PoS Malware Used to Steal Data from Over 167,000 Credit Cards (Security Affairs)
Researchers reported that threat actors used 2 PoS malware variants to steal information from over 167,000 credit cards.
Cybersecurity firm Group-IB discovered two PoS malware families used to steal data associated with more than 167,000 credit cards from point-of-sale payment terminals.
On April 19, 2022, Group-IB researchers identified the C2 server of the PoS malware called MajikPOS. A misconfiguration of the server allowed the experts to investigate its operators’ activity and find out that it was also used as a C2 for another PoS malware called Treasure Hunter.
MajikPOS PoS malware was first spotted by Trend Micro in early 2017, when it was used to target businesses in North America and Canada.
MajikPOS is written using the “.NET framework” and uses an encrypted communication channel to avoid detection.
The crooks did not use sophisticated techniques to compromise the targets: they gained access to PoS systems through brute-force attacks on password-protected Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services whose passwords were easy to guess.
In some cases, the cybercriminals used the FTP (File Transfer Protocol) command line or a modified version of Ammyy Admin to install the MajikPOS malware.
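The initial access described above is a plain password brute force against exposed VNC and RDP services, which is also one of the easiest stages of this kill chain to detect. The following script is an added example, not code from the article or from Group-IB: it parses a handful of constructed log lines (Windows Security event 4625/4624 with LogonType 10 for RDP, and a generic VNC authentication-failure line whose format is an assumption), counts failed logons per source address in a sliding window, and flags the case defenders care about most, a burst of failures followed by a successful logon from the same source.

```python
"""Detect password brute-force attempts against RDP/VNC from log lines.

Added example: the log formats, thresholds and sample data below are
constructed for illustration and are not taken from the Group-IB report.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # sliding window length (assumed tuning value)
THRESHOLD = 5                  # failed logons per source inside WINDOW (assumed)

# Constructed sample lines. EventID 4625 = failed logon, 4624 = successful
# logon, LogonType 10 = RemoteInteractive (RDP). Addresses are documentation
# ranges (RFC 5737), not real hosts.
SAMPLE_LOGS = """\
2022-04-19T10:00:01 EventID=4625 LogonType=10 Source=203.0.113.7 Account=administrator
2022-04-19T10:00:02 EventID=4625 LogonType=10 Source=203.0.113.7 Account=admin
2022-04-19T10:00:03 EventID=4625 LogonType=10 Source=203.0.113.7 Account=pos
2022-04-19T10:00:04 EventID=4625 LogonType=10 Source=203.0.113.7 Account=pos1
2022-04-19T10:00:05 EventID=4625 LogonType=10 Source=203.0.113.7 Account=cashier
2022-04-19T10:00:06 EventID=4624 LogonType=10 Source=203.0.113.7 Account=pos1
2022-04-19T10:05:00 EventID=4625 LogonType=10 Source=198.51.100.4 Account=operator
2022-04-19T10:00:10 vncserver: authentication failure from 203.0.113.9
2022-04-19T10:00:11 vncserver: authentication failure from 203.0.113.9
2022-04-19T10:00:12 vncserver: authentication failure from 203.0.113.9
2022-04-19T10:00:13 vncserver: authentication failure from 203.0.113.9
2022-04-19T10:00:14 vncserver: authentication failure from 203.0.113.9
2022-04-19T10:00:15 vncserver: authentication failure from 203.0.113.9
"""

RDP_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Source=(?P<src>\S+) Account=(?P<acct>\S+)$"
)
# Hypothetical VNC server log format, assumed for this example.
VNC_RE = re.compile(r"^(?P<ts>\S+) vncserver: authentication failure from (?P<src>\S+)$")


@dataclass
class Event:
    ts: datetime
    service: str          # "rdp" or "vnc"
    source: str           # remote address
    account: str | None   # account name where the log carries one
    success: bool         # True for a successful logon, False for a failure


def parse_line(line: str) -> Event | None:
    """Turn one log line into an Event; lines in neither format are ignored."""
    m = RDP_RE.match(line)
    if m and m["lt"] == "10":  # keep only RDP (RemoteInteractive) logons
        return Event(datetime.fromisoformat(m["ts"]), "rdp", m["src"],
                     m["acct"], m["eid"] == "4624")
    m = VNC_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "vnc", m["src"], None, False)
    return None


def detect_bruteforce(lines) -> list[dict]:
    """Return one alert per (service, source) that crosses THRESHOLD failures
    within WINDOW. A later successful logon from an alerted source marks the
    alert as a probable compromise rather than just an attempt."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    recent: dict = defaultdict(deque)  # (service, source) -> failure timestamps
    accounts: dict = defaultdict(set)  # (service, source) -> accounts tried
    alerts: dict = {}
    for ev in events:
        key = (ev.service, ev.source)
        if ev.success:
            if key in alerts:  # success after a flagged burst: likely compromise
                alerts[key]["success_after_bruteforce"] = True
                alerts[key]["compromised_account"] = ev.account
            continue
        q = recent[key]
        q.append(ev.ts)
        if ev.account:
            accounts[key].add(ev.account)
        while q and ev.ts - q[0] > WINDOW:  # drop failures older than WINDOW
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerts:
            alerts[key] = {
                "service": ev.service,
                "source": ev.source,
                "failures": len(q),  # failures in the window when first flagged
                "accounts_tried": sorted(accounts[key]),
                "first_seen": q[0],
                "last_seen": ev.ts,
                "success_after_bruteforce": False,
                "compromised_account": None,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
```

With the sample data the RDP source is flagged after five distinct usernames fail within a minute and then succeeds as `pos1`, which is exactly the pattern that should escalate to an isolation or credential-reset response; the VNC source is flagged as an ongoing attempt without success. The thresholds are deliberately low for the toy data and would be tuned per environment in practice.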
On July 18, 2019, the source code of MajikPOS (aka MagicPOS) was released for sale on the cyber crime forum “exploit[.]in” by user ashboard.
Artifacts discovered by Group-IB experts on the C2 infrastructure suggest that the malware operators initially used a variant of Treasure Hunter, but later switched to the advanced MajikPOS malware.
Treasure Hunter is a PoS malware that was first spotted in 2014; it supports RAM scraping, and its initial kill chain stages are similar to those of MajikPOS.
Group-IB reported that the source code for Treasure Hunter was also leaked on a prominent Russian-speaking underground forum.
Group-IB estimated that the potential revenue from the sale of stolen credit card data on the underground market amounted to $3,340,000.
“After analyzing the malicious infrastructure, Group-IB researchers recovered information about infected devices and compromised credit cards as a result of this campaign. Since at least February 2021, carriers have stolen over 167,000 payment records (as of September 8, 2022), primarily from the United States,” reads the report published by the experts. “According to Group-IB estimates, operators could earn up to $3,340,000 if they simply decide to sell the dumps of compromised maps on underground forums.”
The researchers pointed out that the malware remains active in September 2022.
The investigation revealed that the MajikPOS panel contained data on approximately 77,400 unique card dumps, while the Treasure Hunter panel contained approximately 90,000 card dumps.
Most of the cards stolen from the MajikPOS PoS malware panel were issued by US banks, as most of the infected POS terminals are in the US.
“POS malware has become less attractive to threat actors in recent years due to some of its limitations and the security measures implemented in the card payment industry. Nevertheless, as our research shows, it remains a significant threat to the payment industry as a whole and to individual businesses that have not yet implemented the latest security practices. It’s too early to cancel POS malware,” concludes the report.
“While a dump itself cannot be used to make online purchases, fraudsters purchasing such data may cash in stolen records. If the card-issuing authority fails to quickly detect the breach, criminals can produce cloned (“white plastic”) cards and withdraw cash from ATMs or use the cloned cards for illicit in-person purchases.”