Trend Micro security researchers have announced the finding of MagikPOS, a point of sale malware known to attack businesses across the world.
According to them, this malware has been around since January this year, and over 23,000 credit cards across US and Canada have had their information exposed to criminals in the process. It is believed that this malware will continue to make the rounds in North America, although an international expansion is not unlikely either.
This particular type of malware has researchers concerned, even though it is not exactly unique. Several similar families have been discovered in recent months, all of which attempt to steal credit card data from point of sale devices. The big difference is in how MagikPOS is deployed. Every victim of this malware is mapped out in advance, indicating that the criminals behind MagikPOS carefully select their targets before making a move.
Interestingly enough, the MagikPOS malware is not distributed through physical access to the point of sale devices in question. Instead, the operators deploy it after they have already infiltrated the target's computer systems with a remote access trojan. So far, all of the victims had their systems compromised by such a RAT between August and November of 2016. Each of these remote access trojans helps the criminals determine whether or not their chosen target is worth exploiting further.
Assuming the victim is a valuable target, the criminals then use a mix of different tools to get MagikPOS onto the computer systems. So far, they have used a combination of remote desktop connections and FTP tools to install the malware itself. Finding a system that can be exploited without compromising the payload is the number one objective, although that is easier said than done. To date, over 23,000 credit cards have had their information extracted by this malware.
To be more specific, the malware extracts the track data from every individual payment card it can access. According to the report, this information includes the PIN code, allowing the criminals to sell it on the darknet as so-called “credit card dumps”. Researchers believe all major card issuers are affected by this malware, including American Express and Diners Club. This type of information fetches a good price on the darknet, especially when it contains everything needed to make a clone of the original credit card.
For the time being, it remains unclear who is responsible for creating the MagikPOS malware. Considering that it is written in the .NET programming language, which is extremely rare among malware authors, it is likely that researchers have never dealt with this adversary before. However, this does not mean the coders created a bug-free solution either. Further research is needed to determine whether a solution can be found to counter this malware altogether.