Thousands of Cards Compromised at Retailers’ POS

More than 20,000 payment cards have been compromised at retailers’ and restaurants’ point-of-sale terminals and servers since August, thanks to a new malware botnet. The technology the criminals used in this case is one of the first known, and very advanced, botnets targeting POS terminals. The “infections” observed by IntelCrawler allow attackers to corral large numbers of POS devices into a single botnet, Ars Technica wrote on its web site. “The interface makes it easy to monitor the activities of infected machines in real time and to issue granular commands. In short, they are to POS terminals what ZeuS, Citadel, and other banking trojans are to online bank accounts,” Ars Technica wrote.

The code helping to streamline the process has been dubbed StarDust, a major revision of the Dexter malware that targets POS devices. "Approximately 20,000 credit cards may have been compromised via this StarDust variation and evidence has been sent to the card associations to determine the points of compromise," Dan Clements, the president of IntelCrawler, wrote in an email, IT World reported.

While the botnet allows more retailers and restaurants to be impacted, POS data compromise is not new. The best-known case in 2012 compromised 200 POS terminals at Subway restaurants and some smaller retailers. The international conspiracy spanned 2009 to 2011 and caused more than $10 million in losses. The criminals hacked into credit-card payment terminals at more than 150 Subway restaurant franchises and stole data for more than 146,000 accounts. In that case, the criminals infected retailers’ and restaurants’ servers with "sniffing" software that logged payment card numbers and sent them to a remote server. However, there was no evidence of a botnet that controlled all of the infected machines at once, as there is with the StarDust botnet.
Here’s how the new botnet operators managed to infiltrate multiple retailers’ POS systems in the past six months, as Ars Technica describes it: “StarDust developers have intimate knowledge of the inner workings of POS applications such as Clearview POS. As a result, the malware can ferret out where in computer memory sensitive data, in some cases in cleartext form, is stored. StarDust can also sniff network traffic and is able to extract Track1 and Track2 card data. To remain covert, the software transfers card details only when the terminal is inactive and the screensaver is on. It also uses the RC4 cipher to encrypt data before sending it to the control server,” Ars Technica wrote.

The StarDust botnet uses two command-and-control servers located in Moscow and St. Petersburg, Russia, according to IntelCrawler. The servers appear to be controlled by a gang with ties to the infamous Russian Business Network cybercriminal organization. IntelCrawler is monitoring the main server, which is still active, and has alerted law enforcement agencies about it, IT World reported.

We hope that law enforcement officials are able to track down the culprits. The outstanding question of great concern is why retailers weren’t notified about this sooner. Why is this alarming card fraud method only making the news in December, when it began back in August?
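The quoted description names two things a defender can look for on the wire from a POS host: cleartext Track1/Track2 records, and an RC4-encrypted blob that carries no readable card data at all. The following is an added example of such a check, not code from IntelCrawler, Ars Technica or any POS vendor. It assumes the public track layouts (ISO/IEC 7813), applies a Luhn check to cut false positives, masks the PAN so the alert itself is not cardholder data, and falls back to a byte-entropy heuristic for encrypted payloads; the entropy threshold, minimum blob length and all sample payloads are constructed assumptions.

```python
"""Defender-side triage of outbound payloads captured from a POS host.
Added example: flags cleartext track data and high-entropy blobs.
Thresholds and sample data are assumptions, not vendor values."""
import math
import re

# Track layouts are public (ISO/IEC 7813).
# Track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[^?]{0,40}\?")
# Track 1: %B<PAN>^<surname/given>^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{2})(\d{2})[^?]{0,80}\?")

ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above which a blob looks encrypted
MIN_BLOB_LEN = 64         # assumption: skip the entropy heuristic on tiny payloads


def luhn_ok(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812) so random digit runs do not trigger alerts."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so the alert is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, well under 6 for ASCII track data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_track_data(payload: bytes) -> list:
    """Return (track, masked PAN, MM/YY) for each Luhn-valid track record."""
    hits = []
    for rx, label in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
        for m in rx.finditer(payload):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                expiry = "%s/%s" % (m.group(3).decode(), m.group(2).decode())
                hits.append((label, mask_pan(pan), expiry))
    return hits


def inspect_payload(payload: bytes) -> dict:
    """Classify one outbound payload: cleartext card data, opaque blob, or clean."""
    hits = find_track_data(payload)
    ent = shannon_entropy(payload)
    if hits:
        verdict = "cleartext_track_data"
    elif len(payload) >= MIN_BLOB_LEN and ent >= ENTROPY_THRESHOLD:
        verdict = "high_entropy_blob"
    else:
        verdict = "clean"
    return {"verdict": verdict, "track_hits": hits, "entropy": round(ent, 2)}


if __name__ == "__main__":
    import random
    # Constructed samples: a well-known test PAN in Track 2 layout, an innocuous
    # receipt line, and a seeded pseudo-random blob standing in for RC4 output.
    samples = {
        "plaintext": b"POS-07 ;4111111111111111=2512101000000000? TX OK",
        "receipt":   b"Table 12  2x coffee  total 6.50  thank you",
        "encrypted": random.Random(7).randbytes(512),
    }
    for name, data in samples.items():
        print(name, inspect_payload(data))
```

The entropy branch is deliberately weak evidence on its own: TLS traffic from a legitimate payment application scores just as high, so in practice it is combined with destination reputation and timing (the quoted text notes that StarDust only transmits while the screensaver is active, which is an unusual time for a terminal to open outbound connections). The cleartext branch is the stronger signal, and any hit from it also indicates that the POS application is holding unencrypted track data in memory or on the network in the first place.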