Two payment terminal malware strains have stolen millions of dollars worth of data

Cybersecurity researchers have spotted two strains of point-of-sale (POS) malware that are active in the wild and stealing people’s credit card information. 

So far, they’ve stolen more than $3.3 million worth of payment data, but given that the strains are active, that number is probably even higher by now. 

Cybersecurity researchers Nikolay Shelekhov and Said Khamchiev from Group-IB discovered the strains – called MajikPOS and Treasure Hunter – earlier this year, when they found their command & control (C2) servers. Through the server, they were able to deduce that the malware operators – whose identities are unknown at the time – stole payment information from tens of thousands of credit card holders. 

Tens of thousands of stolen credit cards

Between February 2021 and September 2022, they were able to obtain the details of more than 167,000 credit cards. The researchers claim this information could be worth more than $3.3 million on the black market. 

Pretty much all of the data stolen belongs to US-based credit card holders. It took the researchers a month to analyze some 77,000 card dumps from the MajikPOS panel, and some 90,000 from the Treasure Hunter panel, after which they deduced that 97% of the cards from MajikPOS, and 96% from Treasure Hunter, were issued by US banks. The rest were issued by banks all around the world. 

Law enforcement has been notified, the researchers added.

To infect POS endpoints, threat actors would first scan networks for open, or improperly secured virtual network computing (VNC) and remote desktop protocol (RDP) services. They would access (or brute-force their way into) the systems, and install the malware. After that, the malware would scan the devices and exploit them in the moment when they read and store credit card data. 

To protect from such attacks businesses should make sure their POS systems are protected with a strong password, are regularly updated with the newest software, and are hidden behind firewalls and other cybersecurity solutions.

Via: The Register