BlackPOS


BlackPOS, also known as Kaptoxa, is a point-of-sale malware program designed to be installed in a point of sale (POS) system to scrape data from debit and credit cards. BlackPOS was used in the Target Corporation data breach of 2013. [1] [2]


History

The BlackPOS program first surfaced in early 2013 [3] and affected many Australian, American, and Canadian companies using point-of-sale systems, such as Target and Neiman Marcus. The program was originally created by 23-year-old Rinat Shabayev and later developed by 17-year-old Sergey Taraspov, better known by his online name, 'ree4'. [4] The original version of BlackPOS was sold by Taraspov on online black-market forums, under the name "Dump Memory Grabber by Ree", for around $2000. [5] The name BlackPOS was found in the software's administration panel. [3]

Operation

BlackPOS infects computers running Microsoft Windows that have credit card readers connected to them and are part of a POS system. [6] After installation, the program attaches to the pos.exe process and scans its memory for track 1 and track 2 magnetic-stripe payment card data. [7] The data is then exfiltrated via SMB to a server within the company's network, where another component collects it and sends it to the attacker via FTP. [7]

BlackPOS only sends stolen information during business hours, to avoid raising suspicion by generating network traffic at unusual times. [8]
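The two-stage exfiltration path described above (POS terminal writes to an internal share over SMB, the staging host then uploads over FTP) is something a defender can look for in network flow logs without needing a sample of the malware. The following Python script is an added example, not code from the article or from any BlackPOS sample: it parses a constructed flow-log format, correlates SMB writes from an assumed POS subnet with outbound FTP from the same internal host, and also shows why a simple after-hours rule would miss this traffic, since the transfers fall inside business hours. The subnets, hostnames, IP addresses and log lines are all constructed for illustration.

```python
"""
Correlate internal SMB staging with outbound FTP in flow logs.

Added example, not from the Wikipedia article or any BlackPOS sample.
The log format, subnets and IP addresses are constructed; a real
deployment would read NetFlow, Zeek conn.log or firewall logs instead.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed network layout (constructed): POS terminals live in 10.20.0.0/16,
# the corporate LAN as a whole is 10.0.0.0/8; anything else is external.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: "timestamp src dst dport bytes".
SAMPLE_FLOWS = """\
2013-12-02T10:15:03 10.20.4.11 10.20.4.9 445 1200
2013-12-02T10:40:21 10.20.4.11 10.10.1.50 445 48321
2013-12-02T11:02:44 10.20.7.23 10.10.1.50 445 51022
2013-12-02T11:30:08 10.10.1.50 198.51.100.77 21 102560
2013-12-02T14:05:00 10.20.4.11 10.10.1.50 445 47780
2013-12-02T14:20:19 10.10.1.50 198.51.100.77 21 95000
2013-12-02T15:00:00 10.10.2.8 10.10.9.4 445 2048
2013-12-02T23:55:10 10.10.2.8 203.0.113.5 443 4000
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_flows(text):
    """Parse the constructed flow format into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, nbytes = m.groups()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def find_staging_chains(flows, min_smb_bytes=10000):
    """Return {staging_host: {"pos_sources": [...], "ftp_dests": [...]}} for
    internal non-POS hosts that receive sizeable SMB writes from POS terminals
    and also send FTP to an external address."""
    smb_in = defaultdict(set)   # internal host <- POS sources writing to it
    ftp_out = defaultdict(set)  # internal host -> external FTP destinations
    for f in flows:
        if (f["dport"] == 445 and f["src"] in POS_SUBNET
                and f["dst"] in INTERNAL and f["dst"] not in POS_SUBNET
                and f["bytes"] >= min_smb_bytes):
            smb_in[f["dst"]].add(f["src"])
        if f["dport"] == 21 and f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            ftp_out[f["src"]].add(f["dst"])
    chains = {}
    for host in smb_in.keys() & ftp_out.keys():
        chains[str(host)] = {
            "pos_sources": sorted(str(s) for s in smb_in[host]),
            "ftp_dests": sorted(str(d) for d in ftp_out[host]),
        }
    return chains


def off_hours_flows(flows, start_hour=9, end_hour=18):
    """Flows outside the assumed business window; a rule built only on this
    would not see the staging chain above, which runs during the day."""
    return [f for f in flows
            if f["ts"].hour < start_hour or f["ts"].hour >= end_hour]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, info in find_staging_chains(flows).items():
        print(f"staging host {host}: SMB from {info['pos_sources']}, "
              f"FTP to {info['ftp_dests']}")
    print("off-hours flows:", [str(f["src"]) for f in off_hours_flows(flows)])
```

On the sample data the only chain is 10.10.1.50 (fed by two POS terminals, uploading to 198.51.100.77), while the only off-hours flow is an unrelated HTTPS connection. The useful signal is the structural one: POS terminals should talk to the payment processor and management hosts, not write bulk data to arbitrary internal shares, and an internal server that both collects from POS hosts and speaks FTP outbound deserves a look regardless of the clock.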

Incidents

BlackPOS has been used to steal customer information from businesses worldwide. The most well-known attack was the 2013 Target security breach.

Target

During the Thanksgiving break of November 2013, Target's POS system was infected with the BlackPOS malware. It was not until mid-December that the company became aware of the breach. The hackers were able to get into Target's systems by compromising a company web server and uploading the BlackPOS software to Target's POS systems. As a result of this attack, the credit and debit card information of more than 40 million customers, and the addresses, phone numbers, names, and other personal information of more than 70 million people, were stolen. About 1800 U.S. Target stores were affected by the malware attack. [9]

Neiman Marcus

Neiman Marcus, another well-known retailer, was affected as well. Its POS system was said to have been infected in early July 2013 and was not fully contained until January 2014. The breach is believed to have involved 1.1 million credit and debit cards over the span of several months. Although credit and debit card information was compromised, Neiman Marcus issued a statement saying that Social Security Numbers and birthdates were not affected. [10] [11]

Other companies

Other affected companies included UPS and Home Depot. [12] [13]


References

  1. "BlackPOS involved in Target’s POS machines"
  2. "Malware Behind Target Credit Card Thefts Identified"
  3. "Researchers find new point-of-sale malware called BlackPOS". PCWorld. Retrieved 8 January 2023.
  4. Kumar, Mohit. "23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware". The Hacker News. Retrieved 2016-11-05.
  5. "A First Look at the Target Intrusion, Malware — Krebs on Security". krebsonsecurity.com. Retrieved 2016-11-05.
  6. Sun, Bowen. "A Survey of Point-of-Sale (POS) Malware". www.cse.wustl.edu. Retrieved 2016-11-05.
  7. "POS Malware Revisted"
  8. "An evolution of BlackPOS malware". Hewlett Packard Enterprise Community. 2014-01-31. Archived from the original on 2016-09-26. Retrieved 2016-11-05.
  9. Riley, Michael; Elgin, Benjamin; Lawrence, Dune; Matlack, Carol (2014-03-17). "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". Bloomberg.com. Retrieved 2016-11-05.
  10. "Neiman Marcus data breach said to have started in July and not been fully contained until Sunday | Business | Dallas News". Dallas News. 2014-01-16. Retrieved 2016-11-05.
  11. Harris, Elizabeth A.; Perlroth, Nicole; Popper, Nathaniel (2014-01-23). "Neiman Marcus Data Breach Worse Than First Said". The New York Times. ISSN 0362-4331. Retrieved 2016-11-05.
  12. "Backoff and BlackPOS Malware Breach Retailers Point of Sale Systems". www.wolfssl.com. 11 September 2014. Retrieved 2016-11-05.
  13. "Exclusive: More well-known U.S. retailers victims of cyber attacks - sources". Reuters. 2017-01-12. Retrieved 2016-11-05.