Showing posts with label Credit Card.

Sunday, December 6, 2015

Pro PoS - Malware Could Steal Your Christmas


Point of Sale (PoS) systems are the most tempting target for cyber crooks looking to steal your credit card information, so this Christmas you need to be more careful when using your credit cards at retailers and grocery stores.

Here's why…

Cyber criminals are now selling a new powerful strain of Point of Sale (PoS) malware through underground forums.

Like several PoS malware families discovered last year, including vSkimmer and BlackPOS, the new malware is also designed to steal payment card data from infected PoS systems and supports Tor to hide its C&C (Command and Control) servers.

Pro PoS – Light Weight, Yet Powerful Malware


However, the new malware, dubbed "Pro PoS," is more than just PoS malware.

Pro PoS weighs only 76KB and implements rootkit functionality as well as mechanisms to avoid antivirus detection, according to threat intelligence firm InfoArmor.

What's even more interesting about this malware is…

Pro PoS integrates a polymorphic engine that lets the threat generate a different signature for each malware sample – a measure designed to foil security defences.

InfoArmor warned that cyber crooks were actively using the current version of Pro PoS Solution in an effort to target PoS systems used by large retailers and SMBs in the United States and Canada specifically.

Pro PoS Malware found in the Wild


The developers of the Pro PoS malware are believed to be hackers from Eastern Europe, according to the security firm.

On November 27 (Black Friday), researchers at InfoArmor noticed a significant increase in the price of the Pro PoS Solution, which was offered at $2,600 for a six-month licence.

The developers of Pro PoS have designed their malware so that it infects the principal operating systems used by companies in the retail environment, including newer operating systems.

Russian Underground vSkimmer Botnet Targeting E-Payment

A new botnet has emerged from the underground and is menacing the payment world; the cyber threat, dubbed vSkimmer, comes from Russia according to a revelation by the McAfee security firm.

Security expert Chintan Shah wrote in a blog post that, while monitoring a Russian underground forum, he found a discussion about a Trojan for sale that can steal credit card information from Windows PCs used for financial transactions and credit card payments.

The vSkimmer agent is able to detect card readers on the victim's machine, gather information from the Windows host, and send it, Base64-encoded, to a remote control server.

The malware collects the following information from the infected machine and sends it to the control server:
  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version

vSkimmer is regarded as the successor of the popular Dexter, a financial malware that targeted Point-of-Sale systems to grab card data as it was transmitted during the sales flow.

Dexter is responsible for the loss of nearly 80,000 credit card records and data breach of payment card data of Subway restaurants in 2012.

According to security researchers at McAfee, vSkimmer has appeared in the underground forum since February and could be an ongoing project.

vSkimmer appears more sophisticated than Dexter despite being easier to use; it is an advanced tool for stealing credit card data from Windows hosts.

Exactly like its predecessor Dexter, vSkimmer is completely undetectable on the compromised host. vSkimmer waits for a named USB device to be attached to the compromised machine and, once it detects it, dumps the collected data to the removable device.

vSkimmer can also grab the Track 2 data stored on the magnetic stripe of credit cards. This track stores the card information, including the card number.

To be precise, Track 2 stores the card number, the three-digit CVV code, and the expiration date, all of which are necessary to qualify a card in payment processes.

On credit card information grabbing, the post states:

VSkimmer maintains the white listed process, which it skips while enumerating the running processes on the infected machine. Once vSkimmer finds any running process not in the white list, it runs Open Process and Read Process Memory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the white list.
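The Track 2 layout described above and the pattern quoted from the McAfee post share one shape: PAN, field separator, expiry, service code. The Python scanner below is an added example, not code from the post or from McAfee; it applies that shape defensively to constructed log lines (the kind of data a retailer owns and must never find track data in), confirms candidates with the Luhn check and masks the PAN in its output. The regular expression and the sample log are my own and are simpler than the one quoted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 (ISO/IEC 7813): ;PAN=YYMMSSS<discretionary>?  where '=' is the field
# separator (sometimes rendered as 'D'), SSS the service code, '?' the end sentinel.
# Own simplified pattern, not the one from the McAfee post.
TRACK2_RE = re.compile(
    r";?(?P<pan>[3-6][0-9]{12,18})[=D](?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]{0,20})\??"
)


@dataclass
class Track2Hit:
    masked_pan: str
    expiry: str        # YYMM exactly as stored on the stripe
    service_code: str
    luhn_ok: bool      # False means a digit run that merely looks like a PAN


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test; filters out most random digit runs that match the shape."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so the finding report does not re-leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(text: str) -> List[Track2Hit]:
    """Return every Track 2-shaped record found in text, Luhn result attached."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        hits.append(Track2Hit(mask_pan(pan), m.group("exp"), m.group("svc"), luhn_valid(pan)))
    return hits


# Constructed sample log: first line leaks a track record with the well-known test
# PAN 4111111111111111 (Luhn-valid); second line is a look-alike digit run (Luhn-invalid).
SAMPLE_LOG = (
    "2015-12-06 10:41:02 pos01 swipe ok data=;4111111111111111=18121011234567890?\n"
    "2015-12-06 10:41:09 pos01 debug blob=5555000011112223=19020000000?\n"
)

if __name__ == "__main__":
    for hit in scan_track2(SAMPLE_LOG):
        print(hit)
```

Run against real application or POS logs, a Luhn-valid hit is a PCI DSS storage violation worth an incident ticket; Luhn-invalid hits are usually noise.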

vSkimmer demonstrates the great interest of cyber crime in the payments sector; institutions have already been attacked in the past by malicious code such as Zeus and SpyEye, and this case is just “another example of how financial fraud is actively evolving and how financial Trojans were developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows,” Shah explained in his post. I found really interesting the fact that the offer of similar malware in the underground is increasing and their model of sale is reaching a level of excellence never seen before ... we face difficult times.