TreasureHunt malware steals POS credit card data from retailers

Malicious software is being targeted at smaller businesses because they're less likely to have secure systems, warns FireEye.
Written by Danny Palmer, Senior Writer

TreasureHunt allows criminals to steal credit card payment data from retailers.


Custom-built malware is stealing credit card details directly from retail point-of-sale (POS) systems, cybersecurity researchers have warned.

The malware, dubbed TreasureHunt, has been observed by FireEye, which has warned the POS-targeting software is being used to steal information from specific organisations.

TreasureHunt appears to target US retailers using older, less secure POS systems, which rely on 'swipe', rather than chip and PIN, cards to authorise payments.

Once a POS machine is infected, the software will enumerate the running processes, extract payment card information from memory, and transmit this information to a command and control server, wrote Nart Villeneuve, a threat researcher at FireEye, in a blog post about the malware.

Examination of the TreasureHunt code points to the source of the malware as BearsInc, whom FireEye describes as "an actor on an underground cybercrime forum dedicated to credit card fraud". Such forums typically allow users to buy and sell stolen payment information.

The developer of TreasureHunt posts under the handle of 'Jolly Roger', with the pirate theme continued via the skull and crossbones icon used by the web interface for controlling compromised systems.

It is thought this strain of POS-targeting malware was first deployed in 2014, and it has appeared more frequently in 2015 and 2016 as criminals look to infect outdated systems before US retailers complete the transition to chip-based, rather than swipe-based, payment systems.

"In the world of POS threats, there has been a rise in both underground offerings as well as new malware found in active use. The demand is likely due to the ongoing transition to EMV chip and PIN technology in the United States, which will eventually render these techniques largely useless," said Villeneuve.

"Many cybercriminals are looking to take advantage of memory scraping POS malware while it still works," he continued, adding that SMBs are the main target for POS malware.

"With an increasing number of major firms transitioning to the more secure chip-enabled cards, we expect to see cybercriminals increasingly turn their attention to smaller retailers and banks that may not be as prepared for the transition," Villeneuve concluded.
