
At least 4,500 payment cards compromised by JackPOS malware in U.S. and Canada

At least 4,500 payment cards have been compromised in the United States and Canada by a new point-of-sale (POS) malware, JackPOS, that is based on Alina, according to researchers with cyber intelligence company IntelCrawler.

Andrew Komarov, CEO at IntelCrawler, told SCMagazine.com a bit about JackPOS on Friday, but on Monday, IntelCrawler launched a POS malware infection map that shows 4,533 payment cards have already been compromised by 11 infections in locations including Idaho, California, Utah, Missouri, South Carolina, Pennsylvania, Vancouver and Quebec.

“Our team has successfully received access to [the command-and-control server] today and extracted cards from it,” Komarov told SCMagazine.com in a Monday email. According to a Monday release, some of the victims were impacted more than 17 days ago.

Looking at numbers across the globe, roughly 3,000 payment cards have been compromised by 12 infections in São Paulo, Brazil. Additionally, 412 payment cards were compromised by two infections in Karnataka, India, and 230 payment cards were compromised by six infections in Madrid, Spain.

“The bad actors use quite similar principles of credit card dump gathering and memory parsing methods, but started to add additional techniques to mask it using drive-by download attacks,” Komarov wrote, explaining that attackers replaced the official Java update scheduler file with malicious code disguised as the Java(TM) Platform SE Binary.
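A defender-side integrity check for the masquerade described above, added here as an example and not part of the original report or IntelCrawler's findings. It assumes the scheduler file is jusched.exe under the usual Java install paths, that the genuine file is Authenticode-signed by Oracle, and that the "Java(TM) Platform SE binary" description belongs to the Java runtime executables rather than the scheduler; the article names none of these specifics.

```powershell
# Added example (not from the article): flag Java update scheduler binaries whose
# Authenticode signature or version metadata does not match what the vendor ships.
# Assumptions: the scheduler is jusched.exe and lives under one of these paths.
$candidates = @(
    "$env:ProgramFiles\Java\*\bin\jusched.exe",
    "${env:ProgramFiles(x86)}\Java\*\bin\jusched.exe",
    "${env:ProgramFiles(x86)}\Common Files\Java\Java Update\jusched.exe"
)

$findings = foreach ($file in Get-ChildItem -Path $candidates -ErrorAction SilentlyContinue) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $info   = $file.VersionInfo
    $issues = @()

    # 1. The file must carry a valid signature from the expected vendor (assumed: Oracle).
    if ($sig.Status -ne 'Valid') {
        $issues += "signature status is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Oracle') {
        $issues += "signed by unexpected subject '$($sig.SignerCertificate.Subject)'"
    }

    # 2. The article reports the replacement was disguised as "Java(TM) Platform SE Binary".
    #    That description belongs to java.exe/javaw.exe (assumption), not the scheduler,
    #    so a scheduler file carrying it is a mismatch worth investigating.
    if ($info.FileDescription -match 'Platform SE') {
        $issues += "file description '$($info.FileDescription)' does not match the scheduler"
    }

    # 3. Keep a hash so the file can be compared against a known-good copy or shared with IR.
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path        = $file.FullName
        Sha256      = $hash
        Signer      = $sig.SignerCertificate.Subject
        Description = $info.FileDescription
        Suspicious  = ($issues.Count -gt 0)
        Issues      = ($issues -join '; ')
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduled job or EDR script surface the result.
if ($findings | Where-Object Suspicious) { exit 1 } else { exit 0 }
```

Run it as an administrator on POS workstations and compare the SHA-256 values across the fleet; a single outlier with a failed or foreign signature is the pattern the article describes.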

According to the release, the loaders in the drive-by attacks were written in obfuscated AutoIt script, which malware authors have become increasingly reliant on to execute attacks while avoiding anti-virus detection.

“The bad actors have used some sophisticated scanning, loading, and propagating techniques to attack these vectors to look to get into the merchants' system through external perimeters and then move to card processing areas, which were possibly not separated in compliance with PCI policies,” according to the release.
