A threat intelligence firm discovered point-of-sale (POS) malware command and control (C2) servers for two malware variants hosting over 167,000 payment records from stolen credit cards.
The credit cards were stolen between February 2021 and September 8, 2022, from issuers primarily (97%) located in the United States.
According to Group-IB researchers, the poorly configured server hosted an administrative panel for the MajikPOS and Treasure Hunter malware. The MajikPOS panel held 77,428 credit card dumps, while the Treasure Hunter panel contained 90,024.
Group-IB shared the information with a financial threat-sharing organization and with law enforcement agencies.
Stolen credit cards worth $3.3 million on the dark web
Between April 2021 and April 2022, the stolen credit card market was worth about $908,713,251, with each card dump selling for $20. Thus, the threat actor would earn at least $3.3 million from selling the stolen credit cards on underground hacking forums.
However, the Singapore-based threat intelligence group could not determine if hackers had disposed of the stolen credit cards on any cybercrime forum.
Notorious POS malware variants have existed for over five years
MajikPOS malware first appeared in 2017 and targeted payment devices in the United States and Canada, while Treasure Hunter was first detected in 2014.
Jolly Roger created Treasure Hunter for a Russian hacking group, ‘BearsInc’, which operated a carding forum for selling stolen credit cards. However, the malware's source code was leaked to a Russian-speaking hacking forum in 2018 and spread to other criminal gangs and to security researchers. Treasure Hunter POS malware reads the RAM (random access memory) of infected devices (RAM scraping) to extract payment data while it is processed in cleartext, and forwards it to the C2 servers.
Thus, encrypting in-memory data could prevent attacks, although hackers could still crack some encryption algorithms.
“Sure, traditional encryption methods are a consideration, but some algorithms can be easily cracked, and key management and other operational concerns make plain data encryption unattractive,” said Erfan Shadabi, a cybersecurity expert at Comforte AG. “Keep in mind that encrypted information does not possess the original format of the data, so enterprise applications either must be modified or the data must be de-protected.”
Shadabi recommended tokenization to preserve data format while obfuscating sensitive data elements from RAM scrapers.
“Enterprise applications support tokenized data much better, skirting the need to de-protect the information in order to work with it within a corporate workflow.”
POS malware uses brute-force attacks or stolen login credentials
Group-IB researchers explained that the malware operators gain access by brute-forcing the target POS terminal or buying login credentials from initial access brokers.
MajikPOS operators usually target poorly secured VNC and RDP instances to access payment devices and install POS malware.
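A defender's counterpart to the access method described above, as an added example that is not part of the Group-IB write-up: a sliding-window count of failed remote-desktop logons per source address, run over constructed sample events. The events are shaped loosely like Windows Security Event 4625 (failed logon) exported as CSV, where logon type 10 is RemoteInteractive (RDP); the field order, addresses and account names are invented for the example.

```python
"""Password-guessing burst detection for RDP from failed-logon records (added example).

The CSV shape, addresses and accounts below are constructed; only the event
semantics (Event 4625 = failed logon, logon type 10 = RDP) are real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"   # RemoteInteractive; type 3 (Network) is excluded here

# Constructed sample: time, source IP, target account, logon type.
SAMPLE_EVENTS = """\
2022-09-01T10:00:01,203.0.113.7,Administrator,10
2022-09-01T10:00:02,203.0.113.7,admin,10
2022-09-01T10:00:03,203.0.113.7,pos,10
2022-09-01T10:00:04,203.0.113.7,POS1,10
2022-09-01T10:00:05,203.0.113.7,cashier,10
2022-09-01T10:00:06,203.0.113.7,root,10
2022-09-01T10:00:07,203.0.113.7,manager,10
2022-09-01T10:00:08,203.0.113.7,sa,10
2022-09-01T10:00:09,203.0.113.7,Administrator,10
2022-09-01T10:00:10,203.0.113.7,admin,10
2022-09-01T10:00:11,203.0.113.7,pos,10
2022-09-01T10:00:12,203.0.113.7,Admin,10
2022-09-01T10:03:00,198.51.100.5,cashier,10
2022-09-01T10:04:00,198.51.100.5,cashier,10
2022-09-01T10:05:00,203.0.113.9,svc_backup,3
"""


def parse_events(text: str) -> list[dict]:
    """Parse the constructed CSV into event dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, src, account, logon_type = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "account": account, "logon_type": logon_type})
    return events


def detect_bruteforce(events: list[dict], threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Return, per source IP, the densest run of >= threshold failed RDP logons
    inside any `window`, with the number of distinct accounts tried."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src"]].append(e)

    hits: dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (src not in hits or count > hits[src]["failures"]):
                accounts = {e["account"] for e in evs[start:end + 1]}
                hits[src] = {"failures": count, "distinct_accounts": len(accounts),
                             "first": evs[start]["time"], "last": evs[end]["time"]}
    return hits


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

Counting distinct accounts alongside the failure count separates a guessing run from a single user mistyping a password: twelve failures against nine different usernames from one address in eleven seconds is the pattern to alert on, while two failures for one account from another address stays below the threshold.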
Too early to write off POS malware
Group-IB researchers Nikolay Shelekhov and Said Khamchiev pointed out that POS malware has become less attractive because of security measures implemented by the card industry. Additionally, threat actors have adopted other effective tactics, such as JavaScript sniffers, to collect payment card data from eCommerce websites.
However, they warned that although fewer criminals were collecting data from magnetic stripes on payment cards, credit card dumps were more valuable than textual credit card data.
“Given how rare they are and for how many various fraudulent activities they can be used for, card dumps are usually more expensive than card text data,” the researchers stated.
Group-IB researchers further explained that fraudsters cannot make direct online purchases using card dumps. However, they can clone the stolen credit cards, withdraw cash from ATMs, or make in-person purchases in brick-and-mortar stores. Thus, card issuers must remain vigilant to detect stolen credit cards before threat actors can re-encode them onto cloned cards and make purchases.
According to the researchers, POS malware was a “severe threat” in regions where credit cards with magstripe were the primary payment processing mechanism, such as the United States.
“Given that the malware remains active at the time of writing this blog, the number of victims keeps growing,” the researchers warned.
Mike Parkin, a senior technical engineer at Vulcan Cyber, noted that while POS terminal security has improved, threat actors have not given up their former tactics and have “moved to other vectors to steal credit card information.”