Cybercriminals are increasingly targeting credit card payment terminals to steal sensitive information, reveals new research from Group-IB Botnet Monitoring Team.
The team’s head Nikolay Shelekhov and the company’s analyst, Said Khamchiev, shared details of how cybercriminals used a PoS (point-of-sale) malware to steal over 167,000 payment records from 212 compromised devices. Almost all of the affected users were based in the USA.
The campaign was discovered in April 2022, but researchers believe it ran from February 2021 until at least September 8, 2022.
The researchers traced the activity to a poorly configured C2 server for the MajikPOS PoS malware. The misconfiguration allowed them to assess the server, and they discovered that it also hosted a separate C2 administrative panel for a distinct POS malware strain identified as Treasure Hunter (first detected in 2014). This malware likewise collects compromised card data.
Both MajikPOS and Treasure Hunter infect Windows POS terminals. To get into a store's network, the MajikPOS operators (the malware was first detected in 2017) scan for open or poorly secured RDP and VNC remote-desktop services, then brute-force their way in or purchase access credentials for those systems.
Both strains watch for the moment the device reads a card, when the card data sits in plain text in memory. Treasure Hunter does this through RAM scraping, poring over the memory of every running process on the register to locate freshly swiped magnetic-stripe data from a shopper's bank card. MajikPOS, for its part, scans the infected machines for card details. The harvested information is then sent to the attacker's C2 server.
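The RDP brute-force step described above leaves a trail in the Windows Security log: many failed logons (Event ID 4625) from one source followed by a success (Event ID 4624), with LogonType 10 marking RemoteInteractive (RDP) sessions. The detector below is an added example, not code from Group-IB or this article; the sample events are constructed and the threshold and time window are assumptions.

```python
"""Flag sources that fail many RDP logons and then succeed (brute-force-then-success)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data. 4625 = failed logon,
# 4624 = successful logon, ltype 10 = RemoteInteractive (RDP), 3 = Network.
SAMPLE_EVENTS = [
    {"time": "2022-09-08T01:00:00", "id": 4625, "src": "203.0.113.7", "user": "admin", "ltype": 10},
    {"time": "2022-09-08T01:01:00", "id": 4625, "src": "203.0.113.7", "user": "pos", "ltype": 10},
    {"time": "2022-09-08T01:02:00", "id": 4625, "src": "203.0.113.7", "user": "cashier", "ltype": 10},
    {"time": "2022-09-08T01:03:00", "id": 4625, "src": "203.0.113.7", "user": "manager", "ltype": 10},
    {"time": "2022-09-08T01:04:00", "id": 4625, "src": "203.0.113.7", "user": "admin", "ltype": 10},
    {"time": "2022-09-08T01:05:00", "id": 4625, "src": "203.0.113.7", "user": "administrator", "ltype": 10},
    {"time": "2022-09-08T01:06:00", "id": 4624, "src": "203.0.113.7", "user": "administrator", "ltype": 10},
    # Benign: two typos then success from an internal host.
    {"time": "2022-09-08T08:00:00", "id": 4625, "src": "10.0.0.12", "user": "jane", "ltype": 10},
    {"time": "2022-09-08T08:00:30", "id": 4625, "src": "10.0.0.12", "user": "jane", "ltype": 10},
    {"time": "2022-09-08T08:01:00", "id": 4624, "src": "10.0.0.12", "user": "jane", "ltype": 10},
    # Non-RDP network logons are ignored by this rule.
    {"time": "2022-09-08T09:00:00", "id": 4624, "src": "10.0.0.99", "user": "svc", "ltype": 3},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return findings for sources with >= threshold failed RDP logons within
    `window` immediately preceding a successful RDP logon."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["ltype"] == 10:  # only RemoteInteractive (RDP) logons
            by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        recent_failures = []
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            # Drop failures that fell outside the sliding window.
            recent_failures = [f for f in recent_failures if t - f <= window]
            if ev["id"] == 4625:
                recent_failures.append(t)
            elif ev["id"] == 4624:
                if len(recent_failures) >= threshold:
                    findings.append({"src": src, "user": ev["user"],
                                     "failures": len(recent_failures),
                                     "success_at": ev["time"]})
                recent_failures = []  # a success resets the streak
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT: {f['src']} succeeded as {f['user']} after {f['failures']} failures at {f['success_at']}")
```

In a real deployment the same logic runs over events exported from the Security log (for example via Get-WinEvent or a SIEM), and a hit on an Internet-facing POS host is a strong signal that remote-desktop exposure should be closed.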
During their month-long investigation, Group-IB assessed around 77,400 card dumps from MajikPOS and 90,000 from Treasure Hunter panels. Around 75,455 or 97% of MajikPOS compromised cards were issued by US banks, and the rest were from banks worldwide. Regarding Treasure Hunter, 96% or 86,411 cards were issued in the USA. They also detected eleven victim firms in the USA.
The investigation further revealed that cybercriminals used the two POS malware strains to steal details of over 167,000 credit cards, all taken from payment terminals. Researchers noted that the backend C2 server operating the Treasure Hunter and MajikPOS strains was still active, and the number of victims was still growing.
After discovering the attack, Group-IB notified law enforcement agencies, and a US-based threat-sharing agency was also notified. In their blog post, Group-IB also revealed that:
“The information about compromised cards, POS terminals, and the victims that Group-IB researchers were able to identify, was shared upon discovery with a US-based non-profit alliance that brings together private industry, academia, and law enforcement.” (Group-IB)
It is unclear who stole the data of such a vast number of credit cards and whether the data was sold or used. However, researchers are confident that the stolen data could fetch over $3.3 million if sold on underground marketplaces.