Future Fraud Trends

Beware of 'BlackPOS' malware in data breaches

On Sept. 15, a U.S. judge certified a class action suit against Target, which several banks brought against the corporation in the wake of its massive 2013 data breach. (See the Sept. 15 Reuters article by Joseph Ax.) Retailers like Target, Home Depot and Albertsons, among many others, are still paying for deficient security systems that allowed the "BlackPOS" malware (also known as "RAM Scraper" or "Kaptoxa") to infiltrate "point of sale" (POS) card swipe machines at cash registers and steal personally identifiable information (PII).

Hackers and cybercriminals are still developing variants of this devious malware, partly to circumvent EMV or chip cards. (Fraud Magazine will cover EMV technology in a future issue. Also see What CFEs should know about the U.S.'s approaching smart card transition, by Zach Capers, CFE, The Fraud Examiner. – ed.)

BlackPOS disguises itself as an installed service of a known anti-virus vendor software to avoid being detected and, consequently, deleted in the infected POS system.

Cybercriminals have various options. They can run this malware with the name of the infected anti-virus company with the company's "Framework Management Instrumentation," or they can use the uninstall option to delete the anti-virus software. (Framework Management Instrumentation is infrastructure for management data and operations on Windows-based operating systems.)

The RAM scraping routine begins as a thread (the process of communicating with the "3C server" and the infected system terminal) when the installed service begins. (The 3C server — "Command and Control Center" — is the centralized computer that issues commands to a botnet and receives reports back from the affected terminal.)

It can only start its main routine after breaking the firewall and registering the malware. Like all POS malware, BlackPOS checks the terminal's memory for sensitive information to steal. However, even here, BlackPOS shows some sophistication; for example, some variants are only set to carry out information theft between 10 a.m. and 5 p.m. Any stolen information is stored in a .TXT or .DLL file depending on the variant.


For full access to story, members may sign in here.

Not a member? Click here to Join Now. Or Click here to sign up for a FREE TRIAL.