top of page
  • Roy Urrico

Group-IB Report: Payment Card Attack Could Be Worth $3.3 Million

By Roy Urrico

Finopotamus aims to highlight white papers, research, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.


Fraudsters used two malware variants to steal more than 167,000 payments records, worth an estimated $3.3 million and counting, from point-of-sale (POS) devices, according to a report from pair of researchers at Singapore-based threat intelligence firm Group-IB.


Botnet Monitoring Team Head Nikolay Shelekhov and Analyst Said Khamchiev, both with Group-IB’s Threat Intelligence Unit, authored Treasure Trove. Alive and Well Point-Of-Sale Malware, a study of a lengthy MajikPOS and Treasure Hunter campaigns that infected dozens of POS terminals.


The report described how malware infected terminals enabling cyberthieves to steal payment data stored on the magnetic stripes (magstripes) on the backs of credit and debit cards. Group-IB noted in recent years this type of malware became less popular due to the protection mechanisms embedded in modern credit card processing systems in most countries. But cards with magstripes still exist and represent a severe threat for individuals and businesses where they are part of the payment process, such as the U.S., which remains a desirable target for threat actors seeking to steal magstripe information.


Malware Stealing Card Data


On April 19, 2022, the Group-IB Threat Intelligence identified a Command and Control (C2) server of the POS malware called MajikPOS. Group-IB experts analyzed the server and established that it also hosts a C2 administrative panel of another POS malware called Treasure Hunter, which also collected compromised credit card data.


Shelekhov and Khamchiev also detailed how due to the protection mechanisms in place within the payment processing industry, POS malware has some distinctive features and limitations.


One such mechanism is data encryption implemented during major phases of the payment processing. Decryption occurs only in the random access memory (RAM) of the POS device, where sensitive payment details are stored in plain text. This makes RAM the primary target for POS malware and the process of exfiltrating sensitive card payment details is called RAM scraping.


Almost all POS malware strains have a similar card dump extraction functionality, but different methods for maintaining persistence on infected devices, data exfiltration and processing.


A closer look at the profiles of MajikPOS and Treasure Hunter revealed:


· MajikPOS malware first appeared in early 2017, when it targeted POS devices across the U.S. and Canada. “On July 18, 2019, an announcement about the sale of the source code for MajikPOS (aka MagicPOS) was posted on the underground forum ‘exploit[.]in’ by the user cartonash. The threat actors also offered to sell the source code of a shop used to sell dumps collected by the malware,” the report explained. Ever since, MajikPOS circulated on the Dark Web. Group-IB researchers concluded that malware operators initially used a variant of Treasure Hunter, but later augmented their arsenal with more advanced malware, namely MajikPOS.

· POS malware Treasure Hunter, first detected in 2014, features RAM scraping. The initial kill chain phases are similar to MajikPOS. After infecting a POS terminal, the malware enumerates the running processes, extracts all available payment card information from the memory, and forwards this information to a C2. “Treasure Hunter was developed by a threat actor with the nickname Jolly Roger, known for developing malware for an underground forum known for holding stolen payment records.”


Both these malware panels contain information about stolen dumps and infected POS devices. During the investigation, Group-IB specialists analyzed around 77,400 unique card dumps from the MajikPOS panel and about 90,000 from the Treasure Hunter panel. “Given that the malware remains active…the number of victims keeps growing.”

U.S. POS at Risk


Most POS devices infected with Treasure Hunter were compromised in 2021. In 2022, however, the threat actors started using MajikPOS, and most of the devices infected since the beginning of 2022 were compromised using this strain.


The researchers determined that since at least February 2021 and as of September 8, 2022, cybercriminals have stolen more than 167,000 payment records mainly from U.S. POS devices. According to Group-IB’s estimates, the operators could make as much as $3,340,000 from selling the compromised card dumps on underground forums.


The researchers said they shared the information with a U.S.-based financial threat-sharing organization and law enforcement agencies, but the threats remain active.


The report also revealed, “POS malware has become a tool that is rarely used, largely as a result of evolving security measures implemented in modern POS equipment. More and more threat actors in the carding industry are switching to JavaScript sniffers to collect card text data (e.g., bank card numbers, expiration dates, names of owners, addresses, card verification value codes) from e-commerce websites. Few cyber criminals are involved in collecting dumps (data stored on magnetic stripes on bank cards). The C2 server that hosted the panels for the two


White Plastic


POS malware strains discovered by Group-IB stands out on account of the considerable collection of compromised payment records.


“POS malware has become less attractive for threat actors in recent years due to some of its limitations and the security measures implemented within the card payment industry,” maintained the report. “Nevertheless, as our research shows, it remains a significant threat to the payment industry as a whole and to separate businesses that have not yet implemented the latest security practices. It is too early to write off POS malware.”


Researchers Shelekhov and Khamchiev suggested although a collection dump itself cannot be used to make online purchases, fraudsters who buy such data can cash out stolen records. “If the card-issuing authority fails to detect the breach promptly, criminals are able to produce cloned cards (called “white plastic”) and withdraw money from ATMs or use the cloned cards for illicit in-person purchases.


“By constantly monitoring underground forums for compromised personal and payment records belonging to their customers, banks and financial organizations can quickly block stolen cards and mitigate risks and further damage,” recommended the report.


An Expert Warning



Erfan Shadabi, comforte AG

Erfan Shadabi, cybersecurity expert with Wiesbaden, Germany–based data security specialists comforte AG, also commented on the risk of malware in general to financial organizations:


“Malware is just one click away,” he said. “The two most important things an organization can do are one, spread cybersecurity awareness and to use a zero-trust approach to make sure that users only get access to sensitive data, when they have the permission and only when it is absolutely necessary. And two, protect the data!”


Shadabi added, “Sure, traditional encryption methods are a consideration, but some algorithms can be easily cracked, and key management and other operational concerns make plain data encryption unattractive. Keep in mind that encrypted information does not possess the original format of the data, so enterprise applications either must be modified or the data must be de-protected. Neither option should be acceptable. Using a stronger, more flexible data-centric method such as tokenization means that data format can be preserved while sensitive data elements are obfuscated with representational tokens.”

bottom of page