US retailers are now the target of “TreasureHunt”, a malware family that steals credit card details from point-of-sale (POS) systems. The malware targets POS systems that accept payments by swiping a card; it does not target newer payment systems that accept only chip-based or PIN-based cards.
US retailers and others worldwide have been warned and instructed to switch to chip-based card acceptance systems because of the weaknesses in swipe-based systems. Cybercriminals are rushing to exploit those weaknesses and steal data while they still can. Once payment card data has been stolen, cybercriminals can use it to create cloned cards and make purchases with them.
How Malware Implantation Occurs
When a transaction takes place on a POS device, the card data is held in RAM in plain text for a certain period. TreasureHunt is a RAM-scraping malware: it reads this data from memory and then exfiltrates it to command-and-control (CnC) servers via HTTP POST. The stolen payment card information is then accessed through an interface on the CnC server.
Cybercriminals implant the malware on POS devices by exploiting networks with weak POS security configuration and remote access that lacks sufficient protection. They gain access through brute-force attacks and by using credentials stolen earlier. Once installed, the POS RAM scraper renames itself with a name that resembles a genuine process.
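The two behaviours just described, POST-based exfiltration from POS hosts and process-name masquerading, are both observable by defenders. The following script is an added example (not from the original article or from FireEye's analysis) that runs simple detection logic over constructed proxy log lines and a constructed process listing; the POS subnet, egress allowlist and expected binary paths are assumptions to be replaced with a site's own baseline.

```python
"""Flag TreasureHunt-style behaviour: HTTP POSTs from POS hosts to
unknown destinations, and processes whose name looks legitimate but
whose on-disk path does not. All sample data is constructed."""
import ipaddress
import re
from typing import Dict, List

# Assumption: POS terminals live in this subnet and may only talk to the
# payment processor and the patch server (constructed values).
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOWLIST = {"gateway.processor.example", "updates.corp.example"}

# Constructed proxy log, format: "<timestamp> <src_ip> <method> <host> <bytes>"
PROXY_LOG = """\
2016-03-01T10:01:02Z 10.20.0.15 GET updates.corp.example 512
2016-03-01T10:03:44Z 10.20.0.15 POST gateway.processor.example 2048
2016-03-01T10:05:10Z 10.20.0.17 POST 203.0.113.45 4096
2016-03-01T10:06:00Z 10.30.0.8 POST 203.0.113.45 300
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")


def suspicious_posts(log: str) -> List[Dict[str, str]]:
    """Return POSTs from POS hosts to destinations not on the allowlist."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, src, method, host, size = m.groups()
        if method != "POST" or ipaddress.ip_address(src) not in POS_SUBNET:
            continue  # only outbound POSTs from the POS subnet are of interest
        if host not in EGRESS_ALLOWLIST:
            hits.append({"ts": ts, "src": src, "host": host, "bytes": size})
    return hits


# Assumption: names a RAM scraper might borrow, mapped to where the genuine
# binary is expected to live (constructed; use your own baseline).
EXPECTED_PATHS = {"svchost.exe": r"c:\windows\system32\svchost.exe"}


def masquerading(processes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag processes whose name matches a known binary but whose path does not."""
    return [p for p in processes
            if EXPECTED_PATHS.get(p["name"].lower())
            and p["path"].lower() != EXPECTED_PATHS[p["name"].lower()]]


if __name__ == "__main__":
    print(suspicious_posts(PROXY_LOG))
    print(masquerading([{"name": "svchost.exe", "path": r"C:\Users\pos\svchost.exe"}]))
```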
TreasureHunt Malware Discovery
According to malware analysts at the cyber security company FireEye, which first observed this malware, it was named “TreasureHunt” because that name appears in its binary code. Different versions of TreasureHunt emerged between 2014 and 2016. The malware code also refers to “BearsInc”, a group or actor that sells stolen payment card information on underground forums dedicated to credit card fraud. The mention of the “BearsInc” name could mean that TreasureHunt was developed for a particular plan or operation, and cybercriminals seem to be rushing to carry out more attacks before magnetic-stripe credit cards stop being accepted for payment anywhere. The author of the TreasureHunt malware appears to use the alias “Jolly Roger”.
Ensuring POS Security against Malware Threats
There are established ways to ensure POS security on devices, and ignoring them puts both the merchant and the customer at risk. In plain terms, PCI DSS sets out requirements for devices that accept card data: notably, a well-maintained firewall, an anti-malware product with current definitions, changed default passwords, encryption of data in transit, and protection of stored card information. While TreasureHunt can only attack magnetic-stripe card data, attackers may in future find ways to reach even chip-based data. Advanced POS malware security solutions such as Comodo’s SecureBox cloud-based POS system help to securely containerize the POS application and provide cloud-based scanning to protect POS device data from TreasureHunt and other POS malware. As a precaution, users should immediately and proactively switch to chip-based credit cards.