March 28, 2013, 9:30 AM — A new piece of malware that infects point-of-sale (POS) systems has already been used to compromise thousands of payment cards belonging to customers of U.S. banks, according to researchers from Group-IB, a security and computer forensics company based in Russia.
POS malware is not a new type of threat, but it's increasingly used by cybercriminals, said Andrey Komarov, the head of international projects at Group-IB, Wednesday via email.
Komarov said that Group-IB's researchers have identified five different POS malware threats in the past six months. However, the most recent one, which was found earlier this month, has been investigated extensively, leading to the discovery of a command-and-control server and the identification of the cybercriminal gang behind it, he said.
The malware is being advertised on Internet underground forums under the rather generic name of "Dump Memory Grabber by Ree," but researchers from Group-IB's computer emergency response team (CERT-GIB) have seen an administration panel associated with the malware that used the name "BlackPOS."
A private video demonstration of the control panel, published on a high-profile cybercriminal forum by the malware's author, suggests that thousands of payment cards issued by U.S. banks, including Chase, Capital One, Citibank, Union Bank of California and Nordstrom Bank, have already been compromised.
Group-IB has identified the live command-and-control server and has notified the affected banks, VISA and U.S. law enforcement agencies about the threat, Komarov said.
BlackPOS infects computers running Windows that are part of POS systems and have card readers attached to them. These computers are generally found during automated Internet scans and are infected because they have unpatched vulnerabilities in the OS or use weak remote administration credentials, Komarov said. In some rare cases, the malware is also deployed with help from insiders, he said.
Once installed on a POS system, the malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. This is the information stored on the magnetic stripe of payment cards, and it can later be used to clone them.
Unlike a different POS malware called vSkimmer that was discovered recently, BlackPOS doesn't have an offline data extraction method, Komarov said. The captured information is uploaded to a remote server via FTP, he said.
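Because BlackPOS ships the stolen Track 1 and Track 2 records to its server over plain FTP, the exfiltrated data is visible in cleartext on the wire, which gives defenders a concrete detection point. The following Python script is an added example, not code from the article or from Group-IB: it scans a captured outbound payload for strings laid out in the ISO/IEC 7813 Track 1 (format B) and Track 2 formats and keeps only those whose account number passes the Luhn check, the way a DLP rule or an IDS content inspector would. The payload, the cardholder name and the account numbers are constructed test data (4111111111111111 is a well-known test number, not a real card); the function names and the alert structure are this example's own assumptions.

```python
import re

# ISO/IEC 7813 layouts as they appear on the magnetic stripe:
#   Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits so an alert never re-exposes the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: str) -> list:
    """Locate Luhn-valid Track 1 / Track 2 records in a text buffer.

    Returns one dict per hit with the track number, masked PAN, expiry and
    byte offset; PANs that fail the Luhn check are dropped as false positives.
    """
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group("pan")
            if not luhn_valid(pan):
                continue
            hits.append({
                "track": track,
                "pan_masked": mask_pan(pan),
                "exp": m.group("exp"),
                "offset": m.start(),
            })
    return hits


def inspect_outbound(payload: str, dst_port: int) -> dict:
    """Build an alert for an outbound transfer that carries card track data.

    The severity is raised when the destination is the FTP data/control ports,
    matching the cleartext-FTP upload behaviour described for BlackPOS.
    """
    hits = find_track_data(payload)
    return {
        "alert": bool(hits),
        "severity": "high" if hits and dst_port in (20, 21) else ("medium" if hits else "none"),
        "records": len(hits),
        "hits": hits,
    }


# Constructed sample payload: three stripe-style records, the last one
# uses a number that fails the Luhn check and must not be reported.
SAMPLE_PAYLOAD = (
    "%B4111111111111111^DOE/JANE^25121010000000000?\n"
    ";4111111111111111=25121010000000000?\n"
    ";1234567890123456=25121010000?\n"
)

if __name__ == "__main__":
    result = inspect_outbound(SAMPLE_PAYLOAD, dst_port=21)
    print(result)
```

In a real deployment the buffer would come from an FTP data-channel capture or a proxy log rather than a string literal; the Luhn filter matters because the Track 2 pattern alone (digits, `=`, digits, `?`) matches far more than card data. Masking the PAN in the alert keeps the detection pipeline itself from becoming a second place where cardholder data is stored in the clear.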