
A couple of POS Malware Steal Credit Card Data Worth Approx. $3.3 Mn

Cybercriminals used two strains of POS payment terminal malware to steal information from over 167,000 credit cards worth more than $3.3 million. The backend C2 server that runs the MajikPOS and Treasure Hunter malware is still operational, which has resulted in an increase in the number of victims.

The threat intelligence unit discovered the C2 server in April and discovered that the information of thousands of credit card holders was stolen between February 2021 and September 8, 2022.

Key figures

Almost all of the victims are Americans who have credit cards issued by American banks.
  • Group-IB examined around 77,400 card dumps from the MajikPOS panel and another 90,000 from the Treasure Hunter panel.
  • 97%, or 75,455, of the cards compromised by MajikPOS were issued by US banks, as were 86,411 of the cards found on the Treasure Hunter panel.

The researchers turned the information over to US-based law enforcement agencies; however, they have not attributed the payment terminal malware to any specific criminal group.

The malware infection

MajikPOS and Treasure Hunter scan the memory of infected Windows POS terminals, taking advantage of the window in which card data has been read from a card and is held in plain text in memory.
  • Treasure Hunter performs RAM scraping: it searches the register's memory for the magnetic-stripe data swiped from a customer's bank card during checkout.
  • MajikPOS likewise scans infected machines for card data, which it then sends back to the C2 server run by the malware's operators.
  • Compared with Treasure Hunter, MajikPOS has a more polished control panel, an encrypted communication channel to its C2, and more structured logs.

More about MajikPOS and Treasure Hunter

  • MajikPOS is the newer of the two POS payment terminal malware strains used in this campaign, having started to target devices in 2017.
  • The MajikPOS database tables record each infected device's geolocation, operating system name, and hardware identification number.
  • To infect a store with MajikPOS, the criminals scan networks for exposed and poorly protected VNC and RDP remote-desktop services. When they find one, they brute-force their way in, purchase access to or credentials for the systems, or both.
  • Treasure Hunter first appeared in 2014, and its source code was later leaked on a Russian-language forum. It is primarily RAM-scraping malware and is most likely installed in the same manner as MajikPOS.
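The initial-access pattern described above, a burst of failed remote-desktop logons from one source followed by a success, is something a POS operator can look for in Windows Security logs. The following detection is an added example (not code from Group-IB or the article) and runs over constructed, simplified renderings of events 4625 and 4624; it covers RDP only (logon type 10), since VNC servers log separately.

```python
"""Flag RDP password guessing followed by a successful logon on a POS host.

Added example, not code from the article or Group-IB. Event tuples are a
constructed, simplified view of Windows Security events:
4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, source_ip, target_user)
SAMPLE_EVENTS = [
    ("2022-09-01T02:10:01", 4625, 10, "203.0.113.7", "admin"),
    ("2022-09-01T02:10:03", 4625, 10, "203.0.113.7", "pos"),
    ("2022-09-01T02:10:05", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-09-01T02:10:08", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-09-01T02:10:09", 4625, 10, "203.0.113.7", "Administrator"),
    ("2022-09-01T02:10:30", 4624, 10, "203.0.113.7", "Administrator"),
    ("2022-09-01T08:00:00", 4625, 10, "192.0.2.5", "cashier"),   # one typo, then success
    ("2022-09-01T08:00:20", 4624, 10, "192.0.2.5", "cashier"),
]


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, user, success_timestamp) for every successful RDP logon
    preceded by at least `threshold` failed RDP logons from the same source
    within `window`. Hosts with only a few failures are not flagged."""
    failures = defaultdict(list)  # source_ip -> failure timestamps seen so far
    hits = []
    # ISO-8601 timestamps sort lexicographically, so sorting the tuples orders by time.
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type != 10:  # only RDP (RemoteInteractive) logons are relevant here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(t)
        elif event_id == 4624:
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= threshold:
                hits.append((src, user, ts))
    return hits


if __name__ == "__main__":
    for src, user, ts in find_bruteforce_then_success(SAMPLE_EVENTS):
        print(f"ALERT: {src} logged on as {user} at {ts} after repeated failures")
```

A hit of this kind on a terminal that should never accept remote-desktop logons from the internet is the moment to isolate the host and check its memory for the RAM-scraping components described above.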

Closing lines

Businesses and individuals who rely on credit cards as their primary means of payment continue to face a serious threat from POS malware. Organizations need to deploy an appropriate security framework to protect their users and customers.
Cyware Publisher
