The author is advertising a trojan for sale that can steal credit card information from machines running Windows for financial transactions and credit card payments, said Chintan Shah, a researcher at McAfee, in a blog post. Beyond the basics, it’s sneaky as well: vSkimmer can actively detect card readers, then grab all information from the Windows machines attached to these readers, and send that data to a control server.
“This botnet is particularly interesting because it directly targets card-payment terminals running Windows,” Shah said.
In many ways, including in the active detection aspect, the malware “appears to be a successor of Dexter, but with additional functions,” said Shah – and in fact, the hacking forum advertises the bug as “better than” that particular botnet. Dexter is best-known for being the bug behind the heist of 80,000 customers’ credit, debit and payment account numbers merchant point-of-sale (PoS) systems, including more than 150 Subway restaurant locations. Dexter was officially outed in December by Israeli security firm Seculert, and its hallmark is that it appears purpose-built: instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, hackers can simply use Dexter to specifically target high-value PoS systems.
Thus, vSkimmer is yet another example of how financial fraud is actively evolving and how financial trojans are developed and passed around in the underground community, Shah wrote. He added, “We already know about botnets such as Zeus and SpyEye, which perform financial fraud using extremely sophisticated techniques including intercepting the victims’ banking transactions.”
McAfee’s Automated Botnet Replication Framework first spotted vSkimmer on February 13, and the firm has since analyzed samples and figured out how it steals credit card information, and its additional control functionalities.
To start, vSkimmer collates information about a machine’s system, like the version, unique GUID identifier, default language, hostname and active username, to enable the attacker to track each machine. It then scans what the computer is doing, and when it finds a process that matches that of a card reader, it extracts card Track 2 data.
“Track 2 data is information stored on the magnetic strip of a payment card and can be used to clone the card, unless the payment card uses the EMV (chip and pin) standard,” Network World explained. “That said, in an announcement posted earlier this month on a cybercriminal forum, the malware's author said that work is being done to add support for EMV cards and that ‘2013 will be a hot year.’"
vSkimmer can also function offline – when a USB device with the volume name KARTOXA007 is connected, it copies a log file with the captured data to it, Shah said.