Samiksha Jaiswal (Editor)

BlackPOS Malware


BlackPOS, also described as interprocess communication hook malware, is point-of-sale (POS) malware designed to be installed on a POS system in order to scrape debit and credit card data. It differs from a generic memory scraper, which dumps everything in memory and then needs filters to extract the target data: BlackPOS hooks specifically into the track data, which is why it is called an interprocess communication hook. Once installed, it looks for the pos.exe process on the system and parses Track 1 and Track 2 financial card data, the data stored on the magnetic stripe on the back of the card, out of that process's memory. The scraped data is then encoded with a base64 algorithm and written to a file on the infected system, and the encoded file is moved to a second machine over SMB. BlackPOS was the malware involved in the Target Corporation data breach of 2013.


History

The BlackPOS program first surfaced in early 2013 and affected many Australian, American, and Canadian companies that ran point-of-sale systems, such as Target and Neiman Marcus. The malware, also known as 'reedum' or 'KAPTOXA', was originally created by 23-year-old Rinat Shabayev and later developed by 17-year-old Sergey Taraspov, better known by his online name 'ree4'. The original version of BlackPOS was sold on online black-market forums by Taraspov for around $2,000, but it became cheaper and more readily available once the source code leaked onto the web.

How It Works

BlackPOS infects Windows computers that have card readers attached and are part of a POS system. POS computers are easy to infect when they run outdated operating systems or antivirus software, or when the back-end database systems use weak administrative login credentials. BlackPOS is memory-scraping malware in the usual sense, with the difference that it confines itself to the pos.exe process on the infected POS system. Once a POS system is infected, the malware locates the process that handles the card reader and steals payment card Track 1 and Track 2 data, the information stored on the magnetic stripe of payment cards, from that process's memory. The stolen data can be written onto blank cards and sold on the black market or used directly, so the consumer's card data is compromised and usable by anyone who obtains it. Unlike other POS malware such as vSkimmer, BlackPOS has no offline data extraction method: captured data is uploaded to a remote server over the network, so the attackers do not need to be near the infected systems to retrieve it. To avoid detection, operators may also program BlackPOS to send stolen data only during certain time frames, hiding the exfiltration traffic inside normal working-hours traffic so that nothing looks suspicious.

Incidents

BlackPOS has been used to steal customer data from businesses worldwide. The best-known attack was the 2013 breach of the retail chain Target.

Target

During the Thanksgiving period of November 2013, Target's POS systems were infected with BlackPOS. It was not until mid-December that the retailer became aware of the breach. The attackers got into Target's systems by compromising a company web server and uploading the BlackPOS software to Target's POS systems. As a result, credit and debit card data for more than 40 million customers, and names, addresses, phone numbers and other personal information for more than 70 million, were stolen from Target's systems. In the end, about 1,800 U.S. Target stores were affected by the malware.

Neiman Marcus

Target was not the only business affected. Neiman Marcus, another well-known retailer, was hit as well: its systems were said to have been infected in early July 2013, and the breach was not fully contained until January 2014. It is believed to have involved 1.1 million credit and debit cards over several months. Although card data was compromised, Neiman Marcus stated that Social Security numbers and birth dates, among other data, were not affected. Companies such as UPS, Wendy's and Home Depot have also reported breaches attributed to BlackPOS, although some reports state that those breaches were not caused by this malware.

Detection

There are two ways to detect BlackPOS activity in POS systems, both derived from how the malware works:

  • identifying the transfer of encoded track data over Server Message Block (SMB)
  • recognizing attempted SMB writes to a fixed drop location

Transfer of Encoded Track Data

The first strategy uses the fact that the first 15 characters of stolen track data always consist of digits (the primary account number comes first). Only a limited number of input combinations are therefore possible for the leading bytes, so the encoded output has a predictable prefix that can be matched on the wire. In particular, encoding the inputs "000" to "999" always produces a string beginning with one of: "M1", "Mf", "Mh", "Ml", "T1", "Tf", "Th", "Tl", "sh", or "sl". Note that plain base64 does not yield these prefixes for all-digit input (its first output character for a leading digit is M, N or O), so the list reflects the encoding table of the analysed sample; a detection for a different encoder has to enumerate its own prefix set in the same way.
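To show how such a prefix set is derived and then used as a two-stage check, here is an added example (not code from the page, from Security Intelligence, or from the malware). It assumes standard base64 as the encoder, so the ten prefixes it computes differ from the ten quoted above, which belong to the sample's own encoding table; the enumeration is the same and would reproduce that list if run against the real encoder. All payloads are constructed.

```python
import base64

# Added example; not code from the page or from BlackPOS. The encoder is
# standard base64 (assumption), so the derived prefix set differs from the
# malware's own alphabet quoted in the text; the reasoning is identical.

HEADER_DIGITS = 15   # leading characters of a scraped track that are always digits


def encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def encoded_prefixes(encode_fn=encode, probe: int = 2) -> frozenset:
    """All values the first `probe` output characters can take when the input
    begins with ASCII digits. A base64-style encoder maps each 3-byte input
    group to 4 output characters, so enumerating "000".."999" is exhaustive
    for probe <= 4."""
    return frozenset(encode_fn(f"{n:03d}".encode("ascii"))[:probe] for n in range(1000))


PREFIXES = encoded_prefixes()   # ten 2-character prefixes for standard base64


def looks_like_encoded_track(blob: bytes) -> bool:
    """Cheap prefix filter first (what an IDS content match does), then the
    authoritative check: decode and confirm the all-digit header."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    if text[:2] not in PREFIXES:
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= HEADER_DIGITS and raw[:HEADER_DIGITS].isdigit()


def flag_payloads(payloads) -> list:
    """Indices of payloads that look like encoded track data."""
    return [i for i, p in enumerate(payloads) if looks_like_encoded_track(p)]


# Constructed samples: an encoded Track 2 record using the public Visa test PAN,
# an ordinary base64 string, a base64 string that passes the prefix filter but
# fails the digit check, and a blob that is not base64 at all.
SAMPLE_PAYLOADS = [
    base64.b64encode(b"4111111111111111=25121011000000000000?"),
    base64.b64encode(b"hello world, nothing to see"),
    base64.b64encode(b"00xyz" + b"a" * 20),
    b"not base64 at all!",
]

if __name__ == "__main__":
    print(sorted(PREFIXES))
    print(flag_payloads(SAMPLE_PAYLOADS))
```

The ten prefixes that come out of `encoded_prefixes()` are exactly what you would put into an IDS content alternation; the second stage exists because a two-character prefix alone fires on any base64 payload that happens to start with a digit, as the third sample shows.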

SMB Writes to Drop Location

The second way to identify BlackPOS network activity is the file it drops at a fixed location with a fixed filename format. An example given by Security Intelligence checks whether a file whose path and name match the following pattern is being written:

WINDOWS\twain_32\*_*_*_*.txt

The strategy can be demonstrated with the following OpenSignature rule. It matches the path in its UTF-16LE wire form (each character followed by a |00| byte) inside an SMB request to port 445 whose command byte |A2| is SMB_COM_NT_CREATE_ANDX, the SMB1 command used to open or create a file:

alert tcp any any -> any 445 (msg:"KAPTOXA File Write Detected"; flow:to_server,established; content:"SMB|A2|"; content:"|00|W|00|I|00|N|00|D|00|O|00|W|00|S|00|\|00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00|"; pcre:"/.*_.*_.*_.*.|00|t|00|x|00|t/"; sid:1;)

Two caveats apply. The rule assumes the SMB1 header layout, where the command byte immediately follows the "SMB" signature, so it will not fire on SMB2, whose command field sits elsewhere in the header. And the drop path is specific to the variant that was analysed, so a rebuilt sample that writes somewhere else will not trigger it.
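As an added example (not code from the page, from Security Intelligence, or from the malware), the following models what the rule above checks in plain Python: it takes an SMB1 frame, confirms the command byte is NT Create AndX (0xA2), and content-matches the UTF-16LE file name against WINDOWS\twain_32\*_*_*_*.txt. Like the IDS rule it does not fully parse the NT_CREATE_ANDX parameter block; the frames it runs on are constructed by the helper at the bottom, and the 32-byte SMB1 header layout is the only protocol detail it relies on.

```python
import re

# Added example; not code from the page, the Security Intelligence post or the
# malware. It models what the OpenSignature rule checks: an SMB1 NT Create AndX
# request (command byte 0xA2) whose file name, carried as UTF-16LE, matches
# WINDOWS\twain_32\*_*_*_*.txt. All frames are constructed.

SMB1_SIGNATURE = b"\xffSMB"
SMB_COM_NT_CREATE_ANDX = 0xA2
SMB1_HEADER_LEN = 32          # fixed-size SMB1 header; the request body follows


def utf16le(s: str) -> bytes:
    return s.encode("utf-16-le")


# One path field in UTF-16LE: any non-NUL, non-backslash code unit. As with the
# rule's pcre, a '*' field may itself contain '_', so "{3}" means "at least
# three underscores between the directory and the .txt suffix".
_FIELD = rb"(?:[^\x00\\]\x00)+"
DROP_PATH_RE = re.compile(
    re.escape(utf16le("WINDOWS\\twain_32\\"))
    + _FIELD + (rb"_\x00" + _FIELD) * 3
    + re.escape(utf16le(".txt")),
    re.IGNORECASE,            # Windows paths are case-insensitive
)


def extract_smb1_body(frame: bytes, command: int):
    """Return the request body if frame is an SMB1 message with the given command."""
    if len(frame) <= SMB1_HEADER_LEN or not frame.startswith(SMB1_SIGNATURE):
        return None
    if frame[4] != command:   # command byte directly follows the 4-byte signature
        return None
    return frame[SMB1_HEADER_LEN:]


def detect_drop_write(frame: bytes):
    """Return the matched drop path (decoded) if frame is an NT Create AndX
    request for a BlackPOS-style file name, else None."""
    body = extract_smb1_body(frame, SMB_COM_NT_CREATE_ANDX)
    if body is None:
        return None
    m = DROP_PATH_RE.search(body)
    return m.group(0).decode("utf-16-le") if m else None


def build_nt_create_frame(path: str, command: int = SMB_COM_NT_CREATE_ANDX) -> bytes:
    """Constructed SMB1 frame: 32-byte header (signature, command, zeroed
    fields), a 24-word parameter block as NT Create AndX uses, ByteCount, then
    the NUL-terminated UTF-16LE file name. Only the fields the detector
    inspects carry meaningful values."""
    header = SMB1_SIGNATURE + bytes([command]) + b"\x00" * 27
    name = utf16le(path) + b"\x00\x00"
    params = b"\x18" + b"\x00" * 48                # WordCount = 24, zeroed words
    return header + params + len(name).to_bytes(2, "little") + name


if __name__ == "__main__":
    print(detect_drop_write(build_nt_create_frame("\\WINDOWS\\twain_32\\1_2_3_4.txt")))
    print(detect_drop_write(build_nt_create_frame("\\WINDOWS\\twain_32\\readme.txt")))
```

A read request (command 0x2E) for the same path, or a file in the same directory without the three underscores, returns None, which mirrors the rule's two content matches; a frame that starts with the SMB2 signature (0xFE "SMB") is rejected before the path is even examined, which is the SMB1-only caveat noted above.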

Prevention

According to the PCI Security Standards Council, businesses should keep their anti-malware software updated to lower the chance of infection. System logs should be checked regularly for irregular activity on servers, and outbound traffic monitored for large files being sent to unknown destinations. Companies should also require that all login credentials be changed regularly and give staff guidance on creating stronger passwords.
