Researchers find new point-of-sale malware called BlackPOS

Group-IB researchers believe the malware has already been used to compromise thousands of payment cards in the US

A new piece of malware that infects point-of-sale (POS) systems has already been used to compromise thousands of payment cards belonging to customers of U.S. banks, according to researchers from Group-IB, a security and computer forensics company based in Russia.

POS malware is not a new type of threat, but it's increasingly used by cybercriminals, said Andrey Komarov, the head of international projects at Group-IB, Wednesday via email.

Komarov said that Group-IB's researchers have identified five different POS malware threats in the past six months. However, the most recent one, which was found earlier this month, has been investigated extensively, leading to the discovery of a command-and-control server and the identification of the cybercriminal gang behind it, he said.

The malware is being advertised on Internet underground forums under the rather generic name of "Dump Memory Grabber by Ree," but researchers from Group-IB's computer emergency response team (CERT-GIB) have seen an administration panel associated with the malware that used the name "BlackPOS."

A private video demonstration of the control panel published on a high-profile cybercriminal forum by the malware's author suggests that thousands of payment cards issued by U.S. banks including Chase, Capital One, Citibank, Union Bank of California and Nordstrom Bank, have already been compromised.

Group-IB has identified the live command-and-control server and has notified the affected banks, VISA and U.S. law enforcement agencies about the threat, Komarov said.

BlackPOS infects computers running Windows that are part of POS systems and have card readers attached to them. These computers are generally found during automated Internet scans and are infected because they have unpatched vulnerabilities in the OS or use weak remote administration credentials, Komarov said. In some rare cases, the malware is also deployed with help from insiders, he said.

Once installed on a POS system, the malware identifies the running process associated with the card reader and steals payment card Track 1 and Track 2 data from that process's memory. This is the information encoded on the magnetic stripe of a payment card, and it can later be used to clone the card.
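The scraping step described above, as an added example that is not part of the original article and is neither Group-IB's nor the malware's code: a Python scanner that searches a byte buffer (here a constructed stand-in for a card-reader process's memory) for ISO/IEC 7813 Track 1 and Track 2 records, applies the Luhn check to discard digit runs that only look like a card number, and masks the PAN before reporting it. The same pattern matching is what a defender's memory scanner or DLP rule would run over a process dump to find this kind of exposure. The process name and all buffer contents are constructed; 4111111111111111 is a widely used Luhn-valid test number.

```python
"""Scan a memory buffer for magnetic-stripe Track 1 / Track 2 records.

Added example (not Group-IB's code, not BlackPOS). The sample buffer below
is constructed to stand in for a card-reader process's memory.
"""
import re

# ISO/IEC 7813 track layouts. Track 1 (format B) starts with '%B', separates
# fields with '^' and ends with '?'. Track 2 starts with ';', separates the
# PAN from the expiry with '=' and ends with '?'. Both are matched as bytes
# because process memory is not guaranteed to be valid text.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,79})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check: drops digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so findings never store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Return one finding per Luhn-valid track record found in buf."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({
                "track": 1,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "name": m.group(2).decode(errors="replace").strip(),
                "expiry": m.group(3).decode(),        # YYMM
                "service_code": m.group(4).decode(),
            })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({
                "track": 2,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group(2).decode(),        # YYMM
                "service_code": m.group(3).decode(),
            })
    return findings


# Constructed sample: a slice of process memory holding two real-looking
# track records and one record whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00payment.exe\x00RECV 8.12 USD\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?\x00\x00"
    b";4111111111111111=25121011234567890?\x00"
    b";4111111111111112=2512101000?\x00"          # fails Luhn, must be ignored
    b"GET /status HTTP/1.1\r\n"
)

if __name__ == "__main__":
    for finding in scan_buffer(SAMPLE_MEMORY):
        print(finding)
```

On a live Windows host the buffer would come from reading the target process's memory (or from a memory image taken during incident response) rather than from a constant; the matching and validation logic is unchanged. The scanner deliberately reports only a masked PAN, since a detection tool that logs full card numbers creates the same exposure it is meant to find.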

Unlike a different POS malware called vSkimmer that was discovered recently, BlackPOS doesn't have an offline data extraction method, Komarov said. The captured information is uploaded to a remote server via FTP, he said.

The malware's author forgot to hide an active browser window where he was logged into Vkontakte -- a social networking site popular in Russian-speaking countries -- when recording the private demonstration video. This allowed the CERT-GIB researchers to gather more information about him and his associates, Komarov said.

The BlackPOS author uses the online alias "Richard Wagner" on Vkontakte and is the administrator of a social networking group whose members are linked to the Russian branch of Anonymous. The Group-IB researchers determined that the members of this group are under 23 years old and are selling DDoS (distributed denial of service) services with prices starting at US$2 per hour.

Companies should restrict remote access to their POS systems to a limited set of trusted IP (Internet Protocol) addresses and should make sure that all security patches are installed for the software running on them, Komarov said. All actions performed on such systems should be monitored, he said.

Lucian Constantin

IDG News Service