Payment Terminal Malware steals Data from over 167,000 Credit Cards


The cybersecurity firm Group-IB has discovered two point-of-sale (POS) malware tools that a threat actor deployed to steal the data of over 167,000 credit cards from point-of-sale payment terminals.

The security experts at Group-IB published their findings on the POS malware tools on Monday.

“On April 19, 2022, the Group-IB Threat Intelligence identified a Command and Control (C2) server of the POS malware called MajikPOS,” reads the document.

“The analysis of [command and control] C&C revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis.”

Malware: Treasure Hunter

The team went on to analyze the server further and found that it had also hosted a C2 administrative panel for another POS malware called Treasure Hunter. This malware was used to collect compromised credit card data, in a similar way to the first one.

Cybersecurity experts further added: “After analyzing the malicious infrastructure, Group-IB researchers retrieved information about the infected devices and the credit cards compromised as a result of this campaign.”

On September 08, 2022, it was reported that the operators had stolen more than 167,000 payment records since February 2021, mainly from the US.

“According to Group-IB’s estimates, the operators could make as much as $3,340,000 if they simply decide to sell the compromised card dumps on underground forums.”

Cybersecurity Experts

According to cybersecurity expert Erfan Shadabi, “Malware is just one click away.”

To avoid becoming a victim, the two important things an organization can do are to spread cybersecurity awareness and to protect its data by not trusting any source.

Shadabi stated that common encryption methods are useful in some situations; however, other algorithms can be simply cracked. Also, key management and additional operational concerns make plain data encryption less desirable.

Shadabi said: “Using a stronger, more flexible data-centric method such as tokenization means that data format can be preserved while sensitive data elements are obfuscated with representational tokens.” 

“Enterprise applications support tokenized data much better, skirting the need to de-protect the information in order to work with it within a corporate workflow.”

Threat actors rarely use such malware tools and are more inclined to use JavaScript sniffers to collect card text data from e-commerce websites, because of limitations on the malware.

However, researchers state that this malware is still a significant threat to the payment industry as a whole and to individual businesses that have not yet implemented the latest security practices.

Author: PureVPN

Date: November 24, 2022
