    TrendLabs Security Intelligence Blog

    Author Archive - Numaan Huq (Senior Threat Researcher)

    2014 became the year that placed PoS (point-of-sale) threats in the spotlight. Make no mistake—PoS threats have existed for years. However, the Target data breach last January was the first incident that made the general public notice this threat.

    2014: the Year of PoS Malware

    While the Target breach may have been the first PoS-related incident of 2014, it soon became clear that it wouldn’t be the last. By the end of the third quarter of the year, six new variants of PoS RAM scraper malware were found—the same number of variants found between 2011 to 2013.

    What makes this development more interesting is that these new variants either borrowed the functionality of their predecessors or are direct evolutions of older PoS RAM scraper families.  For example, Backoff is a predecessor of Alina. Backoff was reported to have been used in attacks aimed at Dairy Queen and United Parcel Service (UPS).

    This is not to say that these were the only variants that were active in 2014. The much publicized breach experienced by Home Depot was linked to a known PoS family called BlackPoS—the same malware family used in the Target data breach. PoS malware was also spotted right before Thanksgiving weekend in the US—the weekend known for holiday shopping. Another PoS malware, called LusyPoS, was seen in Russian underground forums.

    PoS-related Activities in the Underground

    Due to the growing popularity of PoS RAM scrapers as a tool for quick monetary gain, development kits promptly started surfacing in the cybercriminal underground. One such tool is VSkimmer, a builder tool for PoS RAM scrapers that emerged in 2013.

    After stealing credit card data via RAM scrapers, most scammers then proceed to sell the stolen credit cards in batches in forums. Transactions are completed using Bitcoins, Western Union, MoneyGram, Ukash, and WebMoney, among others, as these offer convenience and anonymity to both buyers and sellers.

    Much like legitimate businesses, supply and demand heavily affect the underground. Different card brands have different unit prices in the underground carder marketplace based on availability and demand. Buying credit card data in bulk reduces the unit price, in some cases by up to 66%.

    One curious discovery is that the unit price of Discover and American Express (AMEX) cards is higher than the unit price of Visa and MasterCard cards. This is because AMEX and Discover card data are harder to come by compared to the commonly found Visa and MasterCard card data; rarer data costs more. Unfortunately, there is no definite reason why AMEX and Discover card data is seen as more lucrative than Visa and MasterCard card data.

    Expanded Targets

    The expansion of PoS-related activities in 2014 also saw the expansion of targets. Scammers have already ventured outside the shopping mall to hit newer targets like airports, metro stations, and parking lots.

    Researchers from security firm Census presented data about PoS attacks targeting travelers at airports. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, etc. The researchers were able to craft a simple attack that allowed them to scrape passenger information from these kiosks. Security firm IntelCrawler talked about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionalities.

    Parking lots/garages became a popular target for scammers to steal payment information. A U.S. parking facility service provider suffered from a compromise of their payment processing systems in 17 parking facilities. Another parking service, Park ‘N Fly, also suffered a data breach that saw stolen information used in schemes involving fraud. Another service,, was the victim of the cybercrime gang behind the Target and Home Depot breaches.

    The Future of PoS Attacks

    So what does the future hold for PoS attacks?

    With PoS RAM scrapers becoming prominent threats, big businesses will be investing heavily in cybersecurity to prevent targeted attacks of this type. Cybercriminals will thus refocus on SMBs (small and medium-sized businesses), as these may not necessarily have the cybersecurity budgets enterprises have to prevent PoS breaches. We will see a high volume of SMBs get compromised, and collectively that might account for a bigger breach than compromising enterprises.

    Implementation of new measures like the new Europay, MasterCard and Visa (EMV) standards and the PCI DSS v3.0 compliance standards will significantly change the PoS playing field for cybercriminals. These two measures will come into full effect by October 2015—expect to see a decline in PoS data breaches as the cybercriminals attempt to figure out new efficient hacks into the upgraded systems and environments. It might take them a couple of months, possibly well into mid-2016, before they can start fully breaching the PoS environments again.

    Given all of the above, cybercriminals are sure to find new methods for data breaches via third-party vendors who have access to enterprise/corporate networks. These will remain the weakest link in the chain and the ones which will be exploited the most as they will not have the same level of security as enterprises.

    There has been a lot of law enforcement agency focus on investigating these data breaches but so far, no big arrests have been made. Some of these agencies will be closing investigations and making arrests that will make headlines.

    Posted in Malware

    The celebration of Thanksgiving and Black Friday last week marks the start of the holiday shopping season for the majority of the world. For most, this means vacations, family, friends, traveling, and of course, shopping. This is also the time for watching feel-good holiday movie reruns on television. One of my favorite movies is a Steve Martin comedy from the ‘80s called “Planes, Trains & Automobiles.” This blog post is not about that movie but it does borrow heavily from its title.

    PoS Malware, Now Mainstream

    It should be remembered that it was around this time last year that U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware. Since the start of this year, point-of-sale (PoS) malware has become mainstream and attacked merchants both big and small. 2014 is also the year when we saw PoS malware mature as a threat. New PoS threats have emerged in time for this year’s holiday shopping season and we even managed to get a peek inside a PoS scammer’s toolbox.

    PoS malware has been mostly constrained to retailers and merchants, but it now looks like PoS malware has branched out from shopping malls to airports, metro stations, and parking lots.


    Researchers from security firm Census presented an interesting paper about point-of-sale attacks targeting travelers at DEFCON2014 last August. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, etc. Their investigations were carried out inside an airport in Greece. They targeted a centrally located kiosk in the terminal’s public space. The kiosk supported functionality for passengers to purchase Wi-Fi credits, make VoIP calls, and scan their tickets to check flight times. They found the kiosk had Internet connectivity, exposed USB ports, poor keyboard input sanitization, no installed antivirus software, and administrator privileges.

    The researchers created custom malware and infected the kiosk using a simple web attack. Airlines use the Bar Coded Boarding Pass (BCBP) on tickets, which contain passenger information; BCBP specifications can be found using a simple Google search. The scanned BCBP data—either printed ticket or QR code on mobile phones—is decoded in the kiosk’s RAM. Knowing the BCBP format allowed the researchers to scrape the data from the kiosk’s RAM using the same techniques PoS RAM Scrapers use to steal payment card data. Their experiments demonstrate an attacker could easily infect the kiosks with payment card data stealing PoS malware.


    Security firm IntelCrawler recently blogged about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionalities. IntelCrawler displayed a picture of a compromised ARST ticket-vending kiosk in Sardinia, Italy. The attackers gained access into the ticket-vending kiosk using Virtual Network Computing (VNC). Customers purchase bus and train tickets from these ticket-vending kiosks, making them lucrative targets for harvesting payment card data. One of the recently discovered PoS RAM scraper families, NewPosThings, attempts to harvest VNC passwords from compromised systems. Other PoS RAM scrapers like BrutPOS and Backoff use Remote Desktop Protocol (RDP) to access the compromised systems.


    News came out last week on Friday that a professional parking facility service provider suffered from a compromise of their payment processing systems in 17 parking facilities in the US. A third-party vendor maintains the parking facility’s payment card systems. The attacker used the third-party vendor’s Remote Access Tool (RAT) to gain access to the payment processing systems. The attacker then installed malware that harvested the payment card data collected at the parking facilities. The third-party vendor was not using two-factor authentication for remote access, which made it easier for the attacker to gain entry and exploit the systems. The company’s parking facilities were infected in Chicago, Cleveland, Evanston, Philadelphia, and Seattle—basically, a coast-to-coast infection.

    New Targets

    From these three cases, we can make the following observations:

    • The cybercriminals are incorporating remote administration functionalities in the PoS malware. This is because the RAT + RDP/VNC functionality allows them entry into payment/e-services kiosks.
    • Any Internet-connected device that processes payment card data should be viewed as a target, regardless of its location. Users should never assume that e-service kiosks in airports, train stations, or even parking lots have the same or right level of security as in other kiosks.
    • In a connected world, security policies need to transcend borders. The responsibility of security rests on several key players: the device manufacturer, the service providers/vendors, and even the banks and credit card brands–all to protect consumers.

    Additional information and appropriate solutions for PoS malware can be found in our paper, “PoS RAM Scraper Malware: Past, Present, and Future.”

    Update as of December 17, 2014, 12:08 PM PST

    Reports say that a data breach recently hit another parking service or some component of its online card processing system. The Atlanta-based offsite airport parking service, Park ‘N Fly, allows customers to reserve parking slots via an online reservation system. According to Park ‘N Fly’s statement: “While we believe that our systems are very secure, including SLL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated.”

    Park ’N Fly provides parking related services all over the United States and owns, leases, and manages 16 off-airport parking properties in 14 markets, in addition to operating a network for pre-booked parking for 85 affiliates across the US.

    Posted in Malware

    The computer security industry will always remember 2013 as the year the U.S. suffered one of the largest data breaches in history. In a targeted attack, U.S. retailer Target was compromised during the Christmas shopping season using the BlackPOS malware, a PoS RAM scraper family. According to estimates, cybercriminals stole 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers.

    Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach that involves U.S. retailer Home Depot using a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected, and it is speculated this data breach might surpass the Target breach in terms of volume of data stolen.

    In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows.

    Figure 1.The evolution of the PoS RAM scraper family

    Posted in Bad Sites

    While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. Card Recon is a commercial Data Leakage Prevention (DLP) product used by merchants for PCI compliance. (The contents of this archive are detected as TSPY_POCARDL.AI and SPYW_CCVIEW.)

    It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards. The cracked Card Recon software I found in the RAR archive dates back to 2011:

    Link date: 9:14 AM 3/11/2011
    Publisher: Ground Labs
    Description: PCI DSS CHD Scanner
    Product: Card Recon
    Prod version: Release 1.14.7
    File version: Release 1.14.7
    MachineType: 32-bit

    Hunting for other samples using this cracked version of Card Recon returned more archive files; two interesting ones in the lot were a RAM scraper bundle and a keylogger bundle. Bad guys using a commercial DLP solution wasn’t that surprising, but it got me thinking: why validate? Aren’t the regexes used to collect the data enough?

    The short answer is the criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace. Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility.

    We first need to understand payment card numbers (i.e., debit and credit card numbers) in some detail. The format of these numbers is specified in ISO/IEC 7812. The 16-digit numbers used have the following format:


    The first six digits of the card are known as the Issuer Identification Number (IIN), and the very first digit of the IIN is the Major Industry Identifier (MII). The major card networks – Visa, MasterCard, Discover, and American Express (AMEX) – all have unique IIN ranges that identify which institution issued the card. The individual account number is of variable length (up to 12 digits), and the final digit, C, is a check digit calculated using the Luhn algorithm.

    The Luhn algorithm is a simple checksum formula (defined in the ISO specification) designed to catch any errors in the previous 15 digits. All 16 digits are stored in the magnetic stripe of the card in distinct magnetic tracks (Track 1 and Track 2), together with other information needed to process transactions. All this is defined in ISO/IEC 7813.

    The precise definition of how the Track 1 and 2 data is stored on cards allows POS RAM scraper malware to use regular expression (regex) patterns to search for these in RAM. Here’s an example regex for finding Track 1 data:


    Depending on the complexity of the necessary regex, it might also incorrectly capture garbage data from RAM in addition to the target data. A well-defined regex will return clean results, but may be computationally expensive compared to a looser regex. When the goal is to capture data from the RAM quickly, efficiency is more important than quality, especially when the validation can be done offline on the exfiltrated data.

    Remarkably, though, there are some purist malware authors who believe in writing good code. One such POS RAM scraper example was written in Visual Basic and actually implemented the Luhn algorithm:

    Figure 1. Implementation of Luhn algorithm

    The malware will use the regex to capture data from the RAM and then use the function Luhn to validate the data. This function takes a string as input and returns a Boolean value: true or false. Invalid data is discarded, and the malware exfiltrates only valid results.

    While this code is functional, it’s not particularly suitable for high-volume data collection: it’s just too computationally intensive. Using an offline DLP solution like the cracked Card Recon is ideal. If you recall the massive Target data breach from last year, pragmatically validating 70 million payment cards is best done outside any compromised network.

    Going back to the POS RAM scraper with cracked Card Recon software, I discovered that the DLP tool identifies (using IIN) the following cards: AMEX, Discover, Diners Club, JCB, Visa, MasterCard and Test/Others. The “Test/Others” checks the numeric string is Luhn-valid, but doesn’t map it to any specific card brand.

    I used an online fake credit card number generator to generate different brands of Luhn-valid credit card numbers and then used the Card Recon DLP tool to scan my drive for valid credit card numbers. (It should be noted that the DLP tool only validates the payment card number and not the entire Track 1 and 2 data.)

    Figure 2. Cracked Card Recon tool

    The tool incorrectly identified some Python libraries as containing Luhn-valid test credit card numbers, which supports the point I made previously about regexes misfiring and collecting garbage data. To a carder, the full package (account number, expiry date, and the CVC1/CVV1 codes found in Track 1 and 2 data) is extremely important. Combined, these fetch a higher price in the underground carder marketplace than the card number alone. Carders use regexes to collect both Track 1 and 2 data, and validating the captured card numbers theoretically implies that the rest of the data is valid as well.

    Figure 3. Files detected by Card Recon
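    The pieces described above (the Luhn check over ISO/IEC 7812 card numbers, IIN-based brand identification of the kind Card Recon reports, and the way a cheap digit regex picks up Luhn-valid garbage from unrelated files such as Python libraries) fit together in a small DLP-style scanner. The Python below is an added example, not code from this post, from the malware, or from Ground Labs. Its IIN prefix table is a simplified assumption covering only the brands listed for Card Recon, the `scan` function and `SAMPLE` text are constructed for illustration, and the card numbers in it are the widely published industry test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Deliberately loose pattern: any run of 13-19 digits not adjacent to other
# digits. As the post notes, both scrapers and DLP tools favour cheap patterns
# and leave the expensive validation to a later pass.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) over all digits, including the final check digit."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 fold back to a single digit
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Map a Luhn-valid number to a brand by IIN prefix and length.

    Assumption: simplified, commonly cited public ranges; real issuer tables
    are longer and change over time. "Test/Others" mirrors Card Recon's bucket
    for Luhn-valid numbers that match no known brand.
    """
    n = len(pan)
    if n == 15 and pan[:2] in ("34", "37"):
        return "AMEX"
    if n == 14 and (pan[:2] in ("36", "38") or "300" <= pan[:3] <= "305"):
        return "Diners Club"
    if n == 16 and "3528" <= pan[:4] <= "3589":
        return "JCB"
    if n == 16 and (pan[:4] == "6011" or pan[:2] == "65"
                    or "644" <= pan[:3] <= "649"):
        return "Discover"
    if n in (13, 16) and pan[0] == "4":
        return "Visa"
    if n == 16 and "51" <= pan[:2] <= "55":
        return "MasterCard"
    return "Test/Others"


def scan(text: str) -> List[Tuple[str, str]]:
    """Run the loose regex over text, then validate each hit offline.

    Returns (candidate, verdict) pairs so the false positives stay visible.
    """
    results = []
    for m in PAN_RE.finditer(text):
        cand = m.group(0)
        if luhn_valid(cand):
            results.append((cand, card_brand(cand)))
        else:
            results.append((cand, "rejected: Luhn"))
    return results


# Constructed scan target: two receipt lines with industry test numbers, a
# "library" with large integer constants, and a build log with a timestamp id.
SAMPLE = """\
receipt.log: auth ok card=4111111111111111 exp=1612
receipt.log: auth ok card=378282246310005 exp=1701
mathlib.py: PRIME_SEED = 1234567890123456
mathlib.py: MAGIC = 1234567812345670
build.txt: job-id 20141129183012000
"""

if __name__ == "__main__":
    for cand, verdict in scan(SAMPLE):
        print(f"{cand:>20}  {verdict}")
```

    Running it shows the behaviour the post describes: the regex flags five digit runs, the Luhn pass rejects two of them, and `MAGIC = 1234567812345670` survives as "Test/Others" because a random constant happens to satisfy Luhn, which is exactly how a DLP tool ends up flagging a Python library. The brand table is the cheap part; the expensive part in practice is maintaining accurate IIN ranges.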

    One may then ask: is all this information valued equally in the underground marketplace? Surprisingly, the answer is no, and it all has to do with supply and demand.

    Our recent revisit of the Russian underground showed how the price of credit cards in the underground marketplace has declined over the years. However, the variation in prices of different brands of credit cards still exists. Checking various carder sites, I found some representative prices for “validated” US-based credit cards:

    Table 1. Card prices (per card, in US dollars)

    Two things to take away from this. First, buying credit card data in bulk reduces the unit price, in some cases by up to 66%. Secondly, the unit price of Discover and AMEX cards is higher than the unit price of Visa and MasterCard cards.

    This is because AMEX and Discover card data are harder to come by compared to the commonly found Visa and MasterCard card data; rarer data costs more. Unfortunately, I failed to find good reasons as to why AMEX and Discover card data is seen as more lucrative than Visa and MasterCard card data. Is it because compromised AMEX and Discover cards are less likely to be detected? Do they carry larger credit limits? Are they accepted with a higher level of confidence? We can’t say for sure.

    From this investigation we conclude:

    • POS RAM scraper malware regexes used to collect Track 1 and 2 data are observed to be computationally lightweight. This may be to cope with the high volume of data being processed, and to remain stealthy. Exceptions to this obviously exist, but the mainstream RAM scraper families generally don’t implement Luhn validation in code.
    • Card data validation is usually done offline on the exfiltrated data using readily available hacked/cracked DLP tools (e.g., Card Recon) or homebrew tools. In addition to validation, the carders also separate out the different card brands.
    • Different card brands have different unit prices in the underground carder marketplace based on availability and demand.

    Update as of 12:35 AM PDT, June 4, 2014

    Ground Labs, the publisher of Card Recon, has released a blog post discussing the modified versions of their software used by cybercriminals. They reiterated that legitimate copies of Card Recon should only be downloaded from their website or their partners.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice