2 weeks ago

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries


Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.

A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.

Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of the HTTP that has been used by most POS malware in the past. This malware is also thought to be the first of its kind.

Besides using ‘unusual’ DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while transferring stolen payment card data past firewalls and other security controls.

“We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests,” Forcepoint researchers said in a blogpost published Thursday. 

“Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.”

The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disables if it finds any. The researchers say it’s unclear “at present whether this is a reflection of the malware still being in a relatively early stage of development/testing.”

Although there is no evidence of the UDPoS malware currently being in use to steal credit or debit card data, Forcepoint’s tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not compromised the LogMeIn service itself—it’s just impersonated. LogMeIn itself published a blog post this week, warning its customers not to fall for the scam.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” LogMeIn noted.

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a brand-new product or update.”

According to Forcepoint researchers, protecting against such a threat could be a tricky proposition, as “nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications,” yet DNS is still often treated differently, providing a golden opportunity for hackers to leak data.
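Because DNS is often inspected less closely than other traffic, resolver logs are a natural place to look for this kind of leak. The Python sketch below is an added example, not code from Forcepoint or from this article: it applies a generic heuristic for data carried in DNS labels (many unique, long, high-entropy subdomains under one zone from one client), not UDPoS's actual query format. The log format, thresholds, and the `c2.example` and `shop.example` names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parent_zone(qname):
    # Assumption: naive "last two labels" split; use a public-suffix list in production.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def flag_dns_exfil(lines, min_unique=5, min_len=20, min_entropy=3.0):
    """Return sorted (client, zone) pairs whose queries look like data packed into labels."""
    seen = defaultdict(set)  # (client, zone) -> unique subdomain strings
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        _, client, qname = parts
        zone = parent_zone(qname)
        sub = qname.rstrip(".").lower()[: -len(zone)].rstrip(".")
        if sub:
            seen[(client, zone)].add(sub)
    flagged = []
    for key, subs in seen.items():
        payloads = [s.replace(".", "") for s in subs]
        suspicious = [p for p in payloads
                      if len(p) >= min_len and entropy(p) >= min_entropy]
        if len(suspicious) >= min_unique:
            flagged.append(key)
    return sorted(flagged)

# Constructed sample log, "<time> <client> <qname>"; not taken from UDPoS traffic.
_B = "0123456789abcdef"  # stand-in for encoded data
SAMPLE_LOG = [f"12:00:0{i} 10.0.0.5 {_B[i:] + _B[:i]}.{_B[::-1]}.c2.example"
              for i in range(6)]
SAMPLE_LOG += ["12:01:00 10.0.0.9 www.shop.example",
               "12:01:01 10.0.0.9 mail.shop.example",
               "12:01:02 10.0.0.5 www.shop.example"]

if __name__ == "__main__":
    for client, zone in flag_dns_exfil(SAMPLE_LOG):
        print(f"review DNS traffic from {client} to *.{zone}")
```

The thresholds need tuning against a baseline of normal traffic, since some legitimate services also generate long, random-looking hostnames.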

Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect on targeted systems.
