Trend Micro researchers recently uncovered new point-of-sale malware called MajikPOS, which appears to have begun infecting businesses in the U.S. and Canada around January 28, 2017.
The malware’s operators use a combination of PoS malware and remote access trojan (RAT) to attack targets. “MajikPOS is a reflection of the increasing complexity that bad guys are predicted to employ in their malware to neuter traditional defenses,” the researchers note.
The operators look for accessible Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) servers, then attempt to breach them via brute force or with generic login credentials.
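One way a defender can spot the initial access pattern described above, as an added example that is not code from Trend Micro or eSecurity Planet: count failed RDP logons per source address and flag bursts that are followed by a success. The log format, event IDs used (Windows 4625 failed logon, 4624 successful logon, logon type 10 for RemoteInteractive/RDP) and the thresholds are assumptions for this illustration, and the sample lines are constructed.

```python
"""Flag likely RDP brute-force bursts from simplified Windows logon log lines.

Assumed line format (constructed for this example):
  <ISO timestamp> <event_id> <user> <source_ip> <logon_type>
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2017-01-28T02:00:01 4625 administrator 203.0.113.7 10
2017-01-28T02:00:02 4625 admin 203.0.113.7 10
2017-01-28T02:00:03 4625 pos 203.0.113.7 10
2017-01-28T02:00:04 4625 user 203.0.113.7 10
2017-01-28T02:00:05 4625 guest 203.0.113.7 10
2017-01-28T02:00:06 4624 pos 203.0.113.7 10
2017-01-28T02:10:00 4625 cashier 198.51.100.9 10
2017-01-28T02:15:00 4625 cashier 198.51.100.9 2
"""

def parse(line):
    ts, event_id, user, src_ip, logon_type = line.split()
    return datetime.fromisoformat(ts), int(event_id), user, src_ip, int(logon_type)

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failure_count, distinct_users, followed_by_success)} for
    sources with at least `threshold` failed RDP logons inside `window`.
    followed_by_success is True when a 4624 from the same source came after
    the burst, i.e. one of the guessed credentials appears to have worked."""
    failures = defaultdict(list)   # src_ip -> [(timestamp, user)]
    successes = defaultdict(list)  # src_ip -> [timestamp]
    for line in log_text.splitlines():
        ts, eid, user, ip, ltype = parse(line)
        if ltype != 10:            # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append(ts)
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                last = burst[-1][0]
                users = {u for _, u in burst}
                alerts[ip] = (len(burst), len(users), any(s > last for s in successes[ip]))
                break
    return alerts
```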
Once installed, the malware's RAM-scraping component searches memory for credit card track data, which it then uploads to a command and control server. “MajikPOS, like many of today’s malware, uses encrypted communication to make it harder to detect on the network level,” the researchers write.
While correctly configured EMV terminals won’t be impacted by MajikPOS, the researchers note that terminals that haven’t been upgraded to chip-and-PIN can still be protected by securing remote access functionality.
“For infosec professionals and IT/system administrators who protect their organization’s endpoints, consulting the appropriate documentation for securing Remote Desktop and VNC is a good start,” they write.
Moshe Ben-Simon, co-founder and vice president at TrapX Security, told eSecurity Planet by email that the ubiquity of retail point-of-sale systems makes them attractive targets for cyber criminals. “Our research shows us that organized crime groups (OCG) … continue to target the retail industry aggressively, with the objective of obtaining credit and debit-card account data from retail and POS systems,” he said. “We expect to see this trend continue and accelerate into 2017.”
“Between now and 2020 — the window of time required for EMV deployment — card fraud using current methods could cost the retail industry an additional $10 billion,” Ben-Simon added. “Even as the use of EMV-chip technology becomes more widespread, TrapX Labs still expects fraudulent card-not-present transactions to increase at a much higher rate than in the past.”
Brian Laing, vice president of business development and products at Lastline, noted by email that a security system that conducts deep behavioral analysis on malware to understand all of its behaviors, and that can monitor network traffic for anomalous activity, should be able to detect a threat like MajikPOS.
“With the right technology, MajikPOS, just like all other malware, can be detected before the damage is done,” Laing said. “Each time there is a breach like this where public samples are available, companies need to verify that their advanced malware protection is capable of detecting the new threat.”