TreasureHunt Malware Targets Point Of Sale Systems
By Paul Liu
Saturday, October 15th, 2016

As US consumers and businesses move to EMV and chip-based payment systems, security experts are witnessing a sharp increase in the number of attacks against Point of Sale (POS) systems that still accept magnetic-swipe credit cards. California-based security firm FireEye Inc. has come across a new strain of malware that was specifically crafted to target businesses and financial institutions that have yet to migrate to chip-and-PIN payment technology. Dubbed TreasureHunt, the malware has been around since at least 2014 and has been used a number of times to steal credit card information from small retailers and banks.
In a detailed blog post published on its website, FireEye explains that POS malware falls into three categories. Some of it is freely available online, some can only be bought, and some is crafted by one or more groups to carry out targeted attacks. TreasureHunt falls in the third category, since its source code is neither available for free nor can it be bought from its creators. While freely available POS malware is easily detected by security software, custom-built malware is far more effective at stealing information.
According to FireEye, the TreasureHunt malware is used by just one group (BearsInc), which makes it very difficult for security professionals to deal with. While the BearsInc group is not that well known for its hacking exploits, FireEye’s principal threat intelligence analyst Nart Villeneuve says that it is very active in selling stolen credit card credentials on carding forums. Villeneuve suspects that the group is using the TreasureHunt malware to the hilt to steal credit card information from retailers and financial institutions that have not yet migrated their POS terminals to EMV technology.
In the blog post, FireEye also explains how the malware operates. Unlike other malware that spreads via spam messages, TreasureHunt is planted by hand on POS terminals. According to FireEye, BearsInc uses stolen credentials as well as brute-force methods to implant the malware on POS terminals. Once a terminal has been compromised, the malware runs in the background and scans memory for credit card data. As soon as it finds any, it encodes the data and sends it to a third-party Command and Control server operated by the BearsInc group.
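Because the malware's footprint is card data sitting in process memory, a responder triaging a suspect terminal wants to confirm whether Track 2 data is actually exposed there. The following added example (not FireEye's code or anything from the TreasureHunt sample) scans a constructed memory dump for ISO 7813 Track 2 records, discards digit runs that fail the Luhn check, and reports only redacted PANs and offsets so findings can be shared with a payment brand or acquirer.

```python
import re
from typing import Dict, List

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, 13-19 digit PAN,
# '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?' end.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check used to weed out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 digits in the report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(data: bytes) -> List[Dict[str, object]]:
    """Return Luhn-validated Track 2 hits with their byte offsets."""
    hits = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue  # looks like a track but the PAN is not a real card number
        hits.append({
            "offset": m.start(),
            "pan": redact(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return hits


# Constructed sample "memory dump": filler bytes around one well-formed track
# (the public Visa test PAN 4111111111111111) and one Luhn-failing decoy.
SAMPLE_DUMP = (
    b"\x00\x10POSAPP\x00\x00heap-noise\xff\xfe"
    b";4111111111111111=19121010000000000?"
    b"\x00\x00more-noise\x00"
    b";4111111111111112=19121010000000000?"
    b"\x00tail\x00"
)

if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP):
        print(hit)
```

On a real host the input would be a process or full-memory image captured during incident response; a single validated hit is enough to treat the terminal as compromised and start the card-brand notification process.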
While the transition to EMV and chip-based payment technology is in full swing in the United States after the data security standards were introduced in 2015, many merchants and consumers have yet to make the switch. Hackers and malware operators are clearly aware that magnetic-stripe credit cards will soon be obsolete, so they have launched a number of attacks against older POS systems in recent months. If you run a commercial establishment and have yet to switch to an EMV and chip-based payment system, be aware that you remain a prime target for malware like TreasureHunt.