A new piece of malware that infects point-of-sale (POS) systems has already been used to compromise thousands of payment cards belonging to customers of U.S. banks, according to researchers from Group-IB, a security and computer forensics company based in Russia.
POS malware is not a new type of threat, but it’s increasingly used by cybercriminals, said Andrey Komarov, the head of international projects at Group-IB, Wednesday via email.
Komarov said that Group-IB’s researchers have identified five different POS malware threats in the past six months. However, the most recent one, which was found earlier this month, has been investigated extensively, leading to the discovery of a command-and-control server and the identification of the cybercriminal gang behind it, he said.
The malware is being advertised on Internet underground forums under the rather generic name of “Dump Memory Grabber by Ree,” but researchers from Group-IB’s computer emergency response team (CERT-GIB) have seen an administration panel associated with the malware that used the name “BlackPOS.”
A private video demonstration of the control panel published on a high-profile cybercriminal forum by the malware’s author suggests that thousands of payment cards issued by U.S. banks including Chase, Capital One, Citibank, Union Bank of California and Nordstrom Bank, have already been compromised.
Group-IB has identified the live command-and-control server and has notified the affected banks, VISA and U.S. law enforcement agencies about the threat, Komarov said.
BlackPOS infects computers running Windows that are part of POS systems and have card readers attached to them. These computers are generally found during automated Internet scans and are infected because they have unpatched vulnerabilities in the OS or use weak remote administration credentials, Komarov said. In some rare cases, the malware is also deployed with help from insiders, he said.
Once installed on a POS system, the malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. This is the information stored on the magnetic strip of payment cards and can later be used to clone them.
Unlike a different POS malware called vSkimmer that was discovered recently, BlackPOS doesn’t have an offline data extraction method, Komarov said. The captured information is uploaded to a remote server via FTP, he said.
The malware’s author forgot to hide an active browser window where he was logged into Vkontakte — a social networking site popular in Russian-speaking countries — when recording the private demonstration video. This allowed the CERT-GIB researchers to gather more information about him and his associates, Komarov said.
The BlackPOS author uses the online alias “Richard Wagner” on Vkontakte and is the administrator of a social networking group whose members are linked to the Russian branch of Anonymous. The Group-IB researchers determined that the members of this group are under 23 years old and are selling DDoS (distributed denial of service) services with prices starting at US$2 per hour.
Companies should restrict remote access to their POS systems to a limited set of trusted IP (Internet Protocol) addresses and should make sure that all security patches are installed for the software running on them, Komarov said. All actions performed on such systems should be monitored, he said.