Attackers are able to easily monetize stolen credit card data

When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.

POINT OF SALE MALWARE 

PoSeidon

There is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. This new malware family, that we’ve nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:

At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot. The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Dexter

The Dexter Trojan horse was disclosed publicly by Seculert in December 2012. Dexter attempts to scan the memory of other processes looking for Track 1 or Track 2 formatted data. Dexter uses HTTP to communicate with a command and control (C2) server to exfiltrate stolen card data and to receive updates. Dexter includes an administration panel for browsing infected computers, similar to the control panels found with banking trojans .

vSkimmer

vSkimmer was disclosed by McAfee in March 2013. In addition to information about the malware, McAfee included details from a message on a web forum used by criminals to advertise goods and services. vSkimmer also searches program memory for track data; however, it only looks for data matching Track 2 format. Figure 2 shows the regular expression used to search for Track 2 formatted data.

Figure 2. vSkimmer regular expression for matching Track 2 formatted data. (Source: Dell SecureWorks)

In addition to using HTTP to exfiltrate stolen data to a C2 server, vSkimmer can be configured to copy data to a specific USB device if it is unable to connect to the Internet. vSkimmer dumps its stolen data to a log file on a USB drive with a certain volume name. Based on a version of the vSkimmer builder tool obtained by the CTU research team, the volume name and name of the log file can be configured by the tool used to configure and build customized versions of the malware. This option provides the attacker with an alternate mechanism for offloading stolen data from a POS device that is not allowed to communicate directly to the Internet.In addition to using HTTP to exfiltrate stolen data to a C2 server, vSkimmer can be configured to copy data to a specific USB device if it is unable to connect to the Internet. vSkimmer dumps its stolen data to a log file on a USB drive with a certain volume name. Based on a version of the vSkimmer builder tool obtained by the CTU research team, the volume name and name of the log file can be configured by the tool used to configure and build customized versions of the malware. This option provides the attacker with an alternate mechanism for offloading stolen data from a POS device that is not allowed to communicate directly to the Internet.

BlackPOS

BlackPOS, which is allegedly sold under the name "Dump Memory Grabber by Ree," was disclosed publicly by the Russian-based security firm Group-IB in late March 2013. The tool was being advertised on a popular web forum for cybercriminal goods and services. BlackPOS scans the memory of running processes for stored Track 1 and Track 2 formatted data. If found, data is stored in an output file called output.txt and is uploaded to a server using FTP.

Alina

The Alina trojan was discovered by the CTU research team in March 2013. As with the previous three POS-targeting malware, Alina searches running processes for credit card track data.

Alina uses HTTP to upload information about the infected computer and stolen card data to its C2 server. Alina can also download and run updates.

Shortly after its discovery, the CTU research team implemented countermeasures to detect Alina trojan activity. Infections were detected in three customer networks over a one week period. No activity has been detected since March 2013.

Citadel

The Citadel trojan is a well-known crimeware kit that is used to target online banking and credit card data for the purpose of committing fraud. In addition to its ability to spy on a user's web browsing activity, Citadel has several other features that make it valuable to an attacker for identifying and compromising potential POS devices.

System reconnaissance

Citadel can be configured to run certain commands specified in a configuration file each time it starts. As shown in Figure 6, Citadel can be configured to gather information about the infected host and the network.

Software reconnaissance

The Citadel trojan can also collect information about software installed on the infected computer. A botnet operator can use this information to gather information about the purpose of the infected computer and possibly information about other computers on the network.

Download and execute programs

Citadel allows a botnet operator to send a command to infected computers to download a program from a URL and run it on an infected computer. This instruction is referred to as a "user_execute" command. It can be sent to the entire botnet, to a single infected computer, or only to computers located within a specific country.

Keystroke logging

Citadel can be configured to log all keystrokes entered within targeted processes for a specified time period. This action can provide an attacker with sensitive information such as account credentials for POS software users and account data that is manually entered.

Screenshots and video capture

Citadel can be configured to take screenshots when a user navigates to a specific URL or even to record video of the user's actions. This ability allows attackers to collect intelligence on how a web application works. The attackers can then use this intelligence to craft their attack tools to leverage that specific platform.

Monetization of Stolen Card Data.

How it is possible to monetize the information stolen during a cyber-attack? How much do sensitive information and stolen credit cards cost and where it is possible to acquire them? Groups of cyber-criminals, mostly located in Eastern Europe and Russia, are part of an organized network that is able to sell these commodities to other criminals who desire to conduct a cyber-attack or to realize a scam.

Let me start by remarking that cyber-criminals find it more profitable to sell stolen credit cards than to directly use the data gathered for illegal activities. Many countries, including the U.S., still use credit cards based on a magnetic strip that are quite easy to clone; the lack of security measures such as security chips aids cyber-criminals. Fortunately, that is changing and principal financial institutions are working to replace an obsolete technology that exposes card holders to serious risks. The stolen credit card information came from identity theft through large-scale attacks based on botnets, and credit card skimming.

Of course, the price for stolen cards is variable and depends on different factors, including the amount, limits of the card, type of card, account balance, and geographic location of the card owner. The price for valid credit cards could reach $100 for each item and it is quite easy to buy them on specialized hacking forums; the Deep Web, for example, has plenty of black markets that offer them at cheap prices.

Card numbers are usually sold to brokers who acquire large numbers of stolen card numbers to resell to carders. The stolen card data market is not different from any legitimate marketplace; specialized sellers, escrow agents, resellers, and vendors flock to this specific business segment. The price for valid credit cards can be as high as $100 per card, depending on the amount of information available with the card, the type of card, and its known limits.

The amount of banking malware is constant increasing and old malicious codes are renewed, as happened for Zeus crimeware. The proliferation of such agents in responsible for the decrease of the average price for a stolen credit card.

The majority of websites that offer stolen card data guarantee their validity and, in some cases, they also provide replacements in case of problems.

Conclusion

Cybercrime continues to evolve in response to technical and legal actions. Criminals are now leveraging payment mechanisms such as prepaid cards to make their schemes more efficient. This approach also allows more criminals to use magnetic string based authentication systems to conduct tried-and-true attacks against POS systems. CTU researchers believe that POS devices will continue to be an attractive target, with criminals developing new malware and repurposing existing malware to steal card data. Organizations that process card data need to continue to monitor the threat landscape and adapt their controls to protect card data beyond PCI requirements.