201303-BlackPOS

This is information on a capability, not details on a specific breach.

March 2013 Point Of Sale Skimmers (BlackPOS)

BlackPOS is malware that infects unpatched Windows computers with attached point of sale scanners. The malware copies charge card data and transmits it for criminal use.

Group-IB, a security and computer forensics company based in Russia, has identified five such infections in the past six months. The most recent one had a video demonstration of its control panel published by the malware’s author. The video suggests that payment cards issued by U.S. banks including Chase, Capital One, Citibank, Union Bank of California and Nordstrom Bank, have already been compromised. Group-IB has identified the live command-and-control server and has notified the affected banks, VISA and U.S. law enforcement agencies about the threat. PC World article
 
Detect and remove BlackPOS (per Enigma Software, per SpyWareRemove.com)

2/04/2014 Krebs interviews two BlackPOS researchers.

http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retailer/

8/29/2014 New variant seen

TSPY_MEMLOG.A has several new capabilities, including masking itself as an antivirus (AV) tool. It still scrapes the memory (RAM) in which consumer credentials exist in plain text. By listing running processes it optimizes its performance by skipping processes known not to contain the desired information. Excluded are common processes such as smss.exe, services.exe, svchost.exe, spoolsv.exe, ctfmon.exe and explorer.exe, and some common applications, including the browsers firefox.exe and chrome.exe. This new variant also contains some non-code text expressing strong anti-American opinions.

Read the article from TrendMicro. They also publish an easy-to-read 18-page white paper on point of sale breaches that describes ALINA, vSkimmer, Dexter, FYSNA (also known as Chewbacca) and Decebel, as well as BlackPOS.

9/07/2014 Home Depot hit by BlackPOS.

Clues buried within this newer version of BlackPOS support the theory put forth by multiple banks that the Home Depot breach may involve compromised store transactions going back at least several months. In addition, the cybercrime shop … over the past few days [early September 2014] pushed out nine more large batches of stolen cards onto his shop, all under the same “American Sanctions” label assigned to the first two batches of cards that originally tipped off banks to a pattern of card fraud that traced back to Home Depot. Likewise, the cards lifted from Target were sold in several dozen batches released over a period of three months … shop. Read whole article from Krebs on Security

[Text in square brackets is ours. -ed]

More on skimmers

