A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.
The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.
MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.
The attackers are infecting computers by exploiting weak credentials. Brute force attacks are conducted on open Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some causes leveraging RATs that have previously been installed on retailers’ systems. The malware includes a RAM scraping component to identify credit card data and uses an encrypted channel to communicate with its C&C and exfiltrate data undetected.
MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.
POS Malware Infections Can be Devastating
A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.
While exploit kit activity has fallen in recent months, the threat has not disappeared and malvertising campaigns and malicious links sent via emails are still used in targeted attacks on U.S retailers.
Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.
POS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.
This latest threat should serve as a warning for all retailers. Security vulnerabilities can – and are – exploited by cybercriminals. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.