Written by AJ Vicens

Cybercriminals used a pair of point-of-sale malware variants to steal more than 167,000 payment records from 212 infected devices mostly in the U.S., according to researchers with Group-IB.

It’s not clear who is behind the attack or whether they sold or used the pilfered card data. But researchers estimate the information could be worth more than $3.3 million, highlighting how malware designed to steal information from credit card payment terminals remains a troubling concern.

Nikolay Shelekhov, head of the Group-IB Botnet Monitoring Team, and Said Khamchiev, an analyst in the group, identified a poorly configured command and control server for point-of-sale, or POS, malware MajikPOS in April 2022, researchers said in a report shared exclusively with CyberScoop.

The misconfiguration allowed the researchers to analyze the server and discover that it also hosted the command and control administrative panel for Treasure Hunter, a second POS malware variant that likewise collects compromised card data.

The researchers’ analysis revealed that the operators had been stealing payment records from at least February 2021 through Sept. 8, 2022. Shelekhov told CyberScoop the researchers identified 11 victim companies in the U.S.

“The information about compromised cards, POS terminals, and the victims that Group-IB researchers were able to identify, was shared upon discovery with a US-based non-profit alliance that brings together private industry, academia, and law enforcement,” he said.

The analysis showed that the operators had initially used a variant of Treasure Hunter, which dates back to at least 2014. In early 2022, the operators “augmented their arsenal with a more advanced malware, namely MajikPOS,” researchers said.

Industry analysts first spotted MajikPOS malware attacking targets in the U.S. and Canada in early 2017. By July 2019, popular underground markets listed the malware’s source code, the researchers said, making it difficult to attribute the malware to any particular group or location.

MajikPOS has additional features, the researchers said, such as a more appealing control panel, an encrypted communication channel with a command-and-control function and more structured logs. Treasure Hunter, on the other hand, records the processes running on the operating system of the device from which the data was stolen, along with their names.

The researchers managed to analyze roughly 77,400 unique credit card dumps from the MajikPOS panel, with more than 75,000 of those from U.S. credit card issuers. They found more than 90,000 from the Treasure Hunter panel, they said, and 86,411 of those were from U.S. issuers.

“Given that the malware remains active at the time of writing this blog, the number of victims keeps growing,” they said.

The market for stolen credit card information totaled more than $908 million between April 2021 and April 2022, averaging about $20 per card, the researchers said.

Buyers of this stolen information can’t use the numbers for online purchases, because the data does not include the three-digit code those purchases require, but if “the card-issuing authority fails to detect the breach promptly, criminals are able to produce cloned cards (“white plastic”) and withdraw money from ATMs or use the cloned cards for illicit in-person purchases,” the researchers said.

“POS malware has become less attractive for threat actors in recent years due to some of its limitations and the security measures implemented within the card payment industry,” they concluded. “Nevertheless, as our research shows, it remains a significant threat to the payment industry as a whole and to separate businesses that have not yet implemented the latest security practices. It is too early to write off POS malware.”