Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

Botnet Server Harvesting 167,000 Card Dumps Discovered

While Magecart-Style JavaScript Skimmers Predominate, Old-School Attacks Continue
Botnet Server Harvesting 167,000 Card Dumps Discovered
Login screen for MajikPOS command-and-control portal (Source: Group-IB)

Payment card data theft remains alive and well in the cybercrime underground.

See Also: Check Kiting In The Digital Age

Security researchers say attackers typically target payment card data using so-called Magecart tactics, which refers to using "digital skimmers" or sniffers, typically in the form of JavaScript, that they surreptitiously install onto e-commerce site servers to grab card data that is input by customers. Data stolen in such attacks typically includes card numbers, expiration dates and CVVs, as well as payment card owners' names and addresses.

Some attackers appear to be keeping their efforts more old-school. Cybersecurity firm Group-IB reports that earlier this year, it discovered a server running active command-and-control software designed to control two different types of point-of-sale malware: Treasure Hunter and MajikPOS.

Both types of malware are designed to scrape point-of-sale device RAM for dumps, which refers to capturing a complete digital copy of all information stored on a card's magnetic stripe. "POS malware has become a tool that is rarely used, largely as a result of evolving security measures implemented in modern POS equipment," researchers Nikolay Shelekhov and Said Khamchiev, of Group-IB's botnet monitoring team, write in a blog post.

With the widespread use of JavaScript sniffers, who needs or wants dumps these days? "Although a dump itself cannot be used to make online purchases, fraudsters who buy such data can cash out stolen records," the researchers write. "If the card-issuing authority fails to detect the breach promptly, criminals are able to produce cloned cards - 'white plastic' - and withdraw money from ATMs or use the cloned cards for illicit in-person purchases."

During their investigation, the researchers found not one but two strains of POS malware on the aforementioned server: Treasure Hunter, built by one "Jolly Roger" and first detected in the wild in 2014, after which the source code leaked onto a Russian-language cybercrime forum in 2018; and MajikPOS - aka MagicPOS - which was first spotted in early 2017, after which its source code was reportedly sold in July 2019 and became more widely available. Treasure Hunter and MajikPOS are both available for sale via the Exploit and XSS Russian-language cybercrime forums, making it difficult to attribute the use of either "to a particular threat actor," the researchers say.

Source: Group-IB

As of Sept. 8, the researchers report, the server they found had accumulated about 90,000 dumps via Treasure Hunter infections, which were mostly gathered in 2021, plus 77,400 card dumps via MajikPOS infections, to which the attack group or individual who runs the server apparently switched this year. The vast majority of the infections are tied to POS devices in the United States and cards issued by U.S. banks, and the number of dumps being accumulated continues to grow.

Singapore-based Group-IB says it has shared its findings with law enforcement. For the server, "the IP address was bought in March 2019 by a smaller provider who buys collocation services from NFOrce," which is a Dutch internet service provider, Group-IB's Shelekhov tells Information Security Media Group. "Their servers are definitely located in the Netherlands, according to BGP data from Looking Glass." But he says it's not clear if the small provider purports to be offering bulletproof and abuse-resistant hosting.

How do attackers sneak their POS malware onto devices? Typically, they'll begin "scanning for open and poorly secured VNC (virtual network computing) and RDP (remote desktop protocol) ports," or by purchasing credentials from cybercrime forums or initial access brokers, the researchers report. "MajikPOS collects information about each victim and uses various modules to scan for machines that host payment POS records."

Carder Markets

The Group-IB researchers say it's unclear if the card dumps have been sold on the cybercrime underground. But since the average card dump retails for $20, they said the stolen data would have a street value of $3.3 million.

For fencing the stolen card data, options abound, especially in the Russian-language cybercrime ecosystem. From 2019 to 2021, Joker's Stash was the dominant carder forum before bowing out.

Vying to replace it, according to threat intelligence firm Kela, were a variety of other forums, including Brian's Club, Vclub, Yale Lodge and UniCC. But earlier this year, UniCC and affiliated site LuxSocks were disrupted by Russian authorities, as were rival offerings Ferum Shop, Sky-Fraud and Trump's Dumps, aka TDStore.

Since then, Beatriz Pimenta Klein and Lidia López Sanz, both threat intelligence analysts at Blueliv - the threat intel division of security vendor Outpost24 - report that "Brian's Club remains one of the most prominent and long-lived automated vending carts in the ecosystem," thanks in no small part to the market offering buyers numerous protections.

Another big player is Rescator, which became infamous in the mid-2010s for selling payment card data from numerous high-profile breaches, including data from Home Depot, P.F. Chang's, Sally Beauty and Target.

The site went offline in 2019, only to reappear in mid-2021. "Rescator's case demonstrates how this landscape can be highly volatile and that inactive card shops are not always permanently gone," the Blueliv researchers say.

Summary of Brian's Club's features, including payment methods, additional tools and prices (Source: BlueLiv)

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.