and 2 information. Like other families, JackPOS also maintains a blacklist of process names and exfiltrates data over the network.

Soraya
On top of searching non-blacklisted process memory for credit-card information, Soraya injects itself into processes to capture data transmitted in Web requests. It exfiltrates captured credit-card information as well as Web requests over the network. Soraya uses packing to obfuscate its executable file, making analysis more difficult.

ChewBacca
This PoS malware family is notable for its use of Tor hidden services to exfiltrate data. In addition to searching for Track 1 and 2 data, ChewBacca has a key-logging component.

BrutPOS
As the name implies, this malware uses brute-force attacks to compromise additional systems. It targets known PoS software process names for scanning.

Backoff
Backoff hunts for Track 1 and 2 data by scanning the memory of processes that are not blacklisted. Like Soraya, it uses custom obfuscation in an attempt to make analysis more difficult. Furthermore, it’s capable of downloading and executing additional files. Like BlackPOS and BrutPOS, Backoff has been observed spreading through exposed PoS systems with weak RDP credentials.
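BlackPOS, BrutPOS and Backoff all lean on weak or brute-forced RDP credentials to reach PoS hosts, so a defender's first detection is a burst of failed RemoteInteractive logons from one source. The following is an added example, not code from the article or from Lancope: it runs a sliding-window count over constructed, simplified Windows Security log lines (event 4625 = failed logon, LogonType 10 = RDP) and reports sources that cross a threshold. The log line format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical export format:
# timestamp, event id, logon type, account, source IP.
# Event 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-12-15T02:14:01 4625 LogonType=10 Account=administrator Source=203.0.113.7
2014-12-15T02:14:03 4625 LogonType=10 Account=pos Source=203.0.113.7
2014-12-15T02:14:04 4625 LogonType=10 Account=admin Source=203.0.113.7
2014-12-15T02:14:06 4625 LogonType=10 Account=posuser Source=203.0.113.7
2014-12-15T02:14:08 4625 LogonType=10 Account=micros Source=203.0.113.7
2014-12-15T02:14:09 4625 LogonType=10 Account=aloha Source=203.0.113.7
2014-12-15T02:30:00 4625 LogonType=10 Account=clerk1 Source=198.51.100.4
2014-12-15T03:10:00 4625 LogonType=2 Account=clerk1 Source=127.0.0.1
2014-12-15T03:12:00 4624 LogonType=10 Account=pos Source=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: set(accounts)} for every source that produced at
    least `threshold` failed RDP logons within any `window_seconds` span.
    A per-source deque of timestamps makes this a single pass over the log."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    accounts = defaultdict(set)   # src -> account names tried so far
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4625" or m["ltype"] != "10":
            continue              # keep only failed RemoteInteractive logons
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        accounts[src].add(m["acct"])
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            alerts[src] = set(accounts[src])
    return alerts

if __name__ == "__main__":
    for src, accts in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {src}: {len(accts)} accounts tried")
```

In the sample, 203.0.113.7 crosses the threshold and also produces a later successful RDP logon (4624) for one of the accounts it tried, which is the follow-up event worth correlating on a real host.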

In addition to those hacks, another recently announced cyber threat promises to be even more insidious—it can attack a wide variety of mobile networks. Called “Inceptions,” it not only infiltrates your smartphone, but it also has the ability to stay hidden and to conceal the path back to its origin.

So, given the prevalence of malware bombs that could seriously compromise your credit card, it may be prudent to consider cash purchases to make sure Santa's deliveries make it down the family chimney this Christmas.


Discuss this Blog Entry

on Oct 21, 2015

It would be interesting to know what has happened since last year

on Jan 21, 2017

I am really impressed by the way in which you presented the content and also the structure of the post. Hope you can give us more posts like this, and I really appreciate your hard work.
