
Malicious Malware Could Grab Your Christmas Cash

Dec. 16, 2014

Hacking retail point-of-sale (PoS) systems is one of the most financially successful and prevalent cyber crimes, and it requires major stores and retail outlets to shore up their defenses against such attacks to maintain customer confidence. For instance, malware can worm its way into the Track 1 and 2 data held in the magnetic stripe on credit cards. So what are the most dangerous PoS hacking systems? Brandon Tansey, security researcher at Lancope, lists these top ten bad boys:
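To make concrete what "Track 1 and 2 data" means, and why every family below hunts for it, here is an added example in Python; it is not code from the article or from Lancope. It applies the ISO/IEC 7813 track layouts and a Luhn check to a constructed buffer, which is the same check a defender runs over a memory dump or log archive to confirm that a PoS host is not holding cleartext cardholder data. The sample buffer, the card numbers (published industry test numbers) and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 1, format code B (ISO/IEC 7813):
#   %B<PAN 12-19 digits>^<name up to 26 chars>^<YYMM><3-digit service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2:
#   ;<PAN 12-19 digits>=<YYMM><3-digit service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so a report never re-exposes the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int
    masked_pan: str
    expiry: str       # YYMM as it appears on the stripe
    offset: int       # byte offset into the scanned buffer


def find_track_data(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in a raw buffer."""
    # Track data is ASCII; latin-1 maps one byte to one char so offsets stay stable.
    text = buf.decode("latin-1")
    hits: List[TrackHit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_valid(m.group("pan")):
                hits.append(TrackHit(track, mask_pan(m.group("pan")), m.group("exp"), m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: fragments of process memory with two real-looking records
# (published test PANs) and one decoy whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00ProcessHeap\x00"
    b"%B4111111111111111^DOE/JANE^18121011000000000000?"   # Track 1
    b"\x00\x00noise\x00"
    b";5500000000000004=18121011000012300000?"            # Track 2
    b";4111111111111112=18121011000012300000?"            # Track 2 shape, bad Luhn
    b"\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(f"track {hit.track} at offset {hit.offset}: {hit.masked_pan} exp {hit.expiry}")
```

The Luhn filter matters in practice: without it, timestamps, serial numbers and other digit runs in a dump produce a steady stream of false positives, and the report would then need to carry the digits themselves to let an analyst triage them.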

rdasrv

This PoS malware searches the memory of a specific, hardcoded list of PoS process names for Track 1 and 2 data. It cannot exfiltrate data automatically—it only writes information to disk.

Alina
Another Track 1 and 2 infiltrator, it doesn't have a specific list of target processes. Instead, Alina scans process memory but skips programs that are likely to have large amounts of memory and a low chance of containing card information, such as web browsers. It's able to automatically exfiltrate information over the network.

VSkimmer
This malware is distributed as a customizable kit. That means those who purchase it can automatically generate malware using their own configuration options. These generated samples, which search for Track 2 data, use a process blacklist containing the names of certain Windows processes unlikely to contain credit-card information. It also has the ability to download and execute other applications at the command of its controller. VSkimmer supports automatic exfiltration over the network and can dump stored credit-card information to a thumb drive with a pre-determined name.

Dexter
In addition to simply looking for Track 1 and 2 credit-card information, Dexter has a key-logging component to capture keystrokes and other input. It maintains a process blacklist similar to VSkimmer. Furthermore, Dexter can automatically exfiltrate data over the network, and receive commands to download and execute other files or remove itself.

BlackPOS
Some versions of this aptly named malware accept user-supplied search criteria, which makes the malware easy to repurpose. BlackPOS has also been spotted attempting to brute-force RDP logins of other hosts. It can perform multiple types of network-based exfiltration, including email and FTP sites. Because the source code of BlackPOS was leaked, anyone who obtains the code can modify or recreate it.

Decebal
This malware searches for credit-card information. It attempts to avoid analysis environments like sandboxes and debuggers. Decebal can use the network for exfiltration, and it also sends the names of installed anti-virus products to its controllers. It's been observed being distributed via drive-by download. Like BlackPOS, Decebal's source code was leaked.

JackPOS
JackPOS is PoS malware that searches for both Track 1 and 2 information. Like other families, JackPOS also maintains a blacklist of process names and exfiltrates data over the network.

Soraya
On top of searching non-blacklisted process memory for credit-card information, Soraya injects itself into processes to capture data transmitted in Web requests. It exfiltrates captured credit-card information as well as Web requests over the network. Soraya uses packing to obfuscate its executable file, making analysis more difficult.

ChewBacca
This PoS malware family is notable for its use of Tor hidden services to exfiltrate data. In addition to searching for Track 1 and 2 data, ChewBacca has a key-logging component.

BrutPOS
As the name implies, this malware uses brute-force attacks to compromise additional systems. It targets known PoS software process names for scanning.

Backoff
Backoff hunts for Track 1 and 2 data by scanning the memory of processes that are not blacklisted. Like Soraya, it uses custom obfuscation in an attempt to make analysis more difficult. Furthermore, it's capable of downloading and executing additional files. Like BlackPOS and BrutPOS, Backoff has been observed spreading through exposed PoS systems with weak RDP credentials.
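BlackPOS, BrutPOS and Backoff all reach new PoS hosts through weak RDP credentials, so the spread is visible in the Windows Security log before any scraper runs. The following is an added example, not part of the article or of any product it mentions: it counts failed RDP logons (Event ID 4625 with Logon Type 10, the RemoteInteractive type) per source address in a sliding window, lists the accounts tried, and separately flags a successful logon (Event ID 4624) from an address that has just produced a burst of failures. The one-line log format, the threshold, the addresses (RFC 5737 test ranges) and the usernames are constructed for the example; real events would be exported from the Security log with Get-WinEvent or pulled from a SIEM.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed one-line rendering of Windows Security events (not a native format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUser=(?P<user>\S+)\s+SourceIP=(?P<ip>\S+)$"
)

LOGON_FAILED = 4625          # Windows Security: an account failed to log on
LOGON_SUCCESS = 4624         # Windows Security: an account was successfully logged on
REMOTE_INTERACTIVE = 10      # Logon Type 10 = RDP / Terminal Services
FAIL_THRESHOLD = 5           # failures per source inside WINDOW that trigger an alert
WINDOW = timedelta(seconds=60)


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None          # unparseable line: skip rather than crash the pipeline
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines: List[str]) -> List[dict]:
    """Sliding-window count of RDP logon failures per source IP."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: set = set()
    alerts: List[dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["lt"] != REMOTE_INTERACTIVE:
            continue         # only RDP logons are of interest here
        q = recent[ev["ip"]]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if ev["eid"] == LOGON_FAILED:
            q.append((ev["ts"], ev["user"]))
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in alerted:
                alerted.add(ev["ip"])   # one alert per source per burst
                alerts.append({
                    "type": "rdp_bruteforce",
                    "ip": ev["ip"],
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),   # spray vs. single-account guessing
                    "last_seen": ev["ts"].isoformat(),
                })
        elif ev["eid"] == LOGON_SUCCESS and len(q) >= FAIL_THRESHOLD:
            # A success right after a burst is the event that matters most.
            alerts.append({
                "type": "success_after_bruteforce",
                "ip": ev["ip"],
                "user": ev["user"],
                "preceding_failures": len(q),
            })
    return alerts


# Constructed sample log: one source hammers several accounts and then gets in,
# a second source has a single typo-level failure, a third is not RDP at all.
SAMPLE_LOG = """\
2014-12-16T01:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2014-12-16T01:00:04Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2014-12-16T01:00:06Z EventID=4625 LogonType=3 TargetUser=backup SourceIP=192.0.2.9
2014-12-16T01:00:09Z EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.45
2014-12-16T01:00:12Z EventID=4625 LogonType=10 TargetUser=cashier SourceIP=198.51.100.7
2014-12-16T01:00:15Z EventID=4625 LogonType=10 TargetUser=guest SourceIP=203.0.113.45
2014-12-16T01:00:20Z EventID=4625 LogonType=10 TargetUser=pos1 SourceIP=203.0.113.45
2014-12-16T01:00:31Z EventID=4624 LogonType=10 TargetUser=pos1 SourceIP=203.0.113.45
"""

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one to page on: a burst of failures followed by a success from the same address is the signature of a guessed or sprayed credential, and on a PoS host it usually precedes the scraper being dropped. The threshold and window are starting points to tune against the store's legitimate remote-support traffic.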

In addition to those hacks, another recently announced cyber threat promises to be even more insidious—it can attack a wide variety of mobile networks. Called “Inceptions,” it not only infiltrates your smartphone, but it also has the ability to stay hidden and to conceal the path back to its origins.

So, given the prevalence of malware bombs that could seriously damage your credit card, it may be prudent to consider cash purchases to make sure Santa's deliveries make it down the family chimney this Christmas.

About the Author

Paul Whytock Blog | European Editor

Paul Whytock is European Editor for Penton Media's Electronics Division. From his base in London, England, he covers press conferences and industry events throughout the EU for Penton publications and its Engineering TV and Radio services. Qualified to HNC Full Technological Certificate standard, Whytock trained as an automotive design engineer with Ford Motor Company prior to entering technical journalism.
