A new kind of point-of-sale (POS) malware is currently active across North America and Canada. Dubbed MajikPOS by security researchers, it is a variant of FastPOS and ModPOS, both POS data-stealing malware families. It is believed to have stolen data from more than 23,400 credit cards since January 2017, while the infection campaign has been running since as early as August 2016.
MajikPOS differs from other POS malware in its modular approach. Its primary purpose is RAM scraping to steal card data, and for that it relies on a remote access Trojan (RAT). The RAT is first used to determine whether further infection of the compromised system would be worthwhile.
To gain a foothold, the attackers used Virtual Network Computing (VNC), Remote Desktop Protocol (RDP), weak and guessable login credentials, a RAT, FTP and a modified Ammyy Admin RAT. These give them access to the POS systems.
Once MajikPOS installs itself on a system, it contacts its command and control (C&C) server, which sends back configuration details. A component named Conhost.exe performs the RAM scraping, steals the track data from credit cards and sends it to the C&C server.
The stolen data is sold at “dump shops” for as little as $9 to $39 per card, and in bulk packages for up to $700 for 100 cards. An attacker called “MagicDumps” has been advertising the locations of the latest dumps, which appear to be in the US and Canada.
MajikPOS Malware Specialities
MajikPOS is unusual in that the attackers wrote the malware in .NET. It also uses encrypted communication, which makes it harder to detect. Further, the malware hides behind Windows OS file names to appear legitimate and escape the scrutiny of antivirus software.
The success of this malware can be attributed in part to the slow adoption of chip-based credit cards: MajikPOS targets magnetic-stripe credit and debit cards. Merchants across the US are increasingly adopting chip-and-PIN credit cards with end-to-end encryption (EMV), driven by the EMV liability shift of 2015 and the desire to move to a more secure standard; however, the US lags far behind Europe in adoption rate.
Just upgrading to chip-and-PIN credit cards is not enough; the EMV chip-and-PIN terminals must be properly configured. Even though many merchants have installed EMV chip-and-PIN point-of-sale machines, many have not yet configured PIN acceptance.
This is not to say that EMV chip-and-PIN cards will always remain 100% secure; it is just that it will take cyber thieves more time to break through EMV systems. Card payment processors do, however, report a decline in card fraud after the adoption of EMV chip-and-PIN cards and POS systems.
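The article notes that the scraper component is named Conhost.exe and that the malware hides behind Windows OS file names. A simple defender-side check that catches this class of masquerade is to compare each running process's image name against a baseline of Windows system binaries and flag any that run from a directory other than the one the real binary lives in. The script below is an added example written for this page, not code from the article or from any vendor; the baseline table, the process records and the `C:\ProgramData\Updates` path are constructed for illustration.

```python
"""Flag processes that borrow a Windows system binary's name but run from the wrong place.

Added example (not from the original article). The SYSTEM_BINARIES baseline is an
assumed, deliberately small table; a real deployment would build it from a known-good
POS image. ProcessRecord instances below are constructed sample data, not live output.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Legitimate Windows binaries and the only directories they should execute from.
# Assumed baseline for this example; extend it with the binaries on your own hosts.
SYSTEM_BINARIES = {
    "conhost.exe": {r"C:\Windows\System32"},
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows"},
}


@dataclass(frozen=True)
class ProcessRecord:
    """One running process: PID and the full path of its executable image."""
    pid: int
    image_path: str


def is_masquerading(proc: ProcessRecord) -> bool:
    """True when the image name matches a baseline binary but its directory does not."""
    path = PureWindowsPath(proc.image_path)
    allowed_dirs = SYSTEM_BINARIES.get(path.name.lower())
    if allowed_dirs is None:
        # Not a name we track; leave it to other checks.
        return False
    parent = str(path.parent).lower()
    return parent not in {d.lower() for d in allowed_dirs}


def find_masquerading(records):
    """Return the subset of process records that fail the location check."""
    return [p for p in records if is_masquerading(p)]


# Constructed sample process list. The conhost.exe under ProgramData and the
# svchost.exe under a user profile are the kind of entries this check should surface.
SAMPLE = [
    ProcessRecord(1234, r"C:\Windows\System32\conhost.exe"),
    ProcessRecord(4321, r"C:\ProgramData\Updates\conhost.exe"),
    ProcessRecord(555, r"C:\Windows\SysWOW64\svchost.exe"),
    ProcessRecord(777, r"C:\Users\pos\AppData\Roaming\svchost.exe"),
    ProcessRecord(888, r"C:\POS\app\pos.exe"),
]

if __name__ == "__main__":
    for p in find_masquerading(SAMPLE):
        print(f"suspicious: pid={p.pid} path={p.image_path}")
```

On a live host the records would come from the process list (for example `Get-Process | Select-Object Id, Path` in PowerShell, or `psutil.process_iter()` in Python) rather than the constructed `SAMPLE`. The comparison is deliberately on the parent directory, not the full path, so a renamed copy placed beside the real binary is still caught by a separate hash or signature check that this example does not include.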
How To Stay Secure against MajikPOS Malware