Point of sale malware found – could be in the wild, claims security company.
New malware that steals data from payment cards has been detected in point of sale (PoS) terminals.
According to a blog post by IT security company Forcepoint, the malware is disguised as a LogMeIn service pack that generates “unusual” DNS requests.
Further investigation found that the malicious code was designed to steal magnetic stripe payment card data, rather than lift data from the more secure Chip and PIN system.
Dubbed UDPoS by Forcepoint, owing to its heavy use of UDP-based DNS traffic, the malware’s probable targets include restaurants and hotels, said researchers.
At this stage it is unclear to what extent the malware has been released into the wild. However, the coordinated use of LogMeIn-themed filenames and C2 URLs, coupled with evidence of an earlier Intel-themed variant, suggests that it may have been, said Forcepoint.
Malware not advanced
Forcepoint said that it has been in contact with LogMeIn throughout the investigation to determine whether its products or services may have been abused as part of the malware deployment process, but no evidence of this has been found.
“It appears that the use of LogMeIn-themed filenames and C2 domains by the actors behind the malware is a simple lure and ‘camouflage’ technique,” said Forcepoint’s researchers.
They added that the malware is not as advanced as LockPOS and doesn’t appear to work as intended. “It seems it’s looking for specific AV and virtual machine software to shut down, but it only works for one type at the moment.
“It is unclear at present whether this is a reflection of the malware still being at a relatively early stage of development/testing, or a straightforward error on the part of the developers.”
Forcepoint explained that under normal circumstances a good firewall would detect and prevent DNS exfiltration, while “thoughtful patching and administration practices would stop the unusual service pack being installed”.
Internet of Business says
Researchers said that UDPoS highlights the fact that exfiltrating stolen credit card data can, and will, result in unusual patterns of activity on the machines (in this case, DNS traffic). By identifying and reacting to these patterns, businesses – both PoS terminal owners and suppliers – can close down this type of attack swiftly.
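The detection point made above (DNS exfiltration shows up as an unusual query pattern from the affected machine) can be illustrated with a small log analyser. The code below is an added example written for this article, not Forcepoint's tooling or anything from the UDPoS report; the log lines, host addresses, domain names and the three thresholds are all constructed for the demonstration. It parses resolver log entries, flags query names whose subdomain labels are long and high-entropy (the shape that hex-encoded stolen data takes when it is packed into DNS labels), and then raises an alert only for clients that send several such names in the window, so a single hash-like CDN hostname is not enough on its own.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client-ip> <qtype> <qname>" per line.
# Addresses and names are made up for this example; ".example" is a reserved TLD.
SAMPLE_LOG = """\
2018-02-08T10:00:01 10.0.5.21 A www.example.com
2018-02-08T10:00:02 10.0.5.21 A content-delivery-node-01.example.net
2018-02-08T10:00:03 10.0.5.40 A 4d5a90e3b7c1f628a0d9e5b2c71f8346.update-service.example
2018-02-08T10:00:03 10.0.5.40 A f1e2d3c4b5a697800a1b2c3d4e5f6789.update-service.example
2018-02-08T10:00:04 10.0.5.33 A 3e7a1f5c9b2d68049c8b7a6f5e4d3210.static-content.example
2018-02-08T10:00:04 10.0.5.40 A 9c8b7a6f5e4d32103e7a1f5c9b2d6804.update-service.example
2018-02-08T10:00:05 10.0.5.21 A mail.example.org
2018-02-08T10:00:05 10.0.5.40 A b4c9d2e7f0a315866f2e8d1c7b0a9435.update-service.example
"""

# Thresholds are illustrative; in practice they are tuned against a baseline of the
# site's normal DNS traffic rather than fixed in code.
SUSPECT_LABEL_LEN = 20          # encoded data tends to produce long, fixed-width labels
SUSPECT_ENTROPY = 3.8           # bits per char; hex-encoded data approaches 4.0, hostnames sit lower
SUSPECT_QUERIES_PER_CLIENT = 3  # several such names from one client within the window


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into its four fields; raises ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields, got %d: %r" % (len(fields), line))
    ts, client, qtype, qname = fields
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def registered_domain(qname):
    """Last two labels of the name; adequate for this sample, a public-suffix list is needed for real data."""
    return ".".join(qname.split(".")[-2:])


def is_suspicious_name(qname):
    """True when the subdomain part looks like encoded data rather than a hostname."""
    labels = qname.split(".")
    sub = labels[:-2]  # everything in front of the registered domain
    if not sub:
        return False
    longest = max(len(label) for label in sub)
    entropy = shannon_entropy("".join(sub))
    return longest >= SUSPECT_LABEL_LEN and entropy >= SUSPECT_ENTROPY


def analyze(log_text):
    """Return (per-client statistics, clients exceeding the suspicious-query threshold)."""
    per_client = defaultdict(lambda: {"total": 0, "suspicious": 0, "domains": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        stats = per_client[rec["client"]]
        stats["total"] += 1
        if is_suspicious_name(rec["qname"]):
            stats["suspicious"] += 1
            stats["domains"].add(registered_domain(rec["qname"]))
    flagged = {
        client: stats
        for client, stats in per_client.items()
        if stats["suspicious"] >= SUSPECT_QUERIES_PER_CLIENT
    }
    return dict(per_client), flagged


if __name__ == "__main__":
    _, alerts = analyze(SAMPLE_LOG)
    for client, stats in sorted(alerts.items()):
        print("ALERT %s: %d/%d queries look like encoded data, domains=%s"
              % (client, stats["suspicious"], stats["total"], sorted(stats["domains"])))
```

Run against the sample, the only client reported is 10.0.5.40, which sent four long hex-label names to one domain; 10.0.5.33 sent one hash-like name and stays below the threshold, and 10.0.5.21's ordinary hostnames are never counted. The same per-client view is what a firewall or resolver with query logging would need in order to act on the "unusual DNS requests" the researchers describe.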