How to Avoid 2020 Online Shopping Threats

The shopping season is upon us and, as in previous years, cybercriminals are preparing multiple ways to target the online shopping community, including phishing attempts to steal financial details, malspam campaigns distributing malware and more. In fact, while examining the credit card trade on the Dark Web during 2019, we discovered that the highest number of stolen cards offered for sale on dedicated marketplaces was in November 2019, with over 32M cards. We should take into consideration that this data contains duplicates, since cybercriminals are likely to try to sell the stolen data in multiple marketplaces.

In this post we will provide you with some tips for ensuring a secure shopping spree and we will also take a look at recent attacks and how attack groups operate to target online shoppers and vendors.

Are you shopping online this season? Here are essential Do’s and Don’ts for you:

  • Be extra aware of phishing attacks, especially with emails requesting you to verify or update your account details, register to get a free item or a coupon, etc.
  • Verify the URL address of the platform you are about to buy from – make sure it is the URL address of the official website of the desired brand.
  • Check that the platform you are shopping on is secured – look for an HTTPS URL, a trusted certificate, etc.
  • Do not open attachments sent from unknown sources, especially ones requesting that you enable macros or editing permissions in order to open them.
  • Avoid clicking on ads of any kind, especially during the shopping season.
  • Do not download apps from unofficial App stores, especially shopping-themed apps.
  • Check app permissions and update your mobile operating system on a regular basis.
  • Use 2FA or OTP protocols if provided by the service vendor.

What you see isn’t always what you get: Scam Websites and Fake Domains

Fake domains of popular brands can be used in spam or phishing campaigns that are carried out via mail, SMS, social media platforms and more. In last year’s shopping season, 124,000 suspicious domains were detected, abusing names of 26 brands. The most targeted brands were Apple, Amazon and Target.

This year, we researched how many domains with the word “Amazon” were registered during the first week of November 2020. We detected over 600 recently registered domains with no official connection to Amazon in their registration details. Although it seems that many of them are not yet “operational”, as they do not lead to an active website, some of them certainly look suspicious, for example: verification-amazonservices.com (detected as a phishing website by several AVs), account-verificationamazon.com, amazon-login-verify.com (detected as suspicious by one AV) and even amazon-black-friday.com (first created in 2010 and re-registered each year since then).

Scam websites usually use a similar web design and interface to the legitimate online shopping platforms, and therefore it is recommended to check the website’s domain or URL address before purchasing goods using your credit card.

A fake website of Taobao, a Chinese online shopping platform (the upper one) and the legitimate website (bottom)
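One way to triage newly registered domains that embed a brand name, using the domains quoted above as input (an added example, not code from the original post). The allowlist, the lure-word list, the digit folding and the two-label registrable-domain shortcut are assumptions; a production tool should use the Public Suffix List and the brand's real domain inventory.

```python
# Added example: triage of domains that embed a brand name.
# Assumption: allowlist of the brand's own registrable domains (illustrative, incomplete).
OFFICIAL_DOMAINS = {"amazon": {"amazon.com"}}

# Assumption: lure words taken from the quoted domains and common phishing themes.
LURE_WORDS = ("verify", "verification", "login", "account", "secure",
              "update", "black-friday", "coupon")

# Digit-for-letter swaps often used in lookalike names (assumed mapping).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host):
    """Return the last two labels of a host name.

    Simplification: names under multi-label suffixes such as co.uk need the
    Public Suffix List to be split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(host, brand):
    """Classify a host as official, unrelated, review or suspicious."""
    host = host.lower().rstrip(".")
    official = OFFICIAL_DOMAINS.get(brand, set())
    reg = registrable_domain(host)
    if reg in official:
        return {"host": host, "verdict": "official", "reasons": []}

    folded = host.translate(HOMOGLYPHS)
    if brand not in folded:
        return {"host": host, "verdict": "unrelated", "reasons": []}

    reasons = ["contains '%s' but registrable domain is %s" % (brand, reg)]
    if brand not in host:
        reasons.append("brand only appears after digit-to-letter folding")
    # The brand's real domain placed in front of another registrable domain.
    if any(host.startswith(d + ".") or "." + d + "." in host for d in official):
        reasons.append("official domain used as a subdomain label")
    lures = [w for w in LURE_WORDS if w in folded]
    if lures:
        reasons.append("lure words: " + ", ".join(lures))

    # A bare brand substring alone only merits manual review.
    verdict = "suspicious" if len(reasons) > 1 else "review"
    return {"host": host, "verdict": verdict, "reasons": reasons}


SAMPLE_DOMAINS = [
    "www.amazon.com",
    "verification-amazonservices.com",   # quoted in the post
    "account-verificationamazon.com",    # quoted in the post
    "amazon-login-verify.com",           # quoted in the post
    "amazon-black-friday.com",           # quoted in the post
    "amazon.com.example.net",            # constructed
    "amaz0n-shop.example",               # constructed
    "amazonia-tours.example",            # constructed
]

if __name__ == "__main__":
    for name in SAMPLE_DOMAINS:
        result = triage(name, "amazon")
        print(result["verdict"].ljust(10), name, "|", "; ".join(result["reasons"]))
```

The "review" verdict exists because a brand substring on its own is weak evidence, which matches the post's observation that many of the registered domains are not yet operational.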

Keep your systems updated to avoid E-skimming attacks (AKA: Magecart attacks)

E-skimming is one of the most popular ways these days to carry out credit card fraud. Cybercriminals usually exploit a vulnerability in the e-commerce or online payment platform (usually in third-party components) in order to inject malicious code that captures the user’s credit card data and sends it to its operators. Once they hold the data, cybercriminals will probably sell it on the Dark Web or use it to make additional purchases.

Magecart is the name given to this type of attack and to the cybercriminals behind it, who usually target platforms running outdated versions of Magento (exploiting flaws such as CVE-2017-7391 and CVE-2016-4010 in Magento) and embed malicious JavaScript code into the compromised platform. In fact, Magecart attacks are so common that in September 2020, it was reported that approximately 2,000 e-commerce platforms were targeted in one weekend.

E-skimming attacks can also be carried out by accessing the e-commerce network using administrative credentials. These can be obtained via phishing, brute-force attacks, or a cross-site scripting attack that redirects users to a malicious website with JavaScript code. Access to networks of online shopping platforms is also traded on Dark Web forums, allowing threat actors to gain access to databases containing users’ details.

Cybercriminal offers access to a shopping platform on the Dark Web. This can be also used for e-skimming attacks. Source: Verint LUMINAR

Of note, nation-state groups were also spotted using this attack vector in the wild. In July 2020, researchers found that the North Korean group Lazarus was behind a series of Magecart-style attacks against multiple e-commerce stores around the world.

Therefore, it is vital for organizations that operate online payment platforms to keep them updated and secured. We really can’t stress this enough. It is also recommended to use tools that will help detect such malicious injections and monitor suspicious activities in order to block them on time.
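A minimal script-inventory check of the kind such detection tooling performs on a checkout page, added here as an example (not code from the original post). The host names, the sample HTML, the placeholder integrity value and all function names are constructed assumptions.

```python
# Added example: compare the <script> inventory of a checkout page against an
# approved baseline. All hosts and HTML below are constructed for illustration.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []       # (src, integrity attribute or None)
        self.inline_hashes = []  # sha256 hex digest of each inline body
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append((attrs["src"], attrs.get("integrity")))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._buf = None


def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def audit(html, page_host, allowed_hosts, known_inline):
    """Return findings for scripts that are not part of the approved inventory.

    First-party files are skipped here; they need server-side file-integrity
    monitoring, which this page-level check does not replace.
    """
    found = collect(html)
    findings = []
    for src, integrity in found.external:
        host = urlparse(src).hostname or page_host  # relative URL = first party
        if host == page_host:
            continue
        if host not in allowed_hosts:
            findings.append(("unapproved-host", src))
        if not integrity:  # presence only; the browser verifies the value
            findings.append(("missing-sri", src))
    for digest in found.inline_hashes:
        if digest not in known_inline:
            findings.append(("unknown-inline", digest))
    return findings


PAGE_HOST = "shop.example"
ALLOWED_HOSTS = {"cdn.payments.example"}

# Constructed baseline: the page as reviewed and approved.
BASELINE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>initCheckout({currency: "USD"});</script>
</body></html>"""

# Constructed "after" page: two script tags that were never reviewed.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://stats-cdn.example/a.js"></script>\n'
    "<script>/* constructed: unreviewed inline script */ track();</script>\n"
    "</body>",
)

KNOWN_INLINE = set(collect(BASELINE_HTML).inline_hashes)

if __name__ == "__main__":
    for kind, detail in audit(TAMPERED_HTML, PAGE_HOST, ALLOWED_HOSTS, KNOWN_INLINE):
        print(kind, detail)
```

The same allowlist can be enforced in the browser with a Content-Security-Policy `script-src` directive, so that an unapproved host is blocked as well as reported.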

The spamming season: Spam campaigns are used for malware distribution

In the shopping season of 2018, a massive spam campaign distributing Emotet targeted online shoppers worldwide, especially in North and Latin America and the UK. Emotet is an infamous malware, active since 2014, that was first detected as a banking Trojan, but these days it is often used as a downloader or a dropper for additional Trojans or even ransomware. It is usually distributed via worldwide spam campaigns and malicious attachments that request users to enable macros. During last year’s shopping season, approximately 130 million malware attacks and ~640,000 ransomware attacks were detected in the US. Based on what we’ve seen in the past few years, it is expected that malware operators will try to lure victims via shopping-themed emails and malicious attachments.

The world goes mobile: The rise in malicious mobile apps

Each year, malicious shopping-themed apps target unaware users during the shopping season, which is why it is recommended to download mobile apps from official platforms and to check the reviews. However, in January 2020, a new Trojan dubbed “Shopper” was spotted leaving fake application reviews on Google Play on behalf of the infected device’s owner, leaving users unable to trust app ratings. The Trojan was also detected turning off the Google Play Protect feature in order to download additional apps without safety checks, using the victim’s Google or Facebook account to register to popular shopping and entertainment apps, spreading advertisements, etc. Infections were spotted worldwide, including in Russia, Brazil and India.

Additional malicious shopping season-themed Android apps were spotted in 2019 luring users with coupons, discounts and other shopping hacks. Some of them were detected sending sensitive information from the infected devices to their operators or containing adware used to spread malicious advertisements.

To conclude, the shopping season is open for all, including cybercriminals who are trying to maximize their gain. Awareness is the key when it comes to what shoppers can do to keep safe, whereas vendors need to take additional measures during these times to avoid financial loss, reputational damage and customer abandonment.

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of

MitM Attacks Pick Up Speed – A Russian Coder Launches a New Web Injection Coding Service

In a successful MitM attack, the hacker infiltrates a web session between a bank and a bank customer, intercepts the messages they are exchanging, including credentials and classified information, and injects new messages, all without arousing the suspicion of either party.

In most cases, the injections are tailored to the victim. In other words, the victim sees a website purporting to belong to the specific bank whose site the victim is attempting to access. The injections are delivered via banking Trojans such as Zeus. On closed forums, injections are sold as separate modules for banking malware.

Web injections are sold on a Russian underground forum

On one of the leading Russian-language cybercrime forums, we recently discovered a new thread offering web-injection services. The author was selling a large variety of injections for banks and online services in the United States and Canada.

According to the thread, the service includes an administration panel for managing the infected machines and stolen data, the ability to change the victim’s banking account balance (after a money transfer was performed), the ability to grab answers to security questions, and many other features.

The prices are quite affordable and vary from $50 to $150, though it should be noted that anyone wishing to carry out an MitM attack should already possess a botnet of machines infected with banking Trojans. When the victim tries to access his bank account, the attacker intercepts the session and displays a fake webpage that is very similar to the real bank’s site. The victim is asked to fill in login credentials, answer security questions, provide credit card data, and more. The attacker immediately receives the information through the administration panel and can use it to transfer the money, while the victim receives a connection error and simply tries to connect to the bank’s website one more time.

Detecting such an attack can be difficult, since one failed connection to the bank website or minor differences between the design of the fake page and that of the real page do not usually arouse the victim’s suspicions. In addition, as mentioned above, the account balance that the victim sees does not change after the money has been stolen.

The seller has launched a website to promote sales of the injections he coded. The site contains samples of injections for banks in the United States and Canada and for online services such as PayPal and Ebay. The targeted banks are Wells Fargo, HSBC, Citizens Bank, Scotiabank, RBC Bank, and many more. There was a section in the site indicating that European institutions will be targeted in the future.

Example of injection for a bank, published on the dedicated website

 

School Is Now in Session – The Spread of Hacking Tutorials in the Deep and Dark Web

One of the most common posts seen on hacker forums is “Hello, I’m new and I want to be a hacker.” Any aspiring hacker must learn coding, networking, system security, and the like, and increasingly, hacking forums are responding to this demand and providing tutorials for those who wish to learn the basics quickly.

Hacking forums have two main kinds of tutorial sections, one open to any forum member and the other exclusively for VIP members. In this post we will review two case studies from closed forums, one from the onion network and the other from the Deep Web.

Case Studies

The first tutorial, taken from a closed forum in the onion network, is actually four tutorials wrapped together to teach POS (point-of-sale) hacking. It includes a list of essential malware and software for POS hacking. While it starts with a basic overview of POS and of RAM (random-access memory) scraping, it very quickly dives into explanations that require an advanced understanding of hacking.

POS tutorial in the onion network

The second tutorial is a basic PayPal hacking tutorial, taken from a closed forum on the Deep Web and oriented toward noobs (beginners). It is actually more about scamming than hacking. It notes that one way to get user details is to hack vulnerable shopping sites using SQL injections and explains how to check whether the stolen user details are associated with a PayPal account. It also mentions that user details can simply be acquired from posts on the forum.

PayPal tutorial on closed forum

What is really interesting is that this practical forum has many tutorial sections and sub-sections (we counted six), which raises an interesting question: Why do hackers share?

Motives

There is no one answer to this question, but we can divide hackers’ motivations into four categories:

  • Self-promotion – One of the differences between regular hackers and good hackers is reputation. The most obvious way for hackers to improve their reputation is of course to perform a good hack, but they can also enhance their reputation by being part of a well-known hacking team or displaying vast knowledge, such as by publishing tutorials. It appears that Red, a junior member of the onion network forum who is not known and has a small number of posts, is increasing his value in the eyes of other forum members and site administrators by publishing tutorials, including the POS tutorial. This improved reputation can give him new privileges, such as access to the forum’s VIP sections. In most cases, tutorials shared for this reason range from beginner to intermediate level and can be understood by almost any beginner.
  • Site promotion – Commerce in hacking forums hiding deep in the Internet works like any other free market: if you have the right goods, people will come and your business will boom, but if your shop does not look successful, customers will stay away. Hacking forums, like other businesses, compete for the attention of their target audience. The PayPal tutorial was published by BigBoss, a site administrator, who was probably seeking publicity for the site. To ensure that there is a large number of tutorials on the site, the administrators publish their own from time to time. These can be very simple (as in this case) or very specialized and technical (such as those offered in closed forum sections).
  • Financial gain – As we noted, these forums are businesses, and like any business, they need to sell products in order to make a profit. They can do this by creating VIP sections with unique content (such as special tutorials) open to paying members only, as opposed to VIP sections based on reputation or Individual members also use the forums for financial gain and sell more concrete items—malware, credit cards, and the like—or more abstract items, like knowledge in the form of tutorials or lessons. In most cases the tutorials are very advanced, with extensive details, so that their creators can charge for them.

A forum member selling his knowledge

  • Knowledge sharing — Sometimes, people share their knowledge without any ulterior motive. This is usually done in a closed section of a forum and only with prime members or a group of friends. In this case, the knowledge shared varies according to the group and can be state-of-the-art or very simple.

Conclusions

In a society based heavily on information, we cannot escape the frequently rehashed concept that “knowledge is power.” As the technology world continues to evolve and the hacker community along with it, the need for “how to” knowledge is growing. Tutorials provide beginners with an effective gateway into the world of hacking and expose advanced users to new methods of operation. For us, the observers, they provide a small glimpse into developing trends, attack methods, methods of assessing hacker knowledge, and much more.

Australian Banks Targeted by Russian Malware for Android Devices

Introduction

Several months ago, while monitoring Russian underground forums, we came across a new malware designed to attack Android smartphones via a social engineering vector, luring victims into providing their banking data, as well as credit card details to the attackers.

The malware is dubbed GM BOT, and it has been offered for rent since October 2014 on a Russian underground forum dealing with malware development and sales. The price was $4,000 for one month, and this later dropped to $2,000. In January 2015, the renter of the GM BOT posted about deploying the malware on an Australian botnet, including screenshots of banking details from Australian banks.

Later, in February 2015, the renter posted examples of Man-in-the-Middle (MitM) attacks that can be carried out by his malware, two of them presenting fake login pages to Australian banks.

GM BOT Capabilities

The first version of the malware was released on October 29, 2014 and according to the thread, it is designed to collect banking and credit card details. The data collection from the infected devices is performed via a social engineering vector, when fake pages are presented to victims. The tool works in different ways:

  • Collection of VBV data by using a fake Google Play application (Luhn algorithm is used for validation).
  • Scanning the mobile phone for installed banking services, and presenting dialog boxes for filling in confidential data.
  • Checking for email and social media accounts linked to the phone (Gmail, Facebook, Twitter, etc.) and presenting dialog boxes for filling in confidential data.

In addition, the malware is capable of intercepting and blocking incoming SMS messages (to prevent alerts from the bank from reaching the victim), as well as incoming call redirection, GPS data monitoring and more. The malware received highly positive feedback from other forum members, as suitable for cybercrime activity.

Initially, the thread’s author specified that the bot would be rented to five clients – Russian speakers only. On November 3, 2014, the renter announced that all five clients had been found, and that the ad was no longer relevant. However, one month later, on December 2, he posted about updates to GM BOT’s capabilities, saying that he was looking for more clients. The new version of the bot enables its operator to create JS or HTML dialog boxes that are presented to the victim, thus expanding the number of accounts whose credentials can be obtained.

The Australian Link

On January 13, 2015, the author posted again. This time the post included screenshots showing the results of GM BOT activity. According to the post, 165 users in Australia were infected on January 10. 68 of these were communicating back with the C&C infrastructure at the moment of the post. Screenshots of the collected data were attached.

Credit card data and banking credentials of Australian bank clients, collected by GM BOT

On February 12, 2015, another post regarding GM BOT was uploaded by the author, focusing on its MitM attack capabilities. According to this post, the bot can inject JS or HTML code into a running application, thus showing the user fake pages for drawing out data.

It should be mentioned that the malware distribution method is not included in the rented product. This means that the attacker who purchases the malware delivers it to the victims by a method of his choosing, spam emails for instance.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to people’s lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices was also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Turkish Hacking Group Cyber Warrior’s e-Magazine: TeknoDE

Cyber Warrior is one of the biggest hacker groups in Turkey. The group was established in 1999. Their first significant cyber-attack was in 2003, when they launched a massive operation against 1,500 U.S. websites in protest against the American invasion of Iraq and a specific incident where Turkish military personnel in northern Iraq were captured and interrogated by the U.S. Army.

Turkish Hacking Group Cyber Warrior

Cyber Warrior (CW) comprises teams for strategy, intelligence, logistics, R&D and a dedicated unit for waging cyber-attacks named Akincilar. In recent weeks, for example, Akincilar has attacked official government websites of countries that, in their opinion, discriminate against their Muslim populations.

Additionally, CW has been active developing cyber tools and improving others. They even write instructional manuals on cyber security and have established a Cyber Academy, where they provide online training.

In September 2014, the group published their first monthly e-Magazine. The magazine is published on their online platforms and it includes cyber news items from the IT world, new technologies, cyber security, hacking news, programming and more.

September 2014 issue of TeknoDE

In their first issue, they featured a cryptography contest with the top prize of a book, mug and mouse pad.

Cryptography Contest

In their October issue, they reviewed the recently discovered Shellshock vulnerability, shared information on how to locate a lost mobile phone and discussed ways to hack into Gmail accounts, and aircraft and satellite systems.

October 2014 issue of TeknoDE

A couple of weeks ago, they produced the November 2014 issue, featuring articles about credit card frauds, new Android malware and interviews with Cyber Warrior founders.

November 2014 issue of TeknoDE

 

Currently, the magazine is in Turkish and it increases awareness of the Cyber world for users, while promoting an interest in cyber security among them.

Members of the website and readers of CWTeknoDE will not only be motivated to hack, but with this magazine they will have a chance to learn more about the cyber world, and methods and vulnerabilities.


Cyber Threats to a Bank – Part 1: Cybercriminals Target Financial Institutions

Banks and other financial institutions often serve as key targets for malicious activity committed in cyber space. Owing to their large-scale financial operations, banks have always attracted scammers and thieves searching for easy ways to get rich quick. The rapid development of technologies used in the different industries has shifted banking operations to a much more virtual level, opening up new, sophisticated ways for criminal actions to be perpetrated. Aside from traditional, profit-motivated cybercrime, a large part of a bank’s technical infrastructure, such as online banking services, is located on the Internet. This exposes another Achilles’ heel of banking institutions, while serving as a weapon for ideologically motivated hackers trying to undermine a bank’s reputation and normal functioning. In this blog post we will focus on threats coming from the cybercrime arena; the next one, describing the hacktivism world, will follow.

Cybercriminals act from different vectors, such as developing malware for stealing login details for banking sites and applications, extracting credit card data from hacked databases, etc. The main motivation of cyber criminals is financial profit. Subsequently, they use closed web forums and online shops to support their illegal activity and develop new fraud schemes. In most of the cases, financial institutions face one of the following three threats:

Man-in-the-Middle (MitM) Attacks

Also called web injections, this attack method is very popular among cyber criminals targeting the financial sector. If the attack is successful, the hacker manages to infiltrate the web-session between the customer (while he is surfing the bank website) and the bank. He then intercepts the messages sent between the two parts of the conversation, including credentials and classified information, and injects new messages, without arousing the suspicion of either party.

In most cases, the injections are adjusted per victim, and are delivered via banking Trojans, Zeus for example. On closed forums, injections are sold as separate modules for banking malware, or they are offered as a tailored service for cyber criminals targeting a specific bank.


Examples of web injections offered for sale on Russian forums

Client Detail Trading

One of the most popular areas of activity on underground forums is the trading of login details to bank websites and client personal data. Typically, this data originates from computers infected with malware designed to steal data inserted into form fields on websites. The operator of the botnet comprising these infected computers will not always use all the stolen data by himself, but may sell it to ‘professionals’ who specialize in cashing out money from these hacked accounts.

A term that should be mentioned in this context is the “drop” – a person who receives the stolen money into his account – sometimes without even knowing that he is supporting illegal activity, as legends and cover stories are frequently used. Drops are usually operated by the buyers of the login details – scammers who have a stable infrastructure for cashing out stolen money. Posts on the subject of buying and selling credentials are frequently found on closed forums.

Compromised Credit Cards

Online shops offering different kinds of credit card data for sale are very popular among those cyber criminals specializing in “carding.” These shops are very convenient for their users. They include numerous filtering options, thus matching the data to the scammers' needs. Prices may vary considerably, depending on the rarity of the card and the demand for the data of the issuing bank, as well as elapsed time since the data theft.

Credit cards from the Home Depot breach are sold on an underground shop


Financial Scams Involving POS Devices

POS attacks appear to have become both more frequent and detrimental. These systems are considered “easy prey” for scammers because they are vulnerable in two respects: The first is the software aspect – POS terminals are based on popular operating systems and are connected to the Internet, thus serving as a target for infection by Trojans dedicated to data theft. The second is the physical nature of these kinds of systems – they are usually located in public places and are accessible to many people, facilitating the installation of malicious programs and components directly onto the POS terminals.

Russian-speaking platforms located on the web (forums) are known to be supporting grounds for the creation and development of a great deal of cybercrime the world over, and POS-related crime is no exception. This sphere of activity is included in the “real carding” forum topic that also deals with hacking ATM machines, installing skimming devices, hacking into ATM cameras for the purpose of recording PIN codes, etc. Below we summarize the main trends regarding POS systems that were discussed in the Russian forums in recent months.

Trade of Malware Targeting POS Terminals: While 2013 was a year of large-scale breaches via remote access to POS systems, since the beginning of 2014, we have not witnessed an inordinate number of discussions about the remote infection of POS devices, as a large part of them deal with the physical modification of POS devices. Nevertheless, we identified a sale of one new tool in May 2014, referred to by the seller simply as Dump Grabber.

Installing Firmware Components on POS Terminals: The sale of firmware components for different models of POS terminals is very popular on the underground, as is the sale of the complete terminal (ready for installation) already containing the firmware. The average price for a complete terminal is approximately $2,000, while firmware alone will cost around $700. The firmware collects track 1, track 2 and PIN code data while regular transactions are performed on the terminal, and then sends it to a specified destination.

An offer for the sale of a VeriFone POS terminal with installed firmware

Technical Discussions: It appears that since the infamous mega-breaches that occurred over the last year, this sphere has attracted a lot of cyber criminals, but some of them lack the technical skills necessary for success. They heard about the easy profits available in the area of POS terminals and are trying to familiarize themselves with the expertise required to make a profit via dedicated online platforms.

The two main issues recently discussed on the forums are obtaining PIN codes and bypassing the demand for chip identification. The energetic discussions that developed on these subjects may point to the difficulties they are facing in the area of POS-related cybercrime.

A forum member asks how to add a PIN requirement in POS transactions

Business Models of POS-Related Scams: It is extremely difficult for a single scammer to commit a financial crime exploiting POS terminals. These scams are usually performed by small groups of cyber criminals. If the modus operandi of the scam is the remote infection of POS devices, there is a high probability that the attack group will include three types of perpetrators: the malware coders, the malware spreaders and the purchasers of the dumps.

In case of a physical infection of the POS terminals, of the kind that requires the installation of firmware components or the replacement of the terminal itself, the cooperation of someone at the business point (a shop or a supermarket) will also be required.

A forum member offers a fake POS terminal for rent, in return for 50% of the profit