BlackPOS Malware


BlackPOS, also described as interprocess communication hook malware, is a type of point-of-sale malware or spyware program specifically designed to be installed on a point of sale (POS) system to scrape data from debit and credit cards. [1] [2] This differs from ordinary memory-scraping malware, which scrapes all of the data it can reach and then needs filters to extract the target data: BlackPOS hooks directly into the track information, which is why it is called an interprocess communication hook. Once installed, the malware looks for the pos.exe file on the system and parses the track 1 and track 2 financial card data it handles. [3] [4] The encoded data is then moved to a second machine over SMB. BlackPOS was used in the Target Corporation data breach of 2013. [5] [6]


History

The BlackPOS program first surfaced in early 2013 and affected many Australian, American and Canadian companies, such as Target and Neiman Marcus, that had incorporated point-of-sale systems into their businesses. The malware, also known as 'reedum' or 'KAPTOXA', was originally created by 23-year-old Rinat Shabayev and later developed by 17-year-old Sergey Taraspov, better known by his online name 'ree4'. The original version of BlackPOS was sold on online black-market forums by Taraspov for around $2000, but it became cheaper and more readily available once the source code for the malware leaked onto the web. [7] [8] [9] [10]

How It Works

BlackPOS infects computers running Windows operating systems that have credit card readers connected to them and are part of a POS system. [11] POS computers are easily infected if they do not run up-to-date operating systems and antivirus software, or if the computer database systems have weak administrative login credentials. BlackPOS is a standard memory-scraping malware, with the exception that it is limited to the pos.exe files on the infected POS system. [12] Once the targeted POS system is infected, the malware pinpoints the process corresponding to the card reader and steals payment card Track 1 and Track 2 data, the information stored on the magnetic stripe of payment cards, from that process's memory. [11] [13] Once stolen, the information can be cloned onto blank payment cards to be sold on the black market or used by the thieves themselves. [7] The result is that consumers' personal information is compromised and usable by anyone with access to it. Unlike other POS malware, such as vSkimmer, BlackPOS has no offline data extraction method: the captured information is uploaded to a remote server over the network. This makes the attackers' job easier, since they do not need to be near the infected systems to retrieve consumer information. [10] [11] Furthermore, attackers may try to hide the malware from detection by programming BlackPOS to send stolen information only during certain time frames. By doing so they can blend the exfiltration traffic into normal working-hours traffic, making it seem as if nothing suspicious is going on. [14]

Incidents

BlackPOS has been used to steal customer information from businesses worldwide. The most well-known attack occurred back in 2013 to the mega-store chain, Target.

Target

During the Thanksgiving break of November 2013, Target's POS systems were infected with the BlackPOS malware. It was not until mid-December that the retailer became aware of the breach of its security. The attackers got into Target's systems by compromising a company web server and uploading the BlackPOS software to Target's POS systems. As a result of this attack, the credit and debit card information of more than 40 million customers, and the addresses, phone numbers, names and other personal information of more than 70 million people, were stolen from its systems. In the end, about 1,800 U.S. Target stores had been affected by the malware attack. [15]

Neiman Marcus

Target, however, was not the only business affected by this software. Neiman Marcus, another well-known retailer, was affected as well. Its computer systems were said to have been infected in early July 2013, and the infection was not fully contained until January 2014. The breach is believed to have involved 1.1 million credit and debit cards over the span of several months. Although credit and debit card information was compromised, Neiman Marcus issued a statement saying that, among other things, Social Security numbers and birthdates were not affected. [16] [17] Companies such as UPS, Wendy's and Home Depot have also claimed to have been affected by BlackPOS, although there have been reports stating that those breaches were not caused by the malware. [18] [19]

Detection

There are two ways to detect BlackPOS activity in POS systems based on how the malware works: [20]

Transfer of Encoded Track Data

The first strategy for detecting BlackPOS uses the fact that the first 15 characters of stolen track data always consist of digits. As a result, only a limited number of combinations can be produced, which means there is a predictable pattern that can be matched. In particular, encoding the inputs "000" through "999" yields output strings that always begin with one of: "M1", "Mf", "Mh", "Ml", "T1", "Tf", "Th", "Tl", "sh", or "sl". [20]

SMB Writes to Drop Location

The second way to identify BlackPOS network activity is by its dropping of a file to a specific location using a fixed filename format. The example given by Security Intelligence checks whether a file whose path and name match the following format is being written:

\WINDOWS\twain_32\*_*_*_*.txt

The strategy can be demonstrated with the following OpenSignature rule:

alert tcp any -> any 445 (msg:"KAPTOXA File Write Detected"; flow:to_server,established; content:"SMB|A2|"; content:"\\|00|W|00|I|00|N|00|D|00|O|00|W|00|S|00|\\|00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00|\\"; pcre:"/.*_.*_.*_.*\.|00|t|00|x|00|t/"; sid:1;) [20]
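The two heuristics above can be reproduced outside a network IDS, for instance in a log or packet-capture post-processing script. The following Python is an added example written for this article; it is not code from the article, from Security Intelligence or from any BlackPOS analysis. It does not re-implement BlackPOS's encoding scheme (which the article does not describe), it only checks for the ten observable output prefixes; and it models only as much of the SMB1 NT_CREATE_ANDX request as the rule above relies on (the `\xffSMB` magic, command byte 0xA2 at offset 4, and a NUL-terminated UTF-16LE path starting at the first even offset after the fixed-size words). The sample messages are constructed, and the case-insensitive filename match is an assumption.

```python
"""Re-implementation of the two BlackPOS detection heuristics (added example)."""
import re

# Strategy 1: the encoded track data always starts with one of these prefixes.
ENCODED_TRACK_PREFIXES = ("M1", "Mf", "Mh", "Ml", "T1", "Tf", "Th", "Tl", "sh", "sl")


def looks_like_encoded_track(payload: bytes) -> bool:
    """True if a captured payload begins with a known BlackPOS encoding prefix."""
    try:
        head = payload[:2].decode("ascii")
    except UnicodeDecodeError:
        return False
    return head in ENCODED_TRACK_PREFIXES


# Strategy 2: an SMB1 NT_CREATE_ANDX request naming \WINDOWS\twain_32\*_*_*_*.txt.
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NT_CREATE_ANDX = 0xA2
DROP_DIR_UTF16 = "\\WINDOWS\\twain_32\\".encode("utf-16-le")
# At least three underscore-separated fields and a .txt suffix (case-insensitive: assumption).
DROP_NAME_RE = re.compile(r"^[^\\]*_[^\\]*_[^\\]*_[^\\]*\.txt$", re.IGNORECASE)


def extract_smb_drop_path(smb_payload: bytes):
    """Return the twain_32 path if this SMB1 message creates a BlackPOS-style drop file, else None."""
    if len(smb_payload) < 5 or not smb_payload.startswith(SMB1_MAGIC):
        return None
    if smb_payload[4] != SMB_COM_NT_CREATE_ANDX:          # command byte of the SMB1 header
        return None
    idx = smb_payload.find(DROP_DIR_UTF16)
    if idx == -1 or idx % 2:                             # UTF-16LE strings sit on even offsets
        return None
    # Walk to the two-byte NUL terminator to recover the full path.
    end = idx
    while end + 1 < len(smb_payload) and smb_payload[end:end + 2] != b"\x00\x00":
        end += 2
    path = smb_payload[idx:end].decode("utf-16-le", errors="replace")
    filename = path.rsplit("\\", 1)[-1]
    return path if DROP_NAME_RE.match(filename) else None


def build_nt_create_request(path: str) -> bytes:
    """Constructed SMB1 NT_CREATE_ANDX request: 32-byte header, 49 bytes of words,
    2-byte ByteCount, 1 pad byte, then the NUL-terminated UTF-16LE path (fixed fields zeroed)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NT_CREATE_ANDX]) + b"\x00" * 27
    words_and_bytecount = b"\x00" * 52                   # 49 + 2 + 1 alignment pad
    return header + words_and_bytecount + path.encode("utf-16-le") + b"\x00\x00"


# Constructed samples: one BlackPOS-style drop, one ordinary file create.
SAMPLE_DROP_WRITE = build_nt_create_request("\\WINDOWS\\twain_32\\1_2_3_4.txt")
SAMPLE_BENIGN_WRITE = build_nt_create_request("\\Users\\cashier\\report_2013.txt")


def scan(payloads):
    """Apply both heuristics to a list of (source, bytes) pairs and return alert strings."""
    alerts = []
    for source, data in payloads:
        if looks_like_encoded_track(data):
            alerts.append(f"{source}: payload starts with BlackPOS encoding prefix")
        drop = extract_smb_drop_path(data)
        if drop:
            alerts.append(f"{source}: SMB create of drop file {drop}")
    return alerts


if __name__ == "__main__":
    for line in scan([("pos-01", b"Mh5kQ..."), ("pos-01", SAMPLE_DROP_WRITE),
                      ("pos-02", SAMPLE_BENIGN_WRITE)]):
        print(line)
```

The prefix check is a weak signal on its own (two ASCII characters will collide with plenty of benign traffic), so in practice it is only worth alerting on when it co-occurs with SMB writes from a POS host into `twain_32`, which is what the `scan` function's combined output gives a SOC analyst.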

Prevention

According to the PCI Security Council, businesses should update their malware prevention software frequently to lower the chance of infection. In addition, system logs should be checked regularly for irregular activity on servers, and large data files being sent to unknown destinations should be monitored. Companies should also require that all login credentials be updated regularly and provide instructions on how to create safer, more secure passwords. [11] [13] [18]

References

  1. "What is BlackPOS Malware"
  2. "A First Look At The Target Intrusion, BlackPOS Malware"
  3. "Survey of Point of Sale Malware"
  4. "POS Malware Revisited"
  5. "BlackPOS involved in Target's POS machines"
  6. "Malware Behind Target Credit Card Thefts Identified"
  7. "A First Look at the Target Intrusion, Malware — Krebs on Security". krebsonsecurity.com. Retrieved 2016-11-05.
  8. Kumar, Mohit. "23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware". The Hacker News. Retrieved 2016-11-05.
  9. "KAPTOXA Point-of-Sale Compromise". docplayer.net. Retrieved 2016-11-05.
  10. "Researchers find new point-of-sale malware called BlackPOS". PCWorld. Retrieved 2016-11-05.
  11. Sun, Bowen. "A Survey of Point-of-Sale (POS) Malware". www.cse.wustl.edu. Retrieved 2016-11-05.
  12. Marshalek, Marion; Kimayong, Paul; Gong, Fengmin. "POS Malware Revisited" (PDF). Archived from the original (PDF) on 2014-12-22. Retrieved 2016-10-28.
  13. "New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts - TrendLabs Security Intelligence Blog". TrendLabs Security Intelligence Blog. 2014-08-29. Retrieved 2016-11-05.
  14. "An evolution of BlackPOS malware". Hewlett Packard Enterprise Community. 2014-01-31. Retrieved 2016-11-05.
  15. Riley, Michael; Elgin, Benjamin; Lawrence, Dune; Matlack, Carol (2014-03-17). "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". Bloomberg.com. Retrieved 2016-11-05.
  16. "Neiman Marcus data breach said to have started in July and not been fully contained until Sunday | Business | Dallas News". Dallas News. 2014-01-16. Retrieved 2016-11-05.
  17. Harris, Elizabeth A.; Perlroth, Nicole; Popper, Nathaniel (2014-01-23). "Neiman Marcus Data Breach Worse Than First Said". The New York Times. ISSN 0362-4331. Retrieved 2016-11-05.
  18. "Backoff and BlackPOS Malware Breach Retailers Point of Sale Systems". www.wolfssl.com. 11 September 2014. Retrieved 2016-11-05.
  19. "Exclusive: More well-known U.S. retailers victims of cyber attacks - sources". Reuters. 2017-01-12. Retrieved 2016-11-05.
  20. "The POS Malware Epidemic: The Most Dangerous Vulnerabilities and Malware". Security Intelligence. 2015-06-19. Retrieved 2016-11-05.