PandaLabs, Panda Security’s anti-malware laboratory, has been working on an in-depth investigation since May related to Point of Sale terminals (POS) in restaurants across the United States. A new malware sample was discovered during this investigation calledPunkeyPOS, a malware variant that is able to access credit card data. PandaLabs left this information at the disposal of American law enforcement so they can take the appropriate actions. Let’s see what this is and how it operates.

How can they steal your card without touching your wallet?

PunkeyPOS runs seamlessly in all Windows operating systems. The cyber-criminal’s plan is to install the malware in POS terminals in order to steal sensitive information such as account numbers, magnetic strip contents (tracks) from bank cards, etc.

PunkeyPOS seems simple:

It installs a keylogger that is responsible for monitoring keystrokes, then it installs a RAM-scraper that is responsible for reading the memory of all processes running on the system.

Based on the information it captures, the malware performs a series of controls to determine what is valid and what isn’t. Regarding the keystrokes, PunkeyPOS ignores all information other than credit card data. It is mostly interested in tracks1/2 from the process memory that is obtained from RAM-scraping. The POS terminals read this information from the bank cards’ magnetic strips and then can use this data to clone the cards at a later time.

Once the relevant information has been obtained, it is encrypted and forwarded to a remote web server which is also the command and control (C&C) server. In order to avoid the detection of the card information in case somebody is scanning the network traffic, it is encrypted before it is sent using the AES algorithm.

The command and control (C&C) server address can be easily obtained based on this malware sample through reverse engineering or analyzing their communications. This is the main page of the control panel; it requires a username and password to get access:

Follow the Trail to the Digital Pickpocketers

The cyber-criminals behind this attack haven’t been very careful. Since the server was not configured correctly, PandaLabs was able to access it without credentials.

Because of their neglect, PandaLabs was able to see where PunkeyPOS sends the stolen information. In addition to being in front of a panel that is used to access the stolen data, from this panel cybercriminals can reinfect or update current clients (POS bots).

The version of the analyzed PunkeyPOS sample is hardcoded: “2016-04-01”. If we compare this sample with older versions, some from 2014, we can barely see any difference in the way it operates (in the References section of this article you can find links that will go further into detail about how it works.)

PandaLabs has been able to gain access to the control panel of PunkeyPOS, and has geolocated around 200 Point of Sale terminals that were compromised by this specific malware variant. We can see that virtually all the victims are in the United States:

Taking into account how easy it is to sell this information on the black market, and how convenient it is to compromise these POS terminals anonymously through the internet, we are certain that cyber-criminals will be increasingly drawn to these terminals.

Protect your devices proactively from these types of attacks with an advanced cyber-security solution like Adaptive Defense. Real-time control of all inappropriate user operations is in your hands.

References:

http://krebsonsecurity.com/2016/06/slicing-into-a-point-of-sale-botnet/

https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges—Punkey/

Last year, an undisclosed employee from Pennsylvania based Alpha Payroll was wrongly fired because he fell for a deceptive cyber-criminal’s trap. The company, Alpha Payroll, is known for processing payroll solutions for businesses, but now the company will be remembered as the victim of a very large Phishing scam.

It all started when an employee received an email from the company’s CEO that stated, “send me copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers.”

Of course, the employee believed the email was legitimate and he fulfilled the CEO’s request. Attentive and obedient, the assistant fulfills his mission.

But the CEO never sent this email, in fact the company had a policy that prohibits employees from sharing W-2 information. But put yourself in the victim’s shoes, a bottom level employee… would you question an email sent to your from the CEO? Unaware that he was victim of a phishing scam, and that his boss was being impersonated, the employee fell for the scam and, later, was fired.

It wasn’t until one of the company’s clients discovered something strange on payrolls and notified the authorities that an investigation was opened. Alpha Payroll was finally involved in the mess but by then it was too late, they were already involved in a cyber-criminal’s Whaling scheme.

Phishing is old-school. It is the most basic form of impersonation without any specific objective. Then spear phishing was discovered, which is more personalized and directed. Now we have what is called whaling, because cyber-attackers are aiming for senior managers exclusively.

How does Whaling work?

It is easy for an attacker to steal identities that belong to company executives and deceive employees. The fraudsters simply go after employees who are less cautious or unfamiliar with detecting internet fraud.

According to the FBI, whaling has become such a big problem that it has already cost companies in 80 different countries more than 2.3 million dollars (more than 2 million euros) in the last three years. Since January 2015, the number of identified victims had increased by 270%, including well-known companies like Mattel, Snapchat and Seagate Technologies.

Whaling has already cost companies in 80 different countries more than 2.3 million dollars (more than 2 million euros).

A great way to protect your business is with a team of duly trained employees, especially those who have access to highly sensitive information or who perform delicate operations like transfers. It is also very important to establish clear policies for transferring information or reports between departments, employees and executives.

The usual protection solutions don’t begin working until after the attack has already been successful, making them impossible to remedy. In order to proactively protect yourself against this type of attack, next-generation EDR solutions are the only option because they look for both unknown and known vulnerabilities. They control 100% of the processes, whether they are malware or goodware, and they are always in control of any strange behaviors.

The last few days have been intense for Apple fans. Last week, Apple’s Worldwide Developers Conference took place, where they presented the company’s new hardware and software. The “bitten apple” went into depth about their new operating systems for iPhone, Mac, Apple Watch and Apple TV but… what about security-related updates?

Following the horrible San Bernardino attack from last December, a controversial topic stemmed regarding the attacker’s iPhone.Apple’s case against the FBI initiated a dispute between user privacy and government access to personal data.

Meanwhile, other giants in the sector, like Facebook and Google, showed their support for Apple by promising to implement more effective encryption tools in the future. WhatsApp was the first to use end-to-end encryption.

Now Tim Cook presents a new file system called APFS, the Apple File System, which incorporates a new encryption system that gives developers multiple options like leave something unencrypted, encrypt it with a unique password, or encrypt it with multiple passwords. The Apple File System is already available online for developers and the new version will leave HFS system and improve security and data encryption.

Why is my Mac vulnerable to advanced threats?

Despite efforts of large security companies, the truth is that no operating system is 100% reliable. Apple computers are not the Macintosh systems that we once knew. Years ago, they had a safety-guarenteed reputation, with a different and solid operating system than others. At that time, hackers targeted computers with Windows operating systems, however, as Apple’s popularity has grown, so have the malicious-code-making hackers. Mac OS X is no longer impregnable and needs mac antivirus software.

In the recent PandaLabs’ Q1 report, experts discussed the latest threats directed specifically towards Apple operating systems. One example of this is the highly powerful ransomware based on Encoder, called KeRanger, which managed to infect Apple users at the beginning of 2016. We all remember the major Trojan attacker flashback and Browlock, also known as the Police Virus or Shellshock. All of the previously mentioned examples confirm that attacks on Mac OS X are growing.

While it is true that the number of threats in the Mac’s operating system are lower than other platforms (such as Windows) we must be aware of the importance of an effective antivirus for Mac in order to fully enjoy our Apple computers. Enough excuses, let’s start preventing viruses!