
Another major credit card data leak in the US

This week we wrote about a high-profile story: the compromise of the large US retail chain Target. Credit card details of over 50 million Target customers were compromised. The attackers mounted a well-prepared attack on one of the company's servers, gained access to the internal network and used it to centrally install malicious code on the computers that serve the POS terminals. The malware, known as Trojan.POSRAM (iSight's name) or a new modification of BlackPOS, was used to capture credit card information at the moment of the payment transaction. In the media this malware was referred to as KAPTOXA, a name taken from the iSight report and from IntelCrawler's information. The latter pointed to one of our compatriots as the author of the malware.



After the Target compromise became public, another retail chain, Neiman Marcus, also announced the theft of credit card data in mid-December last year. That breach concerned payments made at in-store POS terminals; customers of the online store were not affected. Today it was reported that another large chain of stores, Michaels, is investigating a card data theft incident. Bank security teams have already recorded hundreds of cases of fraud involving card data stolen from Michaels.

It should be noted that a few days ago the FBI sent a private report to US retailers warning of upcoming attacks on POS terminals aimed at installing malware such as BlackPOS.

The report counts the cases in which such malware targeted POS terminals, meaning the checkout machines found in store checkout aisles, and the cardholder data passing through them.

Such malware targets the specific OS process in whose context the payment transaction is carried out: the process in which magnetic stripe (track) data is read and the PIN and other sensitive data are processed. Malware with these capabilities is usually called a memory grabber, memory parser or CC data parser, hinting that it searches the memory of the targeted process for patterns matching the data the terminal read from the card. Because the data is captured in memory between the swipe and the point where the payment application encrypts it, disk or network encryption of the transaction does not protect against it. For example, Trojan.POSRAM collects this data from the pos.exe process, writes it to a file on the system and sends it to a remote server as needed.
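The memory-scraping step described above, as an added example that is not code from the original post or from any of the malware families it mentions: a Python scanner that searches a memory buffer for ISO 7813 track 1 and track 2 records and keeps only PANs that pass the Luhn check. The same regex-plus-Luhn logic is what a memory grabber runs over the payment process; run over a memory dump of pos.exe (or any other process), it is also a quick way for a defender to confirm whether a terminal holds unencrypted track data at all. The buffer, the test card numbers and all names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample buffer (not captured from a real system): roughly what the
# memory of a payment process might contain right after a card swipe.
# The PANs are public test numbers; the third one deliberately fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS v2.1 txn=0031\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00"
    b"junk\x00;5500000000000004=25121011000012345678?\x00"
    b";4111111111111112=2512101?\x00"
    b"\xff\xfeconfig=ok\x00"
)

# ISO 7813 track layouts:
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%?B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^"
    rb"(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})[^?]{0,80}\??"
)
TRACK2_RE = re.compile(
    rb";?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})\d{0,30}\??"
)


@dataclass
class TrackHit:
    track: int
    offset: int
    pan: str
    expiry: str        # MM/YY
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; scrapers use it to drop digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits, the form a defender's report should use."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid track 1/2 record found anywhere in buf, ordered by offset."""
    hits: List[TrackHit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue                      # false positive: not a real account number
            yy = m.group("yy").decode("ascii")
            mm = m.group("mm").decode("ascii")
            hits.append(TrackHit(
                track=track,
                offset=m.start(),
                pan=pan,
                expiry=f"{mm}/{yy}",
                service_code=m.group("svc").decode("ascii"),
            ))
    hits.sort(key=lambda h: h.offset)
    return hits


if __name__ == "__main__":
    # Usage: feed a raw process memory dump instead of SAMPLE_MEMORY.
    for h in scan_memory(SAMPLE_MEMORY):
        print(f"track {h.track} @0x{h.offset:x}: {mask_pan(h.pan)} "
              f"exp {h.expiry} svc {h.service_code}")
```

Two design points carry over to detection: the Luhn filter is why a scraper's output is almost free of false positives, so a sudden increase in Luhn-valid 13-19 digit runs written to a file on a POS host is itself a usable indicator; and a payment application that never leaves cleartext track data in memory (point-to-point encryption at the card reader) gives this scanner, and the malware, nothing to find.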

The FBI report mentions the malicious tool Alina, which attackers can use to gather card data from the relevant process. It also has an update feature that lets its operators push new versions, which can make detection harder.

One of the Trojan.POSRAM samples is available on VirusTotal and has a detection rate of 33/50.

Source: https://habr.com/ru/post/210310/
