Researchers find new point-of-sale malware called BlackPOS

Group-IB researchers believe the malware has already been used to compromise thousands of payment cards in the US

A new piece of malware that infects point-of-sale (POS) systems has already been used to compromise thousands of payment cards belonging to customers of U.S. banks, according to researchers from Group-IB, a security and computer forensics company based in Russia.

POS malware is not a new type of threat, but it's increasingly used by cybercriminals, said Andrey Komarov, the head of international projects at Group-IB, Wednesday via email.

Komarov said that Group-IB's researchers have identified five different POS malware threats in the past six months. However, the most recent one, which was found earlier this month, has been investigated extensively, leading to the discovery of a command-and-control server and the identification of the cybercriminal gang behind it, he said.

The malware is being advertised on Internet underground forums under the rather generic name of "Dump Memory Grabber by Ree," but researchers from Group-IB's computer emergency response team (CERT-GIB) have seen an administration panel associated with the malware that used the name "BlackPOS."

A private video demonstration of the control panel, published on a high-profile cybercriminal forum by the malware's author, suggests that thousands of payment cards issued by U.S. banks, including Chase, Capital One, Citibank, Union Bank of California and Nordstrom Bank, have already been compromised.

Group-IB has identified the live command-and-control server and has notified the affected banks, VISA and U.S. law enforcement agencies about the threat, Komarov said.

BlackPOS infects computers running Windows that are part of POS systems and have card readers attached to them. These computers are generally found during automated Internet scans and are infected because they have unpatched vulnerabilities in the OS or use weak remote administration credentials, Komarov said. In some rare cases, the malware is also deployed with help from insiders, he said.

Once installed on a POS system, the malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. This is the information encoded on the magnetic stripe of a payment card: the primary account number, expiry date and service code, plus the cardholder name on Track 1. The data is handled in the clear in the reader's process memory, which is what makes memory scraping possible, and once captured it can be used to clone cards.

Unlike a different POS malware called vSkimmer that was discovered recently, BlackPOS doesn't have an offline data extraction method, Komarov said. The captured information is uploaded to a remote server via FTP, he said.

The malware's author forgot to hide an active browser window where he was logged into Vkontakte -- a social networking site popular in Russian-speaking countries -- when recording the private demonstration video. This allowed the CERT-GIB researchers to gather more information about him and his associates, Komarov said.

The BlackPOS author uses the online alias "Richard Wagner" on Vkontakte and is the administrator of a social networking group whose members are linked to the Russian branch of Anonymous. The Group-IB researchers determined that the members of this group are under 23 years old and are selling DDoS (distributed denial of service) services with prices starting at US$2 per hour.

Companies should restrict remote access to their POS systems to a limited set of trusted IP (Internet Protocol) addresses and should make sure that all security patches are installed for the software running on them, Komarov said. All actions performed on such systems should be monitored, he said.


Lucian Constantin

IDG News Service
