Threat Management, Malware

Researchers catch whiff of previously unknown POS sniffers and scrapers

Researchers in the last 48 hours have released a trio of reports, each of which details a newly discovered point-of-sale (POS) malware program that skims or scrapes payment card information from e-commerce websites or in-store checkout terminals.

At least two of these three new threats, GMO and DMSniff, have already been observed actively attacking enterprises, while the third, GlitchPOS, has been spotted for sale on multiple dark web forums.

GMO

Discovered just this month by researchers at Group-IB, GMO is classified as a JavaScript sniffing tool -- separate from, yet similar to the Magecart skimming tool that was responsible for several major data breach incidents last year affecting companies like Ticketmaster and British Airways. However, this particular "JS Sniffer" tool specifically targets online stores running on the Magento open-source content management system and e-commerce platform.

A single line of malicious GMO code was found injected into the online stores of seven companies, six of which are based in the U.S. Victims include the international sports goods brand FILA UK, as well as a designer housewares merchant, a pest management company, a cosmetics seller, an online supermarket, a training equipment retailer and a video editing store.

Citing data from Alexa.com, Group-IB says the six U.S.-based stores receive about 350,000 monthly unique visitors. Meanwhile, FILA UK attracts roughly 140,000 unique eyes per month -- meaning potentially thousands of its customers could have had their payment data intercepted and exfiltrated since the retailer was first compromised back in November 2018.

Based on the registration data of one of the malware's command-and-control domains, Group-IB believes GMO has actually been active since May of last year.

"Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS... or simply by compromising the credentials of the website administrator using special spyware or cracking passwords with brute-force methods," explains Dmitry Volkov, CTO and head of threat intelligence at Group-IB in a company blog post today, adding that GMO got its name "because the malware uses gmo[.]li host."

Volkov further notes that GMO can detect debugging tools like Firebug and Google Developer Tools, which helps it remain under the radar.

“JS Sniffers is a type of malware that remains poorly researched. Despite its simplicity, it is capable of causing massive financial and reputational damage to huge international corporations and therefore should not be underestimated," says Volkov. "And not only small online stores get affected, but also payment systems and banks whose clients’ suffer from payment data leaks.

Group-IB says it notified the six U.S. companies of the attack and made multiple attempts to contact FILA UK.

DMSniff

Another POS malware, DMSniff, has been caught stealing payment data from various unnamed small- and medium-sized businesses, after managing to remain undetected for about four years.

Disclosed by researchers from Flashpoint, DMSniff is a rare example of a POS malware program that uses a domain generation algorithm to dynamically create lists of new C2 domains as a means of surviving takedowns and sinkholing attempts by authorities.

Taking the form of a Windows executable, this particular malware affects in-store purchases. When customers swipe their cards through an infected terminal, the malware scrapes Track 1 and 2 magnetic stripe data before it's encrypted and sent to the payment processor.

Each time the malware finds an interesting process, "it will loop through the memory sections to attempt to find a credit card number. Once a number is found, the bot will take the card data and some of the surrounding memory, packages it, and sends it to the C2," explain Flashpoint principal threat researchers Jason Reaves and Joshua Platt in a March 13 company blog post.

In an email, Reaves told SC Media that he first noted seeing a DMSniff sample back in January 2018, but the malware was active in the wild since at least 2017, and sold privately before that.

The attackers may have compromised retailers' connected terminals via brute-force attacks launched against SSH connections, or possibly by scanning for and exploiting system vulnerabilities, Flashpoint suggests. (The malware can also theoretically be implanted by physically tampering with the terminals.)

Flashpoint has so far found 11 variants of DMSniff's domain generation algorithm, all structured the same way, with the first two letters and multiply values hardcoded into the algorithm. "The bot loops through the domain generation while rotating through a list of top-level domains... until it finds a server it can talk to," the researchers explain. "The data that was harvested by the bot to create a hostid is then sent off inside the user-agent. "

In addition to its DGA techniques, the malware also protects itself through string encoding, notes Flashpoint, which recommends that organizations keep their appliances updated.

GlitchPOS

In a third blog post, researchers Warren Mercer and Paul Rascagneres from Cisco Systems' Talos division describe GlitchPOS, a POS malware that was recently discovered for sale on a crimeware forum.

The first mention of GlitchPOS dates back to a Feb. 2 forum post by Edbitss, who appears to be the same individual who is alleged to have previously developed DiamondFox L!NK, a versatile, modular botnet that debuted around 2015. In fact, Talos spotted several common traits between GlitchPOS and DiamondFox, including the use of VisualBasic as a programming language, shared terminology and similar panel dashboard displays. This suggests the developer reused old DiamondFox code in some plans, Talos notes.

Edbitss offers to sell the malware for $250, its builder for $600 and its gate address change for $80. (Talos subsequently found the malware for sale at a higher price on additional websites.) "The sale opened a few weeks ago, so we don't know yet how many people bought it or use it," the blog post states.

The main payload is a small one with only a few core functions, including the ability to connect to the C2 server to receive instructions via encoded, shellcode-based commands, and the ability to steal Track 1 and 2 payment card data from the memory of infected systems. The malware is also protected by a packer -- designed as a fake game with a user interface featuring pictures of cats -- that ultimately decodes a library containing the real payload.

The developer even created a video demonstrating GlitchPOS's ease of use to potential buyers. "This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet," Talos warns.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.