back to article Payment terminal malware steals $3.3m worth of credit card numbers – so far

Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals. If sold on underground forums, the haul could net the thieves upwards of $3.3 million. The backend command-and-control (C2) server that operates the MajikPOS and Treasure Hunter …

  1. usbac

    "As with all security loopholes, there are things businesses can do to thwart POS malware infections. Implementing a strict password policy tops the list, followed by installing software updates promptly — no major surprises there. They also suggest companies use network defense products, firewalls, and whitelisting to keep intruders out."

    I have an idea, how about securing your f***ing VNC and RDP? Neither of which should be exposed to the open Internet!!

    1. Anonymous Coward
      Anonymous Coward


      That would require some competence in Retail Companies IT depts.

    2. ThunderCougarFalconBird

      Right? Have these people never heard of firewall rules?

  2. ecofeco Silver badge

    Small shops with I.T?

    They must be joking. Small businesses have zero I.T. knowledge or budget.

    They are relaying on the card reader vendors for security and as well they should. They ARE the provider.

    1. ThunderCougarFalconBird

      Re: Small shops with I.T?

      Firewalls should be part of *ANY* use of business IT. All of this stuff could be thwarted by a simple firewall rule

    2. s0nicfreak

      Re: Small shops with I.T?

      Cry me a river. It's part of the cost of doing business. If a business can't afford it then the business can not afford to operate.

      Yes, the vendors should be providing what security they can. But there will always be new exploits. So security requires a combination of the vendors and the businesses doing what they can. If they have no knowledge and aren't big enough to need to hire someone for the job, they pay a contractor. The business doesn't get to just say it's someone else's responsibility because they don't want to pay. If they don't budget for this then they better budget for negligence lawsuits and losing their ability to processes cards entirely.

  3. Neil Barnes Silver badge

    Magnetic stripes?

    How quaint.

    Are they really still a thing? I mean, I can see them there on the card, but I can't remember the last time I swiped one.

    1. Anonymous Coward
      Anonymous Coward

      Re: Magnetic stripes?

      Just back from the US/Canada.

      Mag swipe common, even on newer terminals with sign, pin entry, contactless and chip readers. Even ones P2P enabled

      WMV cars you sign for, some even don’t need signed for.

      Apple Pay ??… Met with blank looks.

      It’s like 20 years ago retro. Europe sorted muxh of this out then.

  4. Mike 137 Silver badge

    "open and poorly secured VNC and RDP remote-desktop services"

    PCI DSS requires the cardholder data environment to be firewalled from any surrounding networks, although of course Version 4 of the standard does include a locally defined "soft option" for every requirement for those who find the formal one too hard. And of course it would help if PCI DSS were actually enforced. The majority of those processing card data are self certified and commonly rely on an assumed "compliance" by virtue of a vendor assurance for the kit they use (which is not real compliance), and in my experience acquiring banks take a quite lax view of poor compliance. The standard is mainly viewed as a license to process card payments, rather than a driver of security against accidents.

    1. Anonymous Coward
      Anonymous Coward

      Re: "open and poorly secured VNC and RDP remote-desktop services"

      You descope the entire thing with the PED either network connected and sending almost nothing back to the PoS or have the PED client software on the PoS setup P2P so the card data is never in the clear at rest.

      This is enforced in the UK and Europe. US still allows settlement files FFS.

  5. ThunderCougarFalconBird

    Bad programming for the POS

    " MajikPOS also scans infected PCs for card data. This info is then beamed back to the malware operators' C2 server."

    This makes no sense to me. How is a POS system designed that allows network connections to any random address on the internet? I get that the POS uses the internet to transfer data, but that data transfer should be locked down by firewalls to only allow the POS to connect to a specified set of IPs. I'm not a security expert, but I mean, this is obvious to me. Every POS terminal should *ONLY* be able to talk to the POS server. And that POS server should *ONLY* talk to the card processor. All other traffic should be blocked at the network level. Who is programming these things? children?

    1. Giles C Silver badge

      Re: Bad programming for the POS

      Possibly because the endpoint in is the cloud and the vendor was too tight to pay for the static ip equivalent so relies on dynamic dna instead.

      I remember coming across something similar in a previous role and was shocked to find a dynamic endpoint when I went to lock it down on the firewall.

      But it wouldn’t be that hard to have the terminal create a vpn to the control server - would it?

      1. usbac

        Re: Bad programming for the POS

        I work in IT security, and I have been there with trying to secure payment transaction systems.

        As mentioned above, there is NO EXCUSE for POS (an appropriate acronym if I've ever seen one) terminals / PCs to be allowed open access to the internet. NONE! If these terminals need to be able to browse, that needs to happen through a very locked-down proxy or a firewall acting as a proxy.

        As for the server side, trying to secure the connection can become a nightmare. I've been in a situation where the payment processor is using several AWS data centers for their infrastructure. They can have thousands of IP addresses that handle payment transactions. One vendor couldn't even give us a list of addresses. They told us that even they weren't sure what all of the addresses are (DNS and load balancer fun)!! How is that for scary?

        1. Giles C Silver badge

          Re: Bad programming for the POS

          I do the same as you but it has been several years since I had to deal with this sort of kit.

          You would have thought they could set up an anycast address, or a couple of load balancers to funnel the requests to their servers.

          A couple of high spec load balancers on an aws system would easily redirect the traffic into a batch of application servers and you only need a couple of exposed addresses per region.

          This is one of the differences between devops and security people, we look for the minimum footprint to be exposed, they look for the easiest solution to deploy. (Not all of them but a good few)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like