Card Recon is a legitimate tool repurposed by attackers to seek out payment card data.

Researchers have observed attackers using cracked versions of Card Recon, a PCI compliance software tool developed by Ground Labs, to sniff out payment card data.

Card Recon is a legitimate application designed to seek out payment card data across various systems and storage devices, Curt Wilson, senior research analyst at Arbor Networks, told SCMagazine.com in Friday email correspondence.

“This could be very useful for a security professional or a PCI security assessment professional to help discover card data in unexpected places so it can be properly secured,” Wilson said, adding that it has now become “a legitimate tool that was cracked and repurposed by criminals to find [unsecured] card data.”

After lifting the software protections on Card Recon, attackers leveraged the tool against point-of-sale (POS) infrastructure in insecure environments, such as those with weak credentials, Wilson said, adding that card data stored locally is at risk.

Researchers with Arbor Networks wrote about Card Recon in a recent ASERT Threat Intelligence report, explaining how two cracked copies of the application showed up in an attack toolkit that also contains POS malware – including an older version of BlackPOS, the malware used in the Target breach.

“The attack kit discovered by ASERT shows that threat actors do not need a great deal of skill or advanced strategies to compromise [POS] environments, and also indicates that insecure configurations are still a problem [that] allows criminals access to sensitive financial processing systems,” Wilson said.

In a Wednesday blog post, Numaan Huq, senior threat researcher with Trend Micro, wrote about how he observed a cracked copy of Card Recon included within a development version of a POS RAM scraper malware.

Further investigation into Card Recon revealed that it identifies American Express, Discover, Diners Club, JCB, Visa, MasterCard, and “Test/Others” payment cards, according to Huq, who ran a test and learned that the tool incorrectly identifies some phony payment cards as valid.