SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
9 Feb 2018

PoS malware steals credit card data via DNS requests

Malware hunters from US security firm Forcepoint have stumbled across a new strain of Point of Sale (PoS) malware, only the second PoS malware family seen hiding stolen credit/debit card information inside DNS requests.

The first PoS malware seen employing this technique was a lesser-known version of the NewPosThings PoS malware, named MULTIGRAIN, discovered in April 2016 by fellow US cyber-security firm FireEye.

But while MULTIGRAIN had been used in real-world attacks, Forcepoint says it did not find any evidence suggesting this new strain of PoS malware, named UDPoS, has claimed any victims so far. According to Forcepoint's Robert Neumann and Luke Somerville, UDPoS appears to be less sophisticated than recent strains of PoS malware, suggesting the individual or group behind it might just be taking their first steps in the realm of PoS systems.

The coding style and techniques seen within the malware can hardly be described as outstanding. Beyond the faulty evasion code noted above, using data files written to disk instead of working predominantly in memory – besides leaving unnecessary trails – is rarely the trademark of bleeding edge malware and, equally, there are more advanced ways of fingerprinting a PC and generating a report. That said, the method used in this sample does appear to get the job done.

These observations are important because most recently-detected strains of PoS malware are highly complex pieces of code, usually working in the computer's memory to avoid the detection of on-disk resources by security software.

The faulty or unsophisticated code, along with the reliance on on-disk artifacts, suggests the threat actor behind UDPoS is largely unsophisticated, or inexperienced when it comes to interacting with PoS systems.

No real-world detections of infected systems

This lack of experience is probably the main reason why the threat actors did not manage to get off to a good start with UDPoS. Forcepoint says it detected two "lures" that carried the malware. In one case the malware was hidden inside a LogMeIn installer, and in the other, inside a package advertising Intel upgrade services.

Both packages were detected last year, in October. The lack of any recent samples can mean two things. Either the UDPoS author gave up, or he found a way to avoid detection by security software.

In spite of the scathing review Forcepoint researchers gave some of UDPoS' code, it cannot be ruled out that threat actors found a way to upgrade their codebase with improved features.

Malware that hides data inside DNS requests is rare, mainly because it is hard to get it right. UDPoS threat actors are certainly smart enough if they implemented such a complex data exfiltration system, so don't be surprised if an improved version of UDPoS pops up in card breach incidents at hotel or restaurant chains in the future.
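A defender-side check for the technique described in this article, added here as an example that is not from the article or from Forcepoint: it parses constructed DNS query log lines and flags registrable domains that receive many distinct, long or high-entropy subdomains, the pattern a DNS-based exfiltration channel leaves in resolver logs. The thresholds, the "last two labels" domain heuristic and the c2-example.test placeholder domain are assumptions, not indicators from the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line ("time client qname qtype");
# the c2-example.test names are placeholders for an exfiltration domain, not real IoCs.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com A
10:00:02 10.1.1.5 4a6f686e20446f653b34313131313131313131313131313131313131.c2-example.test A
10:00:03 10.1.1.5 0011223344556677889900aabbccddeeff0011223344.c2-example.test A
10:00:04 10.1.1.5 mail.example.com MX
10:00:05 10.1.1.5 3b31323139303b3132333b303030303030303030303030.c2-example.test A
"""

def shannon_entropy(s):
    """Bits per character: encoded data scores high, ordinary hostnames score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if s else 0.0

def registrable_domain(qname):
    """Crude 'last two labels' heuristic (assumption: no public-suffix list available)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname, max_label_len=30, min_entropy=3.0):
    """Per-query indicators that the subdomain part is carrying data rather than a name."""
    labels = qname.rstrip(".").split(".")[:-2]  # subdomain labels only
    reasons = []
    if any(len(lbl) > max_label_len for lbl in labels):  # DNS allows 63, real names rarely need it
        reasons.append("long-label")
    if labels and shannon_entropy("".join(labels)) >= min_entropy:
        reasons.append("high-entropy")
    return reasons

def find_suspicious(log_text, min_unique_names=3):
    """Group queries by registrable domain and collect indicators per domain. Exfiltration
    emits a fresh subdomain per chunk (caching would otherwise swallow repeats), so a
    domain receiving many distinct names is flagged even if each name looks benign."""
    names_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        _ts, _client, qname, _qtype = line.split()
        names_by_domain[registrable_domain(qname)].add(qname)
    verdicts = {}
    for domain, names in names_by_domain.items():
        indicators = set()
        if len(names) >= min_unique_names:
            indicators.add("many-unique-subdomains")
        for name in names:
            indicators.update(score_query(name))
        if indicators:
            verdicts[domain] = sorted(indicators)
    return verdicts
```

Run over the constructed log, only c2-example.test is reported; the two example.com names stay clean because they are short, low-entropy and too few to trip the per-domain count.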

Tags: information leaks, fraud
Source: BleepingComputer