In the 19 months between February 2021 and September 2022, two point-of-sale (POS) malware operators have stolen more than 167,000 payment records, mainly from the US, according to researchers at Group-IB. The researchers were able to retrieve information about infected machines and compromised credit cards by analyzing a command and control (C2) server used by the malware.
POS malware is designed to steal debit and credit card data from POS machines in retail stores. It does this by harvesting the temporarily unencrypted card data from the machine’s memory. Due to improved security measures against this type of theft in most countries, this type of malware isn't as widely used as it once was, although it never disappeared completely.
The malware
The researchers found badly configured control panels for two different strains of POS malware, MajikPOS and Treasure Hunter. A possible explanation is that the operators started out using Treasure Hunter and adopted MajikPOS at a later time. This is likely because the source code for MajikPOS has been circulating on the Dark Web and it offers additional features compared to Treasure Hunter.
The basic ability of all POS malware is the same—to steal sensitive card payment details from the RAM of a POS device where the data can be found in an unencrypted form. But different families offer other options when it comes to persistence and processing stolen data.
The machines targeted by the malware were found by scanning for remote desktop applications like RDP and VNC, and then guessing their passwords. Successfully guessing a password gave the attackers the same access to the computer as they would have had if they were actually sitting in front of it.
During the investigation, Group-IB specialists analyzed around 77,400 unique card dumps from the MajikPOS panel and about 90,000 from the Treasure Hunter panel. Most of the stolen cards were issued by US banks, and most of the infected POS terminals are located in the US.
The average price for a single card dump is around $20, so if the threat actors were able to sell the stolen dumps on an underground market, they could have made in excess of $3 million.
Credit identity theft
Credit identity theft happens when a scammer steals your credit card data and uses it to make fraudulent purchases or obtains a credit card or loan under your name. According to the FTC, people who suspect they are the victim of credit identity theft should contact their bank or credit card company to cancel their card and request a new one. If you get a new card, don’t forget to update any automatic payments with your new card number.
To find out if you are a victim:
- Review your transactions regularly, to make sure no one has misused your card.
- If you find fraudulent charges, call the fraud department and get them removed.
- Check your credit report at annualcreditreport.com.
Mitigation
All the usual, basic (and effective) security advice applies to POS device owners. If you operate POS machines:
- Implement a plan for patching software in a timely manner
- Protect passwords with two-factor authentication, preferably FIDO 2
- Use a strong password policy and rate limiting to further protect passwords
- Run endpoint security software with EDR to detect malware and intruders
- Assign access rights according to the Principle of Least Privilege
- Segment networks to slow down lateral movement
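The initial access described above (password guessing against exposed RDP and VNC) is noisy, and the rate-limiting and EDR advice in the list depends on someone actually looking at failed logons. The script below is an added example, not code from the article or from Group-IB, that runs a simple detection over constructed log lines: repeated failed remote-desktop logons from one source within a short window are flagged as password guessing, and a later successful logon from the same source is escalated, because that is the pattern that precedes a POS infection of this kind. The single-line log layout (host=, event=, logon_type=, user=, src= fields) is an assumed simplification; Windows Security Event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP) are real values, while the VNC line format is invented for the sample.

```python
"""Flag remote-desktop password guessing from failed-logon log lines.

Added example (not from the article). Log format is a constructed, simplified
key=value rendering: Windows events 4625/4624 with logon_type=10 (RDP) and an
assumed single-line VNC auth-failure message.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source sprays five accounts on a
# POS terminal and then logs in; one user mistypes once; one source hammers VNC.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z host=POS-TERM-07 event=4625 logon_type=10 user=Administrator src=203.0.113.5
2022-09-01T10:00:03Z host=POS-TERM-07 event=4625 logon_type=10 user=admin src=203.0.113.5
2022-09-01T10:00:04Z host=POS-TERM-07 event=4625 logon_type=10 user=pos src=203.0.113.5
2022-09-01T10:00:06Z host=POS-TERM-07 event=4625 logon_type=10 user=cashier src=203.0.113.5
2022-09-01T10:00:07Z host=POS-TERM-07 event=4625 logon_type=10 user=manager src=203.0.113.5
2022-09-01T10:00:09Z host=POS-TERM-07 event=4624 logon_type=10 user=manager src=203.0.113.5
2022-09-01T10:05:00Z host=POS-TERM-03 event=4625 logon_type=10 user=jsmith src=198.51.100.20
2022-09-01T10:07:10Z host=POS-TERM-03 event=4624 logon_type=10 user=jsmith src=198.51.100.20
2022-09-01T10:10:00Z host=POS-TERM-12 service=vnc result=auth_failed src=192.0.2.77
2022-09-01T10:10:01Z host=POS-TERM-12 service=vnc result=auth_failed src=192.0.2.77
2022-09-01T10:10:02Z host=POS-TERM-12 service=vnc result=auth_failed src=192.0.2.77
2022-09-01T10:10:03Z host=POS-TERM-12 service=vnc result=auth_failed src=192.0.2.77
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into (datetime, dict of fields)."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), fields


def classify(fields):
    """Return 'fail', 'success' or None; only remote-desktop logons count."""
    if fields.get("logon_type") == "10":          # RDP (RemoteInteractive)
        if fields.get("event") == "4625":
            return "fail"
        if fields.get("event") == "4624":
            return "success"
    if fields.get("service") == "vnc":            # assumed VNC log format
        return "fail" if fields.get("result") == "auth_failed" else "success"
    return None


def detect_password_guessing(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {src_ip: alert} for sources with >= threshold failures in `window`.

    An alert is escalated to 'success_after_guessing' when a successful
    remote-desktop logon from a flagged source follows the failures.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        kind = classify(f)
        if kind is None:
            continue
        src, q = f["src"], recent[f["src"]]
        while q and ts - q[0][0] > window:    # slide the window forward
            q.popleft()
        if kind == "fail":
            q.append((ts, f.get("user")))
            if src in flagged:
                flagged[src]["failures"] += 1
                flagged[src]["users"].update(u for _, u in q if u)
            elif len(q) >= threshold:
                flagged[src] = {
                    "host": f["host"],
                    "first_seen": q[0][0].isoformat(),
                    "failures": len(q),
                    "users": {u for _, u in q if u},
                    "severity": "guessing",
                }
        elif src in flagged:                  # success from a guessing source
            flagged[src]["severity"] = "success_after_guessing"
    for alert in flagged.values():            # make the result deterministic
        alert["users"] = sorted(alert["users"])
    return flagged


if __name__ == "__main__":
    for src, alert in detect_password_guessing(SAMPLE_LOG).items():
        print(src, alert)
```

The thresholds are deliberately low to make the sample readable; in production you would tune the window and count per environment, and a 'success_after_guessing' alert on a POS terminal is the one to treat as a probable compromise rather than a nuisance, since the next step in the campaign described above is dropping the RAM scraper on that machine.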