Point of sale malware campaign targets hospitality and entertainment businesses

Credit card data-stealing attacks use a technique rarely deployed in POS malware to help avoid detection - and are thought to have been operating since 2016.
Written by Danny Palmer, Senior Writer

A newly-discovered cybercrime campaign is targeting restaurants, cinemas and other retailers in the entertainment and hospitality industries with point-of-sale (POS) malware in an ongoing effort to steal credit card information from customers.

Known as DMSniff, the malware is thought to have been active since 2016, having managed to fly under the radar until now, having been uncovered and detailed by researchers at cybersecurity intelligence company Flashpoint. 

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened (cover story PDF) (TechRepublic)

The key targets of DMSniff are small- and medium-sized companies that rely heavily on card transactions, such as the food, hospitality and entertainment industries.

What sets DMSniff apart from other forms of POS malware is how it uses a domain generation algorithm (DGA) to create command-and-control domains on the fly, helping it to resist takedowns and bypass simple blocking mechanisms.

This is beneficial for the attackers because if domains are taken down by law enforcement or hosting providers, the malware can still communicate with the compromised POS device — and continue to transfer stolen data.

In total, researchers have uncovered 11 variants of the DGA — when such techniques are rarely seen in POS malware campaigns, potentially pointing to it being the work of a knowledgeable cyber-criminal operation.

It's thought that DMSniff malware drops begin with attackers deploying a combination of brute-force attacks in an effort to bypass poor passwords and by scanning for vulnerabilities that can easily be exploited if POS machines are unintentionally left exposed to the open internet. It's also possible that attackers could compromise the device by physically tampering with it.

No matter how the malware is delivered, the goal is the same: to steal credit card information. DMSniff scrapes information from the magnetic stripes on payment cards when it's swiped through a terminal — but before it's encrypted and sent to the payment processor. Using the magnetic stripe on a card is rare in the UK but more common in the US.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

By doing this, the information is sent to a command and control server operated by the attackers, who can bundle stolen credit card numbers together and attempt to sell it for a profit on underground forums. Alternatively, they could attempt to abuse the stolen card information to make transfers and purchases for themselves — although that would increase the risk of getting caught.

In order to help avoid detection and analysis by security researchers and law enforcement, DMSniff employs a string-encoding routine to hide and, in the case of being discovered, to attempt to hide how the malware works. Given how it still isn't known for sure how it arrives on compromised systems, this appears to have worked, to some extent.

Researchers have uncovered organisations around the world that have fallen victim to DMSniff. Where possible, they've worked to inform the companies and their customers that they've been victims of a cyberattack.

"There doesn't appear to be targeting by region because we've found infections in various countries. All stolen data was sent to the authorities. In cases where we had merchant IDs from the stolen data, we have been successful in working with the appropriate financial institutions to contact the victims,"  Jason Reaves, principal threat researcher at Flashpoint told ZDNet.

While DMSniff is thought to have been active for a number of years, this appears to be the first time it has been used in a widespread campaign — which is believed to still be ongoing.

In order to protect against the attacks, Flashpoint recommends that organisations regularly update all attack surfaces — including POS machines. Researchers have also provided the indicators of compromise for DMSniff.  


Editorial standards