POS Malware Used to Steal Details of Over 167,000 Credit Cards

Two point-of-sale (POS) malware tools have been deployed by a threat actor to steal the information of over 167,000 credit cards from payment terminals.

The findings come from security experts at Group-IB, who published an advisory about the malware campaigns on Monday.

“On April 19, 2022, the Group-IB Threat Intelligence identified a Command and Control (C2) server of the POS malware called MajikPOS,” reads the document.

“The analysis of [command and control] C&C revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis.”

The team then analyzed the server and found that it also hosted the C2 administrative panel of another POS malware, Treasure Hunter, which is likewise used to collect compromised credit card data.

“After analyzing the malicious infrastructure, Group-IB researchers retrieved information about the infected devices and the credit cards compromised as a result of this campaign,” the cybersecurity experts wrote.

Since at least February 2021, the operators have reportedly stolen more than 167,000 payment records (as of September 08, 2022), mainly from US-based victims.

“According to Group-IB’s estimates, the operators could make as much as $3,340,000 if they simply decide to sell the compromised card dumps on underground forums.”

More generally, the security researchers said that POS malware has become a rarely used tool, as an increasing number of threat actors in the carding industry are switching to JavaScript sniffers to harvest card data entered on e-commerce websites.

Still, some threat actors continue to use these techniques, including the ones behind the campaigns above, which, according to Group-IB, are still active.

“Malware is just one click away,” Erfan Shadabi, a cybersecurity expert from comforte, told Infosecurity.

“The two most important things an organization can do are: one, spread cybersecurity awareness and use a zero-trust approach to ensure that users only get access to sensitive data when they have permission and only when it is absolutely necessary. And two, protect the data.”

According to Shadabi, traditional encryption methods work in some scenarios, but some algorithms can be easily cracked, and key management and other operational concerns make plain data encryption unattractive.

“Using a stronger, more flexible data-centric method such as tokenization means that data format can be preserved while sensitive data elements are obfuscated with representational tokens,” Shadabi added.

“Enterprise applications support tokenized data much better, skirting the need to de-protect the information in order to work with it within a corporate workflow.”
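As an added illustration of the tokenization approach Shadabi describes (example code written for this page, not from Group-IB, comforte or Infosecurity): a small vault-based tokenizer that keeps a card number's length and last four digits, so a workflow that only needs "last 4" never has to de-protect the real PAN, and that deliberately generates tokens failing the Luhn check so a token cannot be mistaken for a real card number. The card number used below is a constructed, well-known test value.

```python
import re
import secrets

PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_valid(number: str) -> bool:
    """Standard Luhn checksum; real PANs pass it, our tokens must not."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal in-memory vault (hypothetical; a real one lives in a hardened,
    access-controlled store). Maps PAN <-> format-preserving token."""

    def __init__(self):
        self._by_pan = {}    # real PAN -> token
        self._by_token = {}  # token -> real PAN

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan):
            raise ValueError("PAN must be 12-19 digits")
        if pan in self._by_pan:          # same card always yields the same token
            return self._by_pan[pan]
        while True:
            # random digits for everything except the last four, which are kept
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # reject anything Luhn-valid (could be a real PAN) or already in use
            if not luhn_valid(token) and token not in self._by_token \
                    and token not in self._by_pan:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        """Only the few components that truly need the PAN get to de-protect it."""
        if not authorized:
            raise PermissionError("detokenization requires explicit authorization")
        return self._by_token[token]
```

Downstream systems can match, display and reconcile on the token (same length, same last four) while the real PAN stays only in the vault.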

The Group-IB advisory comes days after the Federal Bureau of Investigation (FBI) issued an announcement warning students against loan forgiveness scams aimed at stealing their personal and financial information.
